From patchwork Thu Jul 1 14:31:57 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [1/2] block: Fix too early free in multiwrite Date: Thu, 01 Jul 2010 04:31:57 -0000 From: Kevin Wolf X-Patchwork-Id: 57553 Message-Id: <1277994718-14443-2-git-send-email-kwolf@redhat.com> To: qemu-devel@nongnu.org Cc: kwolf@redhat.com bdrv_aio_writev may call the callback immediately (and it will commonly do so in error cases). If num_requests doesn't have its final value yet, multiwrite_cb will falsely detect that all requests are completed and frees the mcb. However, the mcb is still used by other requests that are started only afterwards. When all requests are completed, it is freed for the second time. Fix this by setting the right num_requests from the beginning. Signed-off-by: Kevin Wolf Reviewed-by: Christoph Hellwig --- block.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) diff --git a/block.c b/block.c index c40dd2c..9719649 100644 --- a/block.c +++ b/block.c @@ -2198,6 +2198,7 @@ int bdrv_aio_multiwrite(BlockDriverState *bs, BlockRequest *reqs, int num_reqs) num_reqs = multiwrite_merge(bs, reqs, num_reqs, mcb); // Run the aio requests + mcb->num_requests = num_reqs; for (i = 0; i < num_reqs; i++) { acb = bdrv_aio_writev(bs, reqs[i].sector, reqs[i].qiov, reqs[i].nb_sectors, multiwrite_cb, mcb); @@ -2206,16 +2207,13 @@ int bdrv_aio_multiwrite(BlockDriverState *bs, BlockRequest *reqs, int num_reqs) // We can only fail the whole thing if no request has been // submitted yet. Otherwise we'll wait for the submitted AIOs to // complete and report the error in the callback. - if (mcb->num_requests == 0) { + if (i == 0) { reqs[i].error = -EIO; goto fail; } else { - mcb->num_requests++; multiwrite_cb(mcb, -EIO); break; } - } else { - mcb->num_requests++; } }