On 02/07/2014 14:54, 陈梁 wrote:
>> The second call should have happened within dma_aio_cancel's call to
>> bdrv_aio_cancel. This is the real bug.
> IMO, the second call need not have happened within dma_aio_cancel's call to
> bdrv_aio_cancel.
> The double free will happen if dma_aio_cancel is called.
The callback must not be invoked after bdrv_aio_cancel. This is the
fundamental invariant of bdrv_aio_cancel. All implementations of AIOCB
must respect it, or bugs like this one happen.
Here, either bdrv_aio_cancel was not invoked, or the invariant was broken.
The other invariant, this time in dma-helpers.c, is that dma_bdrv_cb
either exits with no pending AIOCB, or it exits with a non-NULL
dbs->acb. If bdrv_aio_cancel was not invoked, this invariant was broken
because there is a pending AIOCB but it is not in dbs->acb.
Paolo
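The two invariants Paolo describes, as an added illustration that is not code from the thread or from QEMU: a constructed C model in which a backend that fires the callback after bdrv_aio_cancel makes dma_bdrv_cb release dbs a second time (the double free), while a backend that honours the cancel invariant does not. bdrv_aio_submit, backend_complete_* and the release counter are assumptions of this model, not QEMU APIs.

```c
#include <stdlib.h>

/* Constructed model of the AIOCB/dma-helpers invariants from the thread; names mirror
 * QEMU's but this is not QEMU code. */
typedef void (*AIOCallback)(void *opaque, int ret);
typedef struct { AIOCallback cb; void *opaque; int cancelled; } AIOCB;
/* dma-helpers state: acb must be non-NULL whenever a request is still pending;
 * released counts qemu_aio_release(dbs) calls, so 2 means a double free. */
typedef struct { AIOCB *acb; int released; } DMAState;
static AIOCB *bdrv_aio_submit(AIOCallback cb, void *opaque) {
    AIOCB *acb = calloc(1, sizeof *acb);
    acb->cb = cb;
    acb->opaque = opaque;
    return acb;
}

/* bdrv_aio_cancel: once this returns, the callback must never be invoked. */
static void bdrv_aio_cancel(AIOCB *acb) { acb->cancelled = 1; }

/* Backend that breaks the invariant: fires the callback even after cancellation. */
static void backend_complete_buggy(AIOCB *acb, int ret) {
    acb->cb(acb->opaque, ret);
    free(acb);
}

/* Backend that respects it: a cancelled AIOCB is torn down without its callback. */
static void backend_complete_correct(AIOCB *acb, int ret) {
    if (!acb->cancelled) acb->cb(acb->opaque, ret);
    free(acb);
}
static void dma_complete(DMAState *dbs) { dbs->acb = NULL; dbs->released++; }

/* Last step of the DMA transfer: no further AIOCB pending, so release dbs. */
static void dma_bdrv_cb(void *opaque, int ret) { (void)ret; dma_complete(opaque); }

static void dma_aio_cancel(DMAState *dbs) {
    if (dbs->acb) bdrv_aio_cancel(dbs->acb);
    dma_complete(dbs);
}

/* submit -> dma_aio_cancel -> backend completion; returns how often dbs was released. */
static int run_cancel_scenario(void (*complete)(AIOCB *, int)) {
    DMAState dbs = { 0 };
    AIOCB *acb = bdrv_aio_submit(dma_bdrv_cb, &dbs);
    dbs.acb = acb;
    dma_aio_cancel(&dbs);   /* the guest aborts the request */
    complete(acb, 0);       /* the backend later finishes it */
    return dbs.released;    /* 1 = correct, 2 = dma_complete ran again = double free */
}
```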