> > @@ -574,6 +570,12 @@ static void
> > qemu_rbd_aio_cancel(BlockDriverAIOCB *blockacb)
> > {
> > RBDAIOCB *acb = (RBDAIOCB *) blockacb;
> > acb->cancelled = 1;
> > +
> > + while (acb->status == -EINPROGRESS) {
> > + qemu_aio_wait();
> > + }
> > +
> > There should be a qemu_vfree(acb->bounce); here No, because the BH will have run at this point and you'd doubly-free the buffer. Paolo
> > + qemu_aio_release(acb);
> > }
> >
> > static AIOPool rbd_aio_pool = {
> > @@ -646,7 +648,8 @@ static void rbd_aio_bh_cb(void *opaque)
> > qemu_bh_delete(acb->bh);
> > acb->bh = NULL;
> >
> > - qemu_aio_release(acb);
> > + if (!acb->cancelled)
> > + qemu_aio_release(acb);
> > }
> >
> > static int rbd_aio_discard_wrapper(rbd_image_t image,
> > @@ -691,6 +694,7 @@ static BlockDriverAIOCB
> > *rbd_start_aio(BlockDriverState *bs,
> > acb->s = s;
> > acb->cancelled = 0;
> > acb->bh = NULL;
> > + acb->status = -EINPROGRESS;
> >
> > if (cmd == RBD_AIO_WRITE) {
> > qemu_iovec_to_buf(acb->qiov, 0, acb->bounce, qiov->size);
> > @@ -737,7 +741,8 @@ static BlockDriverAIOCB
> > *rbd_start_aio(BlockDriverState *bs,
> > failed:
> > g_free(rcb);
> > s->qemu_aio_count--;
> > - qemu_aio_release(acb);
> > + if (!acb->cancelled)
> > qemu_vfree(acb->bounce) should be here as well, although that's a > separate bug that's probably never hit.
>
> > + qemu_aio_release(acb);
> > return NULL;
> > }
> >
> >
> >
-- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
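Review bot: The new loop `while (acb->status == -EINPROGRESS) { qemu_aio_wait(); }` in qemu_rbd_aio_cancel terminates only when something else overwrites acb->status, and none of the visible hunks does that; the completion path that stores the final status (and the RBDAIOCB field itself) is outside this patch excerpt, so a reader of the cancel function cannot tell what unblocks it. A comment would make the new ownership protocol explicit: `/* Wait for the in-flight request to complete; the BH sees acb->cancelled and leaves releasing the ACB to us. */`. If the final status is stored from a librbd callback thread rather than from the aio fd handler that qemu_aio_wait() drives, the plain load in the loop condition is worth a second look, though that cannot be confirmed from these hunks. qemu_rbd_aio_cancel's body ends inside the hunk, but the rest of the patch is not shown.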
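Review bot: The added `if (!acb->cancelled)` followed by `qemu_aio_release(acb);` in rbd_aio_bh_cb is unbraced, which QEMU's coding style does not allow even for a single statement (the while added in the first hunk is braced); the identical two lines in the `failed:` path of rbd_start_aio in the last hunk have the same problem. Write both as `if (!acb->cancelled) {` / `    qemu_aio_release(acb);` / `}`. Both enclosing functions start outside their hunks.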