From 7d4e634d538183e5f5da3932e37e5b357c91c3b4 Mon Sep 17 00:00:00 2001
Message-Id: <7d4e634d538183e5f5da3932e37e5b357c91c3b4.1346668737.git.minovotn@redhat.com>
In-Reply-To: <d22fc35d1e14760dba012d88bdf0162dd7d0f3c6.1346668737.git.minovotn@redhat.com>
References: <d22fc35d1e14760dba012d88bdf0162dd7d0f3c6.1346668737.git.minovotn@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 27 Aug 2012 13:42:05 +0200
Subject: [PATCH 02/10] scsi: add missing test for cancelled request

RH-Author: Paolo Bonzini <pbonzini@redhat.com>
Message-id: <1346074931-12083-2-git-send-email-pbonzini@redhat.com>
Patchwork-id: 41325
O-Subject: [RHEL 6.4 qemu-kvm PATCH 1/7] scsi: add missing test for cancelled request
Bugzilla: 805501
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Orit Wasserman <owasserm@redhat.com>

Bugzilla: 805501, 808664

Once a request has been canceled, scsi_cancel_io is called and takes
ownership of the reference that scsi_*_data passed to the AIO callback.
Double release of the reference leads to memory corruption.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b8aba8d7e3031ee3411a8e5eb07ac61f5b18f045)
---
 hw/scsi-disk.c | 4 +++-
 1 file modificato, 3 inserzioni(+). 1 rimozione(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/scsi-disk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 0324fcc..e25830b 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -168,7 +168,9 @@ static void scsi_dma_complete(void * opaque, int ret)
     scsi_req_complete(&r->req, GOOD);
 
 done:
-    scsi_req_unref(&r->req);
+    if (!r->req.io_canceled) {
+        scsi_req_unref(&r->req);
+    }
 }
 
 static void scsi_read_complete(void * opaque, int ret)
-- 
1.7.11.4

