vfs: stop polls before destroying file object

If we stop current polls during file destruction, we have a race window between the outer destructor being called (say socket_file::~socket_file()) and polls being stopped in file::~file(). During this race window, poll() can be called on a partial object. Fix by stopping polls in fdrop(). Fixes #293. Signed-off-by: Avi Kivity <[email protected]>
cloudius-systems · Jul 3, 2014 · a26ec3e · a26ec3e
1 parent fe14a2b
commit a26ec3e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/fs/vfs/kern_descrip.cc b/fs/vfs/kern_descrip.cc
@@ -180,11 +180,16 @@ int fdrop(struct file *fp)
 
     fp->f_count = INT_MIN;
     fp->close();
+    fp->stop_polls();
     delete fp;
     return 1;
 }
 
 file::~file()
+{
+}
+
+void file::stop_polls()
 {
     auto fp = this;
 

diff --git a/include/osv/file.h b/include/osv/file.h
@@ -127,6 +127,7 @@ struct file {
 	// poll_wake_count used for implementing epoll()'s EPOLLET using poll().
 	// Once we have a real epoll() implementation, it won't be needed.
 	int poll_wake_count = 0;
+	void stop_polls();
 };