On Mon, Aug 23, 2010 at 2:55 AM, Yoshiaki Tamura <tamura.yoshi...@lab.ntt.co.jp> wrote: > Currently qemu_set_fd_handler2() is only setting ioh->deleted upon > deleting. This may cause a crash when a read handler calls > qemu_set_fd_handler2() to delete handlers, but a write handler is > still invoked from main_loop_wait(). Because main_loop_wait() checks > handlers before calling, setting NULL upon deleting will protect > handlers being called if already deleted. > > One example is the new threaded vnc server. When an error occurs in > the context of a read handler, it'll releases resources and deletes > handlers. However, because the write handler still exists, it'll be > called, and then crashes because of lack of resources. This patch > fixes it. > > Signed-off-by: Yoshiaki Tamura <tamura.yoshi...@lab.ntt.co.jp> > --- > vl.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/vl.c b/vl.c > index ccc8d57..7ae69ab 100644 > --- a/vl.c > +++ b/vl.c > @@ -966,6 +966,8 @@ int qemu_set_fd_handler2(int fd, > QLIST_FOREACH(ioh, &io_handlers, next) { > if (ioh->fd == fd) { > ioh->deleted = 1; > + ioh->fd_read = NULL; > + ioh->fd_write = NULL; > break; > } > } > -- > 1.7.1.1 > >
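Review bot: Clearing only fd_read and fd_write leaves any other callback stored in the same record untouched; since qemu_set_fd_handler2() is the variant that also accepts a read-poll callback, consider clearing that pointer in the same place, otherwise main_loop_wait() may still call into the polling function of a handler whose owner has already freed its resources, which is exactly the use-after-release this patch is meant to close. A one-line comment above the new assignments would also help, since the record stays on io_handlers with deleted = 1 until the main loop reaps it, and the NULL callbacks are the only thing preventing a dispatch in that window: e.g. "/* keep the record until main_loop_wait() reaps it, but never dispatch to it again */".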
Good catch, thanks, Reviewed-by: Corentin Chary <corenti...@iksaif.net> -- Corentin Chary http://xf.iksaif.net