[Spice-devel] Fwd: [PATCH 2/3] server: fix race when data arrives from guest through vdi interface

Alon Levy alevy at redhat.com
Wed Aug 25 03:28:05 PDT 2010


----- Forwarded Message -----
From: "Alon Levy" <alevy at redhat.com>
To: alevy at redhat.com
Sent: Sunday, August 22, 2010 10:28:37 PM (GMT+0200) Auto-Detected
Subject: [PATCH 2/3] server: fix race when data arrives from guest through vdi interface

The call chains that could lead to write_to_vdi_port from two threads:

guest paste:
 per cpu thread:
 kvm_main_loop_cpu..vmc_have_data..spice_server_vdi_port_wakeup
  ..write_to_vdi_port

client message (mouse / clipboard)
 qemu/kvm main thread:
 main_loop..inputs_event..reds_handle_agent_mouse_event..write_to_vdi_port

Either spice-vmc write or virtio-serial write functions are not thread safe;
this causes random packets to reach the agent, and random control messages to
reach the driver, causing bad things (driver stuck waiting for read, agent
crash on bad packet being the better case).

Fix is not to do writes when a callback that means "you can read" happens.
The reason for the old code is that vdi_port worked differently, having
a single event for both "read possible" and "write possible", and apparently
it was thread safe. While virtio-serial still doesn't have a "write possible"
event (we compensate by a retry timer) it isn't thread safe.
---
 server/reds.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/server/reds.c b/server/reds.c
index 543c341..5820cd5 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1312,7 +1312,7 @@ static int read_from_vdi_port(void)
 
 __visible__ void spice_server_vdi_port_wakeup(SpiceVDIPortInstance *sin)
 {
-    while (write_to_vdi_port() || read_from_vdi_port());
+    while (read_from_vdi_port());
 }
 
 static void reds_handle_agent_mouse_event()
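
Review bot: The new `while (read_from_vdi_port());` line in spice_server_vdi_port_wakeup carries no comment saying that the write was dropped on purpose, so a later cleanup could put `write_to_vdi_port()` back and reintroduce the race. Please add a short comment there stating that this callback can run on the per cpu thread and that writes must only be issued from the main thread (or the retry timer mentioned in the commit message). Two further points: the change removes one concurrent caller but does not make write_to_vdi_port itself thread safe, so a lock around it or an assertion on the calling thread would catch any other path that gets added later; and read_from_vdi_port is still invoked from the per cpu thread, so it is worth confirming in the description that it touches no state shared with the main thread's write path. As a style point, the empty loop body reads more clearly with the `;` on its own line or with an explicit `{}`.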
-- 
1.7.1


