Check reply-handle == request-handle in the same place where the recv coroutine number is calculated from reply->handle and its correctness is checked: in nbd_read_reply_entry.
Also finish nbd_read_reply_entry in case of reply-handle != request-handle in the same way as in case of incorrect reply-handle.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsement...@virtuozzo.com>
---
 block/nbd-client.h | 1 +
 block/nbd-client.c | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/block/nbd-client.h b/block/nbd-client.h
index 48e2559df6..aa36be8950 100644
--- a/block/nbd-client.h
+++ b/block/nbd-client.h
@@ -29,6 +29,7 @@ typedef struct NBDClientSession {
 struct {
 Coroutine *co;
+ NBDRequest *request;
 } requests[MAX_NBD_REQUESTS];
 NBDReply reply;
 } NBDClientSession;
diff --git a/block/nbd-client.c b/block/nbd-client.c
index 5eb126c399..0e12db4be3 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -88,7 +88,9 @@ static coroutine_fn void nbd_read_reply_entry(void *opaque)
 * one coroutine is called until the reply finishes. */
 i = HANDLE_TO_INDEX(s, s->reply.handle);
- if (i >= MAX_NBD_REQUESTS || !s->requests[i].co) {
+ if (i >= MAX_NBD_REQUESTS || !s->requests[i].co ||
+ s->reply.handle != s->requests[i].request->handle)
+ {
 break;
 }
@@ -135,6 +137,7 @@ static int nbd_co_request(BlockDriverState *bs,
 g_assert(qemu_in_coroutine());
 assert(i < MAX_NBD_REQUESTS);
 request->handle = INDEX_TO_HANDLE(s, i);
+ s->requests[i].request = request;
 if (!s->ioc) {
 qemu_co_mutex_unlock(&s->send_mutex);
@@ -170,11 +173,13 @@ static int nbd_co_request(BlockDriverState *bs,
 /* Wait until we're woken up by nbd_read_reply_entry. */
 qemu_coroutine_yield();
- if (s->reply.handle != request->handle || !s->ioc) {
+ if (!s->ioc || s->reply.handle == 0) {
 rc = -EIO;
 goto out;
 }
+ assert(s->reply.handle == request->handle);
+ if (qiov && s->reply.error == 0) {
 ret = nbd_rwv(s->ioc, qiov->iov, qiov->niov, request->len, true, NULL);
 if (ret != request->len) {
-- 2.11.1
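Review bot: The new `request` member in block/nbd-client.h holds a pointer to the caller's NBDRequest and nothing in this patch ever resets it, so it is only safe to dereference while `requests[i].co` is non-NULL; the code that clears `co` is not visible here. The same pointer is assigned in the first nbd_co_request hunk and dereferenced in the nbd_read_reply_entry hunk. Because only the handle is compared, storing the value instead (`uint64_t handle;`, set with `s->requests[i].handle = request->handle;`) would remove the lifetime dependency altogether. If the pointer stays, a comment such as `/* valid only while co != NULL */` on the member would record the invariant.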
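Review bot: The condition extended in nbd_read_reply_entry validates a handle that comes from the server, but nothing at that spot says so, and the three reasons for `break` (index out of range, empty slot, handle mismatch) cannot be told apart afterwards. A comment above the `if` would help the next reader, for example `/* reply.handle is server-controlled: reject anything that does not match the in-flight request in slot i */`. The added `{` on a line of its own also differs from the brace placement of the line it replaces. The function body starts and ends outside the hunk.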
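Review bot: The second nbd_co_request hunk turns a handle mismatch from an `-EIO` return into `assert(s->reply.handle == request->handle);`, so any path that wakes this coroutine with a non-zero, non-matching `s->reply.handle` now aborts the process instead of failing one request. That value originates from the server, and the code that would have to zero it when nbd_read_reply_entry breaks out of its loop is not part of this patch, so the invariant cannot be confirmed from the diff. Keeping the mismatch inside the error path, `if (!s->ioc || s->reply.handle == 0 || s->reply.handle != request->handle) {`, preserves the new zero sentinel while containing a violated invariant to the request. The function continues outside the hunk.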