On Mon, Jul 21, 2025 at 05:07:48PM -0400, Stefan Hajnoczi wrote:
> When an AioHandler is enqueued on ctx->submit_list for removal, the
> fill_sq_ring() function will submit an io_uring POLL_REMOVE operation to
> cancel the in-flight POLL_ADD operation.
>
> There is a race when another thread enqueues an AioHandler for deletion
> on ctx->submit_list when the POLL_ADD CQE has already appeared. In that
> case POLL_REMOVE is unnecessary. The code already handled this, but
> forgot that the AioHandler itself is still on ctx->submit_list when the
> POLL_ADD CQE is being processed. It's unsafe to delete the AioHandler at
> that point in time (use-after-free).
>
> Solve this problem by keeping the AioHandler alive but setting a flag so
> that it will be deleted by fill_sq_ring() when it runs.
>
> Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
> ---
>  util/fdmon-io_uring.c | 33 ++++++++++++++++++++++++++-------
>  1 file changed, 26 insertions(+), 7 deletions(-)
Reviewed-by: Eric Blake <ebl...@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org
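As an added illustration of the ordering problem the quoted message describes, this is a constructed C model rather than QEMU's fdmon-io_uring.c code: the handler/submit_list/delete_pending names, the counters standing in for SQE submission and free, and run_removal() are assumptions.

```c
/* Constructed model of the deferred-deletion fix described in the quoted patch;
 * names (handler, submit_list, delete_pending) are hypothetical, not QEMU's. */
#include <stdbool.h>
#include <stdlib.h>
struct handler {
    struct handler *next;
    bool on_submit_list;    /* queued for fill_sq_ring() */
    bool removal_requested; /* another thread asked for deletion */
    bool poll_add_inflight; /* POLL_ADD submitted, CQE not yet seen */
    bool delete_pending;    /* CQE seen while queued: free in fill_sq_ring() */
};
static struct handler *submit_list;
static int poll_remove_submitted, handlers_freed; /* stand-ins for SQE/free */
void request_removal(struct handler *h) {
    h->removal_requested = true;
    if (h->on_submit_list) return;
    h->next = submit_list; submit_list = h; h->on_submit_list = true;
}
/* POLL_ADD CQE: freeing here while h is still on submit_list would leave a
 * dangling list entry (the use-after-free), so defer when queued. */
void process_poll_add_cqe(struct handler *h) {
    h->poll_add_inflight = false;
    if (!h->removal_requested) return;
    if (h->on_submit_list) h->delete_pending = true;
    else { free(h); handlers_freed++; }
}
/* Drain submit_list: free deferred handlers, submit POLL_REMOVE only when the
 * POLL_ADD is still in flight (its CQE will then trigger the free). */
void fill_sq_ring(void) {
    struct handler *h = submit_list, *next;
    submit_list = NULL;
    for (; h; h = next) {
        next = h->next; h->on_submit_list = false;
        if (h->delete_pending || (h->removal_requested && !h->poll_add_inflight)) {
            free(h); handlers_freed++;
        } else if (h->removal_requested) poll_remove_submitted++;
    }
}
/* cqe_first reproduces the race from the commit message; otherwise the
 * normal order (cancel first, CQE frees) is exercised. Returns true when the
 * handler was freed exactly once and POLL_REMOVE was only submitted if needed. */
bool run_removal(bool cqe_first) {
    struct handler *h = calloc(1, sizeof *h);
    poll_remove_submitted = handlers_freed = 0;
    h->poll_add_inflight = true;
    request_removal(h);
    if (cqe_first) process_poll_add_cqe(h); /* h stays alive: still queued */
    fill_sq_ring();
    if (!cqe_first) process_poll_add_cqe(h);
    return handlers_freed == 1 && poll_remove_submitted == (cqe_first ? 0 : 1);
}
```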