From faaf431eeaa660994705364fd96ab72cb94ea41b Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Sat, 20 Jun 2015 06:26:11 -0400 Subject: [PATCH] posix-aio-compat: fix acb->ev_signo race condition RH-Author: Stefan Hajnoczi Message-id: <1434781571-31074-2-git-send-email-stefanha@redhat.com> Patchwork-id: 66338 O-Subject: [RHEL-6.7 qemu-kvm PATCH 1/1] posix-aio-compat: fix acb->ev_signo race condition Bugzilla: 1233292 RH-Acked-by: Paolo Bonzini RH-Acked-by: Jeff Nelson RH-Acked-by: Richard Jones aiocb->ev_signo is used after aiocb->ret has been filled in and the list lock has been released. If posix_aio_read() is run in another thread at the same time, aiocb->ev_signo may be fetched after acb has been freed. This race condition results in spurious "kill failed failed: Invalid argument" error messages and the QEMU process aborts. Drop the ev_signo field since its value is always SIGUSR2. This eliminates the unsafe aiocb->ev_signo access. Reported-by: Richard Jones Signed-off-by: Stefan Hajnoczi Signed-off-by: Jeff E. Nelson --- posix-aio-compat.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/posix-aio-compat.c b/posix-aio-compat.c index df09e38..f8c70d8 100644 --- a/posix-aio-compat.c +++ b/posix-aio-compat.c @@ -43,7 +43,6 @@ struct qemu_paiocb { int aio_niov; size_t aio_nbytes; #define aio_ioctl_cmd aio_nbytes /* for QEMU_AIO_IOCTL */ - int ev_signo; off_t aio_offset; QTAILQ_ENTRY(qemu_paiocb) node; @@ -382,7 +381,7 @@ static void *aio_thread(void *unused) idle_threads++; mutex_unlock(&lock); - if (kill(pid, aiocb->ev_signo)) die("kill failed"); + if (kill(pid, SIGUSR2)) die("kill failed"); } idle_threads--; @@ -560,7 +559,6 @@ BlockDriverAIOCB *paio_submit(BlockDriverState *bs, int fd, acb = qemu_aio_get(&raw_aiocb_info, bs, cb, opaque); acb->aio_type = type; acb->aio_fildes = fd; - acb->ev_signo = SIGUSR2; if (qiov) { acb->aio_iov = qiov->iov; @@ -588,7 +586,6 @@ BlockDriverAIOCB *paio_ioctl(BlockDriverState *bs, int fd, return NULL; acb->aio_type = QEMU_AIO_IOCTL; acb->aio_fildes = fd; - acb->ev_signo = SIGUSR2; acb->aio_offset = 0; acb->aio_ioctl_buf = buf; acb->aio_ioctl_cmd = req; -- 1.8.3.1