dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel (e95205e1) · Commits · Anton / libtcg

Commit e95205e1 authored 10 years ago by Fam Zheng Committed by Paolo Bonzini 9 years ago

dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel


If DMA's owning thread cancels the IO while the bounce buffer's owning thread
is notifying the "cpu client list", a use-after-free happens:

     continue_after_map_failure               dma_aio_cancel
     ------------------------------------------------------------------
     aio_bh_new
                                              qemu_bh_delete
     qemu_bh_schedule (use after free)

Also, the old code doesn't run the bh in the right AioContext.

Fix both problems by passing a QEMUBH to cpu_register_map_client.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1426496617-10702-6-git-send-email-famz@redhat.com>
[Remove unnecessary forward declaration. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent 33b6c2ed

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 31 additions and 23 deletions

Please register or to comment