From 7d4e634d538183e5f5da3932e37e5b357c91c3b4 Mon Sep 17 00:00:00 2001 Message-Id: <7d4e634d538183e5f5da3932e37e5b357c91c3b4.1346668737.git.minovotn@redhat.com> In-Reply-To: References: From: Paolo Bonzini Date: Mon, 27 Aug 2012 13:42:05 +0200 Subject: [PATCH 02/10] scsi: add missing test for cancelled request RH-Author: Paolo Bonzini Message-id: <1346074931-12083-2-git-send-email-pbonzini@redhat.com> Patchwork-id: 41325 O-Subject: [RHEL 6.4 qemu-kvm PATCH 1/7] scsi: add missing test for cancelled request Bugzilla: 805501 RH-Acked-by: Gerd Hoffmann RH-Acked-by: Markus Armbruster RH-Acked-by: Orit Wasserman Bugzilla: 805501, 808664 Once a request has been canceled, scsi_cancel_io is called and takes ownership of the reference that scsi_*_data passed to the AIO callback. Double release of the reference leads to memory corruption. Signed-off-by: Paolo Bonzini (cherry picked from commit b8aba8d7e3031ee3411a8e5eb07ac61f5b18f045) --- hw/scsi-disk.c | 4 +++- 1 file modificato, 3 inserzioni(+). 1 rimozione(-) Signed-off-by: Michal Novotny --- hw/scsi-disk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c index 0324fcc..e25830b 100644 --- a/hw/scsi-disk.c +++ b/hw/scsi-disk.c @@ -168,7 +168,9 @@ static void scsi_dma_complete(void * opaque, int ret) scsi_req_complete(&r->req, GOOD); done: - scsi_req_unref(&r->req); + if (!r->req.io_canceled) { + scsi_req_unref(&r->req); + } } static void scsi_read_complete(void * opaque, int ret) -- 1.7.11.4