Git Repo - qemu.git/commit

author	Fam Zheng <[email protected]>
	Mon, 16 Mar 2015 09:03:37 +0000 (17:03 +0800)
committer	Paolo Bonzini <[email protected]>
	Mon, 27 Apr 2015 16:24:18 +0000 (18:24 +0200)
commit	e95205e1f9cd2c4262b7a7b1c992a94512c86d0e
tree	1c03e53eeb46e2d7c15b9c15a1f1c9414e254e6e	tree \| snapshot
parent	33b6c2edf6214f02b9beaea61b169506c01f90aa	commit \| diff

dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel

If DMA's owning thread cancels the IO while the bounce buffer's owning thread
is notifying the "cpu client list", a use-after-free happens:

     continue_after_map_failure               dma_aio_cancel
     ------------------------------------------------------------------
     aio_bh_new
                                              qemu_bh_delete
     qemu_bh_schedule (use after free)

Also, the old code doesn't run the bh in the right AioContext.

Fix both problems by passing a QEMUBH to cpu_register_map_client.

Signed-off-by: Fam Zheng <[email protected]>
Reviewed-by: Paolo Bonzini <[email protected]>
Message-Id: <1426496617 [email protected]>
[Remove unnecessary forward declaration. - Paolo]
Signed-off-by: Paolo Bonzini <[email protected]>

dma-helpers.c		diff \| blob \| blame \| history
exec.c		diff \| blob \| blame \| history
include/exec/cpu-common.h		diff \| blob \| blame \| history