AIO deletion race fix

When deleting an fd event there is a chance the object doesn't get deleted, but only ->deleted set positive and deleted somewhere later. Now, if we create a handler for the fd again before the actual deletion occurs, we end up writing data into an object that has ->deleted set, which is obviously wrong. I see two ways to fix this: 1. Don't return ->deleted objects in the search 2. Unset ->deleted in the search This patch implements 1. which feels safer to do. It fixes AIO issues I've seen with curl, as libcurl unsets fd event listeners pretty frequently. Signed-off-by: Alexander Graf <alex@csgraf.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

AIO deletion race fix
When deleting an fd event there is a chance the object doesn't get deleted, but only ->deleted set positive and deleted somewhere later. Now, if we create a handler for the fd again before the actual deletion occurs, we end up writing data into an object that has ->deleted set, which is obviously wrong. I see two ways to fix this: 1. Don't return ->deleted objects in the search 2. Unset ->deleted in the search This patch implements 1. which feels safer to do. It fixes AIO issues I've seen with curl, as libcurl unsets fd event listeners pretty frequently. Signed-off-by: Alexander Graf <alex@csgraf.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Alexander Graf · Anthony Liguori
1 parent d6ecb036
Showing 1 changed file with 2 additions and 1 deletions
aio.c
@@ -44,7 +44,8 @@ static AioHandler *find_aio_handler(int fd)
  
     LIST_FOREACH(node, &aio_handlers, node) {
         if (node->fd == fd)
-            return node;
+            if (!node->deleted)
+                return node;
     }
  
     return NULL;