On 18/12/2015 01:57, Fam Zheng wrote:
> Oh hang on, in scsi_req_dequeue, if req->enqueued is already false, the
> matching scsi_req_unref is never called.
The matching unref for scsi_req_cancel_async's ref is in
scsi_req_cancel_complete. You're right that there is a leak if
we get to the second cancellation with req->aiocb, and we should
never get there with !req->aiocb. So the patch is wrong, but
we should add some documentation instead of plainly reverting it:
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index 00bddc9..378bf4d 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1759,6 +1759,17 @@ void scsi_req_cancel_async(SCSIRequest *req, Notifier
*notifier)
if (notifier) {
notifier_list_add(&req->cancel_notifiers, notifier);
}
+ if (req->io_canceled) {
+ /* Canceling a second time after scsi_req_cancel_complete
+ * is a programming error, hence a blk_aio_cancel_async is
+ * pending; when it finishes, scsi_req_cancel_complete
+ * will be called and will call the notifier we just
+ * added. Just wait for that.
+ */
+ assert(req->aiocb);
+ return;
+ }
+ /* Dropped in scsi_req_cancel_complete. */
scsi_req_ref(req);
scsi_req_dequeue(req);
req->io_canceled = true;
@@ -1775,6 +1784,8 @@ void scsi_req_cancel(SCSIRequest *req)
if (!req->enqueued) {
return;
}
+ assert(!req->io_canceled);
+ /* Dropped in scsi_req_cancel_complete. */
scsi_req_ref(req);
scsi_req_dequeue(req);
req->io_canceled = true;
Does this look sane?
Thanks,
Paolo
