On Thu, Jun 19, 2025 at 08:08:17PM -0400, Stefan Hajnoczi wrote:
> When an AioHandler is enqueued on ctx->submit_list for removal, the
> fill_sq_ring() function will submit an io_uring POLL_REMOVE operation to
> cancel the in-flight POLL_ADD operation.
>
> There is a race when another thread enqueues an AioHandler for deletion
> on ctx->submit_list when the POLL_ADD CQE has already appeared. In that
> case POLL_REMOVE is unnecessary. The code already handled this, but
> forgot that the AioHandler itself is still on ctx->submit_list when the
> POLL_ADD CQE is being processed. It's unsafe to delete the AioHandler at
> that point in time (use-after-free).
>
> Solve this problem by keeping the AioHandler alive but setting a flag so
> that it will be deleted by fill_sq_ring() when it runs.
>
> Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
> ---
>  util/fdmon-io_uring.c | 26 +++++++++++++++++++-------
>  1 file changed, 19 insertions(+), 7 deletions(-)
>

Reviewed-by: Eric Blake <ebl...@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org
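The deferred-deletion pattern described in the commit message, as an added stand-alone model that is not QEMU's fdmon-io_uring.c and does not touch io_uring. The types `AioHandlerModel` and `CtxModel`, the field names (`removal_requested`, `deleted`, `poll_add_inflight`) and the counters are assumptions made for this illustration; only the names `submit_list`, `fill_sq_ring()`, POLL_ADD and POLL_REMOVE come from the patch description. The race is modelled by processing the POLL_ADD CQE while the handler is still queued on `submit_list`: the CQE handler only sets a flag, and `fill_sq_ring()` frees the handler after unlinking it, so no freed node is ever walked.

```c
/* Added example: a simplified model of the "keep alive, flag, free later"
 * fix. Not QEMU code; names and fields are assumptions for illustration. */
#include <stdbool.h>
#include <stdlib.h>

typedef struct AioHandlerModel {
    int fd;
    bool poll_add_inflight;        /* POLL_ADD submitted, CQE not yet seen */
    bool removal_requested;        /* queued on submit_list for removal */
    bool deleted;                  /* CQE already seen: free in fill_sq_ring() */
    struct AioHandlerModel *next;  /* submit_list link */
} AioHandlerModel;

typedef struct {
    AioHandlerModel *submit_list;  /* handlers waiting for an SQE */
    int poll_remove_submitted;     /* POLL_REMOVE SQEs issued */
    int freed;                     /* handlers freed */
} CtxModel;

typedef struct {
    int poll_removes;
    int freed;
    bool list_empty;
} Outcome;

static AioHandlerModel *handler_new(int fd)
{
    AioHandlerModel *h = calloc(1, sizeof(*h));
    if (!h) {
        abort();
    }
    h->fd = fd;
    h->poll_add_inflight = true;   /* a POLL_ADD is assumed to be in flight */
    return h;
}

/* Another thread asks for removal: push the handler onto submit_list. */
static void enqueue_removal(CtxModel *ctx, AioHandlerModel *h)
{
    h->removal_requested = true;
    h->next = ctx->submit_list;
    ctx->submit_list = h;
}

/* POLL_ADD CQE processed. The handler may still sit on submit_list, so it
 * must not be freed here; flag it and let fill_sq_ring() free it. */
static void process_poll_add_cqe(AioHandlerModel *h)
{
    h->poll_add_inflight = false;
    if (h->removal_requested) {
        h->deleted = true;
    }
}

/* Cancellation completed: the handler can finally go away. */
static void process_poll_remove_cqe(CtxModel *ctx, AioHandlerModel *h)
{
    free(h);
    ctx->freed++;
}

static void fill_sq_ring(CtxModel *ctx)
{
    AioHandlerModel *h = ctx->submit_list;
    ctx->submit_list = NULL;       /* unlink everything before freeing */
    while (h) {
        AioHandlerModel *next = h->next;
        if (h->deleted) {
            /* CQE already seen: POLL_REMOVE is unnecessary, free now */
            free(h);
            ctx->freed++;
        } else if (h->removal_requested && h->poll_add_inflight) {
            /* cancel the in-flight POLL_ADD; handler stays alive until the
             * POLL_REMOVE completion is processed */
            ctx->poll_remove_submitted++;
        }
        h = next;
    }
}

/* The race from the commit message: CQE arrives before fill_sq_ring() runs. */
Outcome run_race_scenario(void)
{
    CtxModel ctx = {0};
    AioHandlerModel *h = handler_new(42);   /* constructed sample handler */
    enqueue_removal(&ctx, h);
    process_poll_add_cqe(h);
    fill_sq_ring(&ctx);
    return (Outcome){ ctx.poll_remove_submitted, ctx.freed, ctx.submit_list == NULL };
}

/* The ordinary path: fill_sq_ring() runs first and must cancel the POLL_ADD. */
Outcome run_normal_scenario(void)
{
    CtxModel ctx = {0};
    AioHandlerModel *h = handler_new(43);   /* constructed sample handler */
    enqueue_removal(&ctx, h);
    fill_sq_ring(&ctx);
    process_poll_remove_cqe(&ctx, h);
    return (Outcome){ ctx.poll_remove_submitted, ctx.freed, ctx.submit_list == NULL };
}
```

In the race scenario the handler is freed exactly once, by `fill_sq_ring()`, and no POLL_REMOVE is issued; in the normal scenario one POLL_REMOVE is issued and the free happens only after the cancellation completes. The point the fix relies on is that the node is unlinked from `submit_list` before it is freed, which is what the flag makes possible.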