From a26ec3eb2601edec101f29f644e25612aac88637 Mon Sep 17 00:00:00 2001
From: Avi Kivity
Date: Mon, 30 Jun 2014 10:20:44 +0300
Subject: [PATCH] vfs: stop polls before destroying file object
If we stop current polls during file destruction, we have a race window between the outer destructor being called (say socket_file::~socket_file()) and polls being stopped in file::~file(). During this race window, poll() can be called on a partial object. Fix by stopping polls in fdrop().
Fixes #293.
Signed-off-by: Avi Kivity
---
 fs/vfs/kern_descrip.cc | 5 +++++
 include/osv/file.h | 1 +
 2 files changed, 6 insertions(+)
diff --git a/fs/vfs/kern_descrip.cc b/fs/vfs/kern_descrip.cc
index 940db09232..e959db2e6c 100644
--- a/fs/vfs/kern_descrip.cc
+++ b/fs/vfs/kern_descrip.cc
@@ -180,11 +180,16 @@ int fdrop(struct file *fp)
 fp->f_count = INT_MIN;
 fp->close();
+ fp->stop_polls();
 delete fp;
 return 1;
 }
 file::~file()
+{
+}
+
+void file::stop_polls()
 {
 auto fp = this;
diff --git a/include/osv/file.h b/include/osv/file.h
index 3a7bdfbaf3..2b76f91359 100755
--- a/include/osv/file.h
+++ b/include/osv/file.h
@@ -127,6 +127,7 @@ struct file {
 // poll_wake_count used for implementing epoll()'s EPOLLET using poll().
 // Once we have a real epoll() implementation, it won't be needed.
 int poll_wake_count = 0;
+ void stop_polls();
 };
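Review bot: In fdrop(), `fp->close()` still runs before the new `fp->stop_polls()`, so a concurrent poll() can reach the file after close() has returned but before its pollers are detached. The commit removes the window inside the destructor chain, but if any close() override releases state that the matching poll() reads (not visible in this hunk), the same kind of race remains one line earlier. Consider calling `fp->stop_polls();` ahead of `fp->close();`, provided stop_polls() does not need the file to still be open. Both fdrop() and the body of stop_polls() extend outside the hunk, so this needs checking against the full functions.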
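Review bot: `stop_polls()` is declared directly beneath the comment that describes `poll_wake_count` and has no comment of its own, so its calling contract is undocumented. With `file::~file()` now empty (first hunk), any path that destroys a file without going through fdrop() would presumably leave poll registrations referring to freed memory. A comment would make the requirement explicit, for example `// Detaches all pollers; must be called on the fully constructed object before it is deleted (fdrop() does this).` struct file begins above the hunk, so whether the method could be made non-public cannot be judged from here.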