Index: /trunk/src/VBox/Runtime/r3/posix/fileaio-posix.cpp
===================================================================
--- /trunk/src/VBox/Runtime/r3/posix/fileaio-posix.cpp	(revision 23601)
+++ /trunk/src/VBox/Runtime/r3/posix/fileaio-posix.cpp	(revision 23602)
@@ -277,4 +277,5 @@
 
             ASMAtomicDecS32(&pCtxInt->cRequests);
+            AssertMsg(pCtxInt->cRequests >= 0, ("Canceled request not which is not in this context\n"));
             RTSemEventSignal(pCtxInt->SemEventCancel);
         }
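Review bot: The added assertion re-reads `pCtxInt->cRequests` with a plain load after the atomic decrement, so it checks whatever value other threads have left there rather than the result of this decrement, and its message text is garbled. ASMAtomicDecS32 returns the new value, so the check can use it directly: `int32_t cNow = ASMAtomicDecS32(&pCtxInt->cRequests);` followed by `AssertMsg(cNow >= 0, ("Canceled request which is not in this context\n"));`. The same plain re-read appears in the assertions added after ASMAtomicAddS32, ASMAtomicIncS32 and ASMAtomicSubS32 in the later hunks. AssertMsg is normally compiled only into strict builds, so if a negative count must never reach the wait path, a runtime check is needed as well. The enclosing function starts and ends outside this hunk.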
@@ -650,4 +651,6 @@
             if (RT_UNLIKELY(rcPosix < 0))
             {
+                size_t cReqsSubmitted = cReqsSubmit;
+
                 if (errno == EAGAIN)
                     rc = VERR_FILE_AIO_INSUFFICIENT_RESSOURCES;
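Review bot: `cReqsSubmitted` is declared `size_t`, but its only consumer in this change is `ASMAtomicAddS32(&pCtxInt->cRequests, cReqsSubmitted)`, which takes an `int32_t`, so the value is narrowed implicitly. Declaring it with the counter's type, `int32_t cReqsSubmitted = (int32_t)cReqsSubmit;`, or casting at the call keeps the conversion visible. The type and range of `cReqsSubmit` are set outside this hunk and should be confirmed first. A comment such as `/* Requests from this batch that were actually queued. */` would also distinguish the new variable from `cReqsSubmit`.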
@@ -656,5 +659,5 @@
 
                 /* Check which ones were not submitted. */
-                for (i = 0; i < cReqs; i++)
+                for (i = 0; i < cReqsSubmit; i++)
                 {
                     pReqInt = pahReqs[i];
@@ -664,5 +667,5 @@
                     if ((rcPosix != EINPROGRESS) && (rcPosix != 0))
                     {
-                        cReqsSubmit--;
+                        cReqsSubmitted--;
 
 #if defined(RT_OS_DARWIN) || defined(RT_OS_FREEBSD)
@@ -703,11 +706,16 @@
                         else
                             pHead = pNext;
+
+                        pReqInt->pNext = NULL;
+                        pReqInt->pPrev = NULL;
                     }
                 }
-
+                ASMAtomicAddS32(&pCtxInt->cRequests, cReqsSubmitted);
+                AssertMsg(pCtxInt->cRequests > 0, ("Adding requests resulted in overflow\n"));
                 break;
             }
 
             ASMAtomicAddS32(&pCtxInt->cRequests, cReqsSubmit);
+            AssertMsg(pCtxInt->cRequests > 0, ("Adding requests resulted in overflow\n"));
             cReqs   -= cReqsSubmit;
             pahReqs += cReqsSubmit;
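Review bot: In the error path, the new `AssertMsg(pCtxInt->cRequests > 0, ...)` after `ASMAtomicAddS32(&pCtxInt->cRequests, cReqsSubmitted)` can fire spuriously when every request in the batch was rejected. In that case `cReqsSubmitted` has been decremented to 0, and if the context held no other requests the counter is legitimately 0. Either assert `>= 0` on this path or skip the add when nothing was queued, e.g. `if (cReqsSubmitted) ASMAtomicAddS32(&pCtxInt->cRequests, cReqsSubmitted);`. The loop that decrements `cReqsSubmitted` is in the preceding hunks, and the function body continues outside this one.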
@@ -720,9 +728,8 @@
          * above.
          */
-        if (cReqs)
+        if (cReqs && RT_SUCCESS_NP(rc))
         {
             pReqInt = pahReqs[0];
             RTFILEAIOREQ_VALID_RETURN(pReqInt);
-
 
             if (pReqInt->fFlush)
@@ -754,9 +761,11 @@
 
                 ASMAtomicIncS32(&pCtxInt->cRequests);
+                AssertMsg(pCtxInt->cRequests > 0, ("Adding requests resulted in overflow\n"));
                 cReqs--;
                 pahReqs++;
             }
         }
-    } while (cReqs);
+    } while (   cReqs
+             && RT_SUCCESS_NP(rc));
 
     if (pHead)
@@ -815,6 +824,11 @@
     AssertReturn(cReqs >= cMinReqs, VERR_OUT_OF_RANGE);
 
-    if (RT_UNLIKELY(ASMAtomicReadS32(&pCtxInt->cRequests) == 0))
+    int32_t cRequestsWaiting = ASMAtomicReadS32(&pCtxInt->cRequests);
+
+    if (RT_UNLIKELY(cRequestsWaiting == 0))
         return VERR_FILE_AIO_NO_REQUEST;
+
+    if (RT_UNLIKELY(cMinReqs > cRequestsWaiting))
+        return VERR_INVALID_PARAMETER;
 
     if (cMillisTimeout != RT_INDEFINITE_WAIT)
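Review bot: `cMinReqs > cRequestsWaiting` compares against a signed `int32_t` snapshot of the counter. If `cMinReqs` is an unsigned type such as `size_t` (its declaration is outside this hunk), a negative counter converts to a very large unsigned value and the new check lets the call through to the wait. The other assertions in this change treat a negative count as a possible state, so the guard should reject it explicitly: `if (RT_UNLIKELY(cRequestsWaiting <= 0)) return VERR_FILE_AIO_NO_REQUEST;` followed by `if (RT_UNLIKELY(cMinReqs > (size_t)cRequestsWaiting))`. A short comment stating that the count is a snapshot and may drop before the wait begins (the cancel path in the first hunk decrements it) would document the remaining window.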
@@ -945,4 +959,6 @@
             ASMAtomicSubS32(&pCtxInt->cRequests, cDone);
 
+            AssertMsg(pCtxInt->cRequests >= 0, ("Finished more requests than currently active\n"));
+
             if (!cMinReqs)
                 break;
