On 10.09.2025 at 19:56, Stefan Hajnoczi wrote:
> When an AioHandler is enqueued on ctx->submit_list for removal, the
> fill_sq_ring() function will submit an io_uring POLL_REMOVE operation to
> cancel the in-flight POLL_ADD operation.
>
> There is a race when another thread enqueues an AioHandler for deletion
> on ctx->submit_list when the POLL_ADD CQE has already appeared. In that
> case POLL_REMOVE is unnecessary. The code already handled this, but
> forgot that the AioHandler itself is still on ctx->submit_list when the
> POLL_ADD CQE is being processed. It's unsafe to delete the AioHandler at
> that point in time (use-after-free).
>
> Solve this problem by keeping the AioHandler alive but setting a flag so
> that it will be deleted by fill_sq_ring() when it runs.
>
> Signed-off-by: Stefan Hajnoczi <[email protected]>
> Reviewed-by: Eric Blake <[email protected]>
Reviewed-by: Kevin Wolf <[email protected]>
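A constructed C model of the race and of the deferred-deletion fix described in the quoted commit message, added here as an illustration; it is not QEMU's code. The names Handler, SqStats, submit_list, enqueue_for_removal, process_poll_add_cqe and the return values are assumptions standing in for AioHandler, ctx->submit_list and the real fdmon-io_uring functions.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the race; names are hypothetical, not QEMU's. */
typedef struct Handler {
    bool remove_pending;   /* POLL_ADD cancellation was requested */
    bool on_submit_list;   /* still linked on submit_list */
    bool deleted;          /* free deferred to fill_sq_ring() */
    struct Handler *next;
} Handler;
typedef struct { int freed; int poll_remove; } SqStats;

static Handler *submit_list;  /* models ctx->submit_list */
static Handler *handler_new(void) { return calloc(1, sizeof(Handler)); }

/* Another thread: ask for the in-flight POLL_ADD to be cancelled. */
static void enqueue_for_removal(Handler *h)
{
    h->remove_pending = h->on_submit_list = true;
    h->next = submit_list;
    submit_list = h;
}

/* POLL_ADD CQE arrived for h: returns 1 if deletion was deferred, 0 for an
 * ordinary readiness event (h stays alive either way). */
static int process_poll_add_cqe(Handler *h)
{
    if (!h->remove_pending) return 0;
    /* POLL_REMOVE is now unnecessary, but h is still on submit_list, so
     * freeing it here is the use-after-free: fill_sq_ring() would walk a
     * freed node. Flag it and let fill_sq_ring() free it instead. */
    h->deleted = true;
    return 1;
}

/* Drain submit_list: free flagged handlers, otherwise submit POLL_REMOVE. */
static SqStats fill_sq_ring(void)
{
    SqStats s = {0, 0};
    for (Handler *h = submit_list, *next; h; h = next) {
        next = h->next;
        h->on_submit_list = false;
        if (h->deleted) {
            free(h);              /* safe: unlinked, nothing else refers to it */
            s.freed++;
        } else {
            s.poll_remove++;      /* would queue an io_uring POLL_REMOVE SQE */
        }
    }
    submit_list = NULL;
    return s;
}
```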
