@@ -2827,10 +2827,6 @@ static void ide_dma_restart(IDEState *s, int is_read)
void ide_dma_cancel(BMDMAState *bm)
{
if (bm->status & BM_STATUS_DMAING) {
- bm->status &= ~BM_STATUS_DMAING;
- /* cancel DMA request */
- bm->unit = -1;
- bm->dma_cb = NULL;
if (bm->aiocb) {
#ifdef DEBUG_AIO
printf("aio_cancel\n");
@@ -2838,6 +2834,10 @@ void ide_dma_cancel(BMDMAState *bm)
bdrv_aio_cancel(bm->aiocb);
bm->aiocb = NULL;
}
+ bm->status &= ~BM_STATUS_DMAING;
+ /* cancel DMA request */
+ bm->unit = -1;
+ bm->dma_cb = NULL;
}
}
When cancelling a request, bdrv_aio_cancel may decide that it waits for completion of a request rather than for cancellation. IDE therefore can't abandon its DMA status before calling bdrv_aio_cancel; otherwise the callback of a completed request would use invalid data. Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 38d8dfa193e9a45f0f08b06aab2ba2a94f40a041) --- hw/ide/core.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)