The only caller of this function is blk_ioctl, a generated_co_wrapper function that needs to take the graph read lock.
Protecting bdrv_co_ioctl() implies that BlockDriver->bdrv_co_ioctl() is always called with graph rdlock taken, and BlockDriver->bdrv_aio_ioctl is a coroutine_fn callback (called too with rdlock taken). Signed-off-by: Emanuele Giuseppe Esposito <eespo...@redhat.com> --- block/block-backend.c | 1 + block/io.c | 1 + include/block/block_int-common.h | 5 +++-- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/block/block-backend.c b/block/block-backend.c index 20b772a476..9e1c689e84 100644 --- a/block/block-backend.c +++ b/block/block-backend.c @@ -1672,6 +1672,7 @@ blk_co_do_ioctl(BlockBackend *blk, unsigned long int req, void *buf) IO_CODE(); blk_wait_while_drained(blk); + GRAPH_RDLOCK_GUARD(); if (!blk_is_available(blk)) { return -ENOMEDIUM; diff --git a/block/io.c b/block/io.c index c5b3bb0a6d..831f277e85 100644 --- a/block/io.c +++ b/block/io.c @@ -3007,6 +3007,7 @@ int coroutine_fn bdrv_co_ioctl(BlockDriverState *bs, int req, void *buf) }; BlockAIOCB *acb; IO_CODE(); + assert_bdrv_graph_readable(); bdrv_inc_in_flight(bs); if (!drv || (!drv->bdrv_aio_ioctl && !drv->bdrv_co_ioctl)) { diff --git a/include/block/block_int-common.h b/include/block/block_int-common.h index 9d9cd59f1e..db97d61836 100644 --- a/include/block/block_int-common.h +++ b/include/block/block_int-common.h @@ -743,10 +743,11 @@ struct BlockDriver { void (*bdrv_eject)(BlockDriverState *bs, bool eject_flag); void (*bdrv_lock_medium)(BlockDriverState *bs, bool locked); - /* to control generic scsi devices */ - BlockAIOCB *(*bdrv_aio_ioctl)(BlockDriverState *bs, + /* to control generic scsi devices. Called with graph rdlock taken. */ + BlockAIOCB *coroutine_fn (*bdrv_aio_ioctl)(BlockDriverState *bs, unsigned long int req, void *buf, BlockCompletionFunc *cb, void *opaque); + /* Called with graph rdlock taken. */ int coroutine_fn (*bdrv_co_ioctl)(BlockDriverState *bs, unsigned long int req, void *buf); -- 2.31.1
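Review bot: The new `GRAPH_RDLOCK_GUARD();` in blk_co_do_ioctl is placed after `blk_wait_while_drained(blk);` without a comment, and the ordering is the non-obvious part of this hunk: nothing in the hunk says why the guard is not taken at the top of the function next to `IO_CODE();`. Presumably the intent is to avoid holding the graph rdlock across the yield inside blk_wait_while_drained(), but that should be confirmed and stated, e.g. `/* Take the rdlock only after the drain wait so it is never held across that yield. */` above the guard. The description also calls blk_ioctl the only caller of this function; if blk_co_do_ioctl is additionally reached from an AIO entry coroutine in this file, that claim is worth double-checking since every caller now inherits the guard. The body of blk_co_do_ioctl continues past the end of the hunk.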
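Review bot: The added `assert_bdrv_graph_readable();` makes the graph rdlock a hard precondition of bdrv_co_ioctl(), but the diffstat shows no change to the header that declares bdrv_co_ioctl(), so a caller reading the prototype does not learn about the requirement until the assertion fires at runtime. The same patch documents the requirement on the two BlockDriver callbacks, so the public entry point deserves the same treatment: add `/* Must be called with the graph rdlock held; see assert_bdrv_graph_readable(). */` to its declaration, or the lock-annotation attribute if this tree already provides one for prototypes. The assertion is placed before `bdrv_inc_in_flight(bs);`, which is the right spot: a violation is reported before any in-flight accounting is touched. The remainder of bdrv_co_ioctl(), including the dispatch to drv->bdrv_aio_ioctl / drv->bdrv_co_ioctl, lies outside the hunk.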
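Review bot: Adding `coroutine_fn` to the `bdrv_aio_ioctl` callback type changes the contract for every driver that implements it, and the diffstat shows no driver file is touched, so those implementations keep their unannotated signatures; any coroutine_fn consistency checker that compares a function's annotation with the callback slot it is assigned to will flag that mismatch, and the implementations should be annotated in the same series. A smaller style point on the same lines: inserting `coroutine_fn ` into `BlockAIOCB *coroutine_fn (*bdrv_aio_ioctl)(BlockDriverState *bs,` shifts the opening parenthesis, but the two continuation lines `unsigned long int req, void *buf,` and `BlockCompletionFunc *cb, void *opaque);` are left as context, so they are no longer aligned with it as the surrounding declarations are. The new comment wording is fine, though for symmetry the second added comment could name the callback's purpose as the first one does, e.g. `/* Coroutine variant of bdrv_aio_ioctl. Called with graph rdlock taken. */`. The `struct BlockDriver` definition extends beyond the hunk on both sides.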