648fb0ea5e
qemu may segfault when a BH handler first deletes a BH and then (possibly
indirectly) calls a nested qemu_bh_poll(). This is because the inner instance
frees the BH and deletes it from the list that the outer one processes.
This patch deletes BHs only in the outermost qemu_bh_poll instance.
Commit 7887f620
already tried to achieve the same, but it assumed that the BH
handler would only delete its own BH. With a nested qemu_bh_poll(), this isn't
guaranteed, so that commit wasn't enough. Hope this one fixes it for real.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
/*
 * QEMU System Emulator
 *
 * Copyright (c) 2003-2008 Fabrice Bellard
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */
#include "qemu-common.h"
#include "qemu-aio.h"
/* Anchor of the list of Bottom Halves belonging to the context.
 * qemu_bh_new() pushes new entries at the head; entries flagged deleted are
 * unlinked and freed only by the outermost qemu_bh_poll() instance, so the
 * list is never modified underneath a poll that is still walking it. */
static struct QEMUBH *first_bh;
/***********************************************************/
/* bottom halves (can be seen as timers which expire ASAP) */
struct QEMUBH {
    QEMUBHFunc *cb;   /* handler run by qemu_bh_poll() as cb(opaque) */
    void *opaque;     /* caller-supplied argument handed to cb */
    int scheduled;    /* non-zero while a run is pending; cleared before cb runs */
    int idle;         /* set by qemu_bh_schedule_idle(): may wait up to 10ms */
    int deleted;      /* set by qemu_bh_delete(); freed by the outermost qemu_bh_poll() */
    QEMUBH *next;     /* singly-linked list, anchored at first_bh */
};
/* Allocate a bottom half that will run cb(opaque) and link it into the
 * context's list. The BH starts unscheduled; it is released by the outermost
 * qemu_bh_poll() after qemu_bh_delete() has flagged it. */
QEMUBH *qemu_bh_new(QEMUBHFunc *cb, void *opaque)
{
    /* Zeroed allocation: scheduled, idle and deleted all start out clear. */
    QEMUBH *bh = g_malloc0(sizeof *bh);

    bh->cb = cb;
    bh->opaque = opaque;

    /* Push onto the head of the list. */
    bh->next = first_bh;
    first_bh = bh;

    return bh;
}
/* Unlink and free every BH flagged deleted. Must only be called when no
 * qemu_bh_poll() instance is walking the list, otherwise a walker's cached
 * next pointer could refer to freed memory. */
static void qemu_bh_free_deleted(void)
{
    QEMUBH **link = &first_bh;

    while (*link) {
        QEMUBH *bh = *link;

        if (bh->deleted) {
            /* Unlink first, then release. */
            *link = bh->next;
            g_free(bh);
        } else {
            link = &bh->next;
        }
    }
}

/* Run every scheduled, non-deleted bottom half once.
 *
 * Returns 1 if at least one non-idle BH ran, 0 otherwise.
 *
 * A handler may delete BHs (its own or others) and may re-enter
 * qemu_bh_poll(). Deletion therefore only marks the BH; the actual free
 * is deferred until the outermost instance has finished walking the list,
 * tracked by the nesting counter. */
int qemu_bh_poll(void)
{
    /* Depth of qemu_bh_poll() recursion; non-zero means a walk is active. */
    static int nesting = 0;
    QEMUBH *bh, *next;
    int ret = 0;

    nesting++;

    for (bh = first_bh; bh; bh = next) {
        /* Read the link before the handler runs: it may schedule, delete
         * or create BHs, but with deferred freeing next stays valid. */
        next = bh->next;

        if (bh->deleted || !bh->scheduled) {
            continue;
        }

        bh->scheduled = 0;
        if (!bh->idle) {
            ret = 1;
        }
        bh->idle = 0;
        bh->cb(bh->opaque);
    }

    nesting--;

    /* Only the outermost instance reclaims deleted BHs. */
    if (nesting == 0) {
        qemu_bh_free_deleted();
    }

    return ret;
}
/* Schedule @bh as idle: it will run on a later qemu_bh_poll() but does not
 * wake the main loop, so it may wait up to 10ms (see
 * qemu_bh_update_timeout()). A BH that is already pending is left as is. */
void qemu_bh_schedule_idle(QEMUBH *bh)
{
    if (!bh->scheduled) {
        bh->scheduled = 1;
        bh->idle = 1;
    }
}
/* Schedule @bh to run as soon as possible and wake the main loop.
 * A BH that is already pending (idle or not) is left untouched. */
void qemu_bh_schedule(QEMUBH *bh)
{
    if (!bh->scheduled) {
        bh->scheduled = 1;
        bh->idle = 0;
        /* Interrupt the running CPU so the BH is executed ASAP. */
        qemu_notify_event();
    }
}
/* Drop the pending run of @bh, if any. The BH stays allocated and can be
 * scheduled again; use qemu_bh_delete() to dispose of it. */
void qemu_bh_cancel(QEMUBH *bh)
{
    bh->scheduled = 0;
}
/* Mark @bh for disposal. Any pending run is dropped. The memory is not
 * released here but by the outermost qemu_bh_poll() instance, so a handler
 * may safely delete its own BH or another one, even across a nested poll. */
void qemu_bh_delete(QEMUBH *bh)
{
    bh->scheduled = 0;
    bh->deleted = 1;
}
/* Lower *timeout (ms) according to the pending bottom halves: 0 if any
 * non-idle BH is scheduled, at most 10 if only idle ones are. Deleted and
 * unscheduled BHs are ignored; *timeout is never raised. */
void qemu_bh_update_timeout(int *timeout)
{
    QEMUBH *bh;

    for (bh = first_bh; bh; bh = bh->next) {
        if (bh->deleted || !bh->scheduled) {
            continue;
        }

        if (!bh->idle) {
            /* A non-idle BH is pending: run the main loop right away. */
            *timeout = 0;
            return;
        }

        /* Idle bottom halves are polled at least every 10ms. */
        *timeout = MIN(10, *timeout);
    }
}