Bug fix: routines 'ioreq_runio_qemu_sync' and 'ioreq_runio_qemu_aio' won't call 'ioreq_unmap' or 'ioreq_finish' on errors, leaving ioreq in the blkdev->inflight list and a leak.
Signed-off-by: Feiran Zheng <famc...@gmail.com> --- hw/xen_disk.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) diff --git a/hw/xen_disk.c b/hw/xen_disk.c index 445bf03..7940fab 100644 --- a/hw/xen_disk.c +++ b/hw/xen_disk.c @@ -309,8 +309,10 @@ static int ioreq_runio_qemu_sync(struct ioreq *ioreq) int i, rc, len = 0; off_t pos; - if (ioreq->req.nr_segments && ioreq_map(ioreq) == -1) - goto err; + if (ioreq->req.nr_segments) { + if (ioreq_map(ioreq) == -1) + goto err_no_map; + } if (ioreq->presync) bdrv_flush(blkdev->bs); @@ -364,6 +366,9 @@ static int ioreq_runio_qemu_sync(struct ioreq *ioreq) return 0; err: + ioreq_unmap(ioreq); +err_no_map: + ioreq_finish(ioreq); ioreq->status = BLKIF_RSP_ERROR; return -1; } @@ -392,8 +397,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq) { struct XenBlkDev *blkdev = ioreq->blkdev; - if (ioreq->req.nr_segments && ioreq_map(ioreq) == -1) - goto err; + if (ioreq->req.nr_segments) { + if (ioreq_map(ioreq) == -1) + goto err_no_map; + } ioreq->aio_inflight++; if (ioreq->presync) @@ -425,9 +432,14 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq) qemu_aio_complete(ioreq, 0); return 0; + +err_no_map: + ioreq_finish(ioreq); + ioreq->status = BLKIF_RSP_ERROR; + return -1; err: - ioreq->status = BLKIF_RSP_ERROR; + qemu_aio_complete(ioreq, -1); return -1; }