Patchwork usb-storage: fix request canceling

login
register
mail settings
Submitter Gerd Hoffmann
Date April 19, 2012, 9:46 a.m.
Message ID <1334828810-14291-1-git-send-email-kraxel@redhat.com>
Download mbox | patch
Permalink /patch/153715/
State New
Headers show

Comments

Gerd Hoffmann - April 19, 2012, 9:46 a.m.
Little fix for usb packet handling on i/o cancelation.  The
usb packet pointer (s->packet) is cleared at the wrong place:
The scsi request cancel handler does it.  When a usb packet
is canceled the usb-storage emulation canceles the scsi request
if present.  In most cases there is one, so usually s->packet
is cleared as needed even with the code sitting at the wrong
place.

If there is no scsi request in flight s->packet is not cleared
though.  The usb-storage emulation will then try to complete an
usb packet which is not in flight any more and thereby trigger
an assert() in the usb core.

Fix this by clearing s->packet at the correct place, which is
the usb packet cancel header.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/dev-storage.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
Hans de Goede - April 19, 2012, 10:05 a.m.
Looks good,

Acked-by: Hans de Goede <hdegoede@redhat.com>

Regards,

Hans


On 04/19/2012 11:46 AM, Gerd Hoffmann wrote:
> Little fix for usb packet handling on i/o cancelation.  The
> usb packet pointer (s->packet) is cleared at the wrong place:
> The scsi request cancel handler does it.  When a usb packet
> is canceled the usb-storage emulation canceles the scsi request
> if present.  In most cases there is one, so usually s->packet
> is cleared as needed even with the code sitting at the wrong
> place.
>
> If there is no scsi request in flight s->packet is not cleared
> though.  The usb-storage emulation will then try to complete an
> usb packet which is not in flight any more and thereby trigger
> an assert() in the usb core.
>
> Fix this by clearing s->packet at the correct place, which is
> the usb packet cancel header.
>
> Signed-off-by: Gerd Hoffmann<kraxel@redhat.com>
> ---
>   hw/usb/dev-storage.c |    4 +++-
>   1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
> index d865a5e..3d2f244 100644
> --- a/hw/usb/dev-storage.c
> +++ b/hw/usb/dev-storage.c
> @@ -268,7 +268,6 @@ static void usb_msd_request_cancelled(SCSIRequest *req)
>       if (req == s->req) {
>           scsi_req_unref(s->req);
>           s->req = NULL;
> -        s->packet = NULL;
>           s->scsi_len = 0;
>       }
>   }
> @@ -330,6 +329,9 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
>   {
>       MSDState *s = DO_UPCAST(MSDState, dev, dev);
>
> +    assert(s->packet == p);
> +    s->packet = NULL;
> +
>       if (s->req) {
>           scsi_req_cancel(s->req);
>       }
Paolo Bonzini - April 19, 2012, 10:29 a.m.
Il 19/04/2012 11:46, Gerd Hoffmann ha scritto:
> Little fix for usb packet handling on i/o cancelation.  The
> usb packet pointer (s->packet) is cleared at the wrong place:
> The scsi request cancel handler does it.  When a usb packet
> is canceled the usb-storage emulation canceles the scsi request
> if present.  In most cases there is one, so usually s->packet
> is cleared as needed even with the code sitting at the wrong
> place.
> 
> If there is no scsi request in flight s->packet is not cleared
> though.  The usb-storage emulation will then try to complete an
> usb packet which is not in flight any more and thereby trigger
> an assert() in the usb core.
> 
> Fix this by clearing s->packet at the correct place, which is
> the usb packet cancel header.
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/usb/dev-storage.c |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
> index d865a5e..3d2f244 100644
> --- a/hw/usb/dev-storage.c
> +++ b/hw/usb/dev-storage.c
> @@ -268,7 +268,6 @@ static void usb_msd_request_cancelled(SCSIRequest *req)
>      if (req == s->req) {
>          scsi_req_unref(s->req);
>          s->req = NULL;
> -        s->packet = NULL;
>          s->scsi_len = 0;
>      }
>  }
> @@ -330,6 +329,9 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
>  {
>      MSDState *s = DO_UPCAST(MSDState, dev, dev);
>  
> +    assert(s->packet == p);
> +    s->packet = NULL;
> +
>      if (s->req) {
>          scsi_req_cancel(s->req);
>      }

Looks good,

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>

Patch

diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index d865a5e..3d2f244 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -268,7 +268,6 @@  static void usb_msd_request_cancelled(SCSIRequest *req)
     if (req == s->req) {
         scsi_req_unref(s->req);
         s->req = NULL;
-        s->packet = NULL;
         s->scsi_len = 0;
     }
 }
@@ -330,6 +329,9 @@  static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
 {
     MSDState *s = DO_UPCAST(MSDState, dev, dev);
 
+    assert(s->packet == p);
+    s->packet = NULL;
+
     if (s->req) {
         scsi_req_cancel(s->req);
     }