AHCI: Fix port reset race

bdrv_aio_cancel() can trigger bdrv_aio_flush() which makes all aio that is currently in flight finish. So what we do is: port reset detect ncq in flight cancel ncq delete ncq sg list at which point we have double freed the sg list. Instead, with this patch we do: port reset detect ncq in flight cancel ncq check if we are really still in flight delete ncq sg list which makes things work and gets rid of the race. Signed-off-by: N Alexander Graf <agraf@suse.de> Signed-off-by: N Kevin Wolf <kwolf@redhat.com>

AHCI: Fix port reset race
bdrv_aio_cancel() can trigger bdrv_aio_flush() which makes all aio that is currently in flight finish. So what we do is: port reset detect ncq in flight cancel ncq delete ncq sg list at which point we have double freed the sg list. Instead, with this patch we do: port reset detect ncq in flight cancel ncq check if we are really still in flight delete ncq sg list which makes things work and gets rid of the race. Signed-off-by: N Alexander Graf <agraf@suse.de> Signed-off-by: N Kevin Wolf <kwolf@redhat.com>
c9b308d2 · Alexander Graf · Kevin Wolf · ea8f978f · c9b308d2
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

hw/ide/ahci.c hw/ide/ahci.c +5 -0

未找到文件。
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -560,6 +560,11 @@ static void ahci_reset_port(AHCIState *s, int port)
            ncq_tfs->aiocb = NULL;
        }

+        /* Maybe we just finished the request thanks to bdrv_aio_cancel() */
+        if (!ncq_tfs->used) {
+            continue;
+        }
+
        qemu_sglist_destroy(&ncq_tfs->sglist);
        ncq_tfs->used = 0;
    }