On 23/11/2015 01:41, Fam Zheng wrote:
> "werror=report" would free the req in virtio_blk_handle_rw_error, we
> mustn't write to it in that case.
>
> Reported-by: Paolo Bonzini <pbonz...@redhat.com>
> Signed-off-by: Fam Zheng <f...@redhat.com>
> ---
> hw/block/virtio-blk.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
> index 848f3fe..756ae5c 100644
> --- a/hw/block/virtio-blk.c
> +++ b/hw/block/virtio-blk.c
> @@ -72,6 +72,9 @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req,
> int error,
> VirtIOBlock *s = req->dev;
>
> if (action == BLOCK_ERROR_ACTION_STOP) {
> + /* Break the link as the next request is going to be parsed from the
> + * ring again. Otherwise we may end up doing a double completion! */
> + req->mr_next = NULL;
> req->next = s->rq;
> s->rq = req;
> } else if (action == BLOCK_ERROR_ACTION_REPORT) {
> @@ -112,10 +115,6 @@ static void virtio_blk_rw_complete(void *opaque, int ret)
> * happen on the other side of the migration).
> */
> if (virtio_blk_handle_rw_error(req, -ret, is_read)) {
> - /* Break the link in case the next request is added to the
> - * restart queue and is going to be parsed from the ring
> again.
> - */
> - req->mr_next = NULL;
> continue;
> }
> }
>
Reviewed-by: Paolo Bonzini <pbonz...@redhat.com>
