From patchwork Thu Jul 1 14:31:57 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kevin Wolf X-Patchwork-Id: 57553 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [199.232.76.165]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id 792FCB6EEB for ; Fri, 2 Jul 2010 00:33:33 +1000 (EST) Received: from localhost ([127.0.0.1]:59622 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1OUKpV-0003Pv-Lh for incoming@patchwork.ozlabs.org; Thu, 01 Jul 2010 10:33:29 -0400 Received: from [140.186.70.92] (port=48209 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1OUKoG-0003OU-Dv for qemu-devel@nongnu.org; Thu, 01 Jul 2010 10:32:13 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69) (envelope-from ) id 1OUKoA-0008De-CJ for qemu-devel@nongnu.org; Thu, 01 Jul 2010 10:32:12 -0400 Received: from mx1.redhat.com ([209.132.183.28]:26550) by eggs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1OUKoA-0008DM-5g for qemu-devel@nongnu.org; Thu, 01 Jul 2010 10:32:06 -0400 Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o61EW5BD004401 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Thu, 1 Jul 2010 10:32:05 -0400 Received: from localhost.localdomain (dhcp-5-217.str.redhat.com [10.32.5.217]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id o61EW3tQ012444; Thu, 1 Jul 2010 10:32:04 -0400 From: Kevin Wolf To: qemu-devel@nongnu.org Date: Thu, 1 Jul 2010 16:31:57 +0200 Message-Id: <1277994718-14443-2-git-send-email-kwolf@redhat.com> In-Reply-To: <1277994718-14443-1-git-send-email-kwolf@redhat.com> References: <1277994718-14443-1-git-send-email-kwolf@redhat.com> X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11 X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. Cc: kwolf@redhat.com Subject: [Qemu-devel] [PATCH 1/2] block: Fix too early free in multiwrite X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org bdrv_aio_writev may call the callback immediately (and it will commonly do so in error cases). If num_requests doesn't have its final value yet, multiwrite_cb will falsely detect that all requests are completed and frees the mcb. However, the mcb is still used by other requests that are started only afterwards. When all requests are completed, it is freed for the second time. Fix this by setting the right num_requests from the beginning. Signed-off-by: Kevin Wolf Reviewed-by: Christoph Hellwig --- block.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) diff --git a/block.c b/block.c index c40dd2c..9719649 100644 --- a/block.c +++ b/block.c @@ -2198,6 +2198,7 @@ int bdrv_aio_multiwrite(BlockDriverState *bs, BlockRequest *reqs, int num_reqs) num_reqs = multiwrite_merge(bs, reqs, num_reqs, mcb); // Run the aio requests + mcb->num_requests = num_reqs; for (i = 0; i < num_reqs; i++) { acb = bdrv_aio_writev(bs, reqs[i].sector, reqs[i].qiov, reqs[i].nb_sectors, multiwrite_cb, mcb); @@ -2206,16 +2207,13 @@ int bdrv_aio_multiwrite(BlockDriverState *bs, BlockRequest *reqs, int num_reqs) // We can only fail the whole thing if no request has been // submitted yet. Otherwise we'll wait for the submitted AIOs to // complete and report the error in the callback. - if (mcb->num_requests == 0) { + if (i == 0) { reqs[i].error = -EIO; goto fail; } else { - mcb->num_requests++; multiwrite_cb(mcb, -EIO); break; } - } else { - mcb->num_requests++; } }