diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2013-01-22 17:34:29 +0100 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2013-01-24 15:37:55 +0100 |
| commit | 4790b03d308f6c7dea7dc6941ddab9867c9530b8 (patch) | |
| tree | 28bb95e19bbd65ad77005738575184ef63d545b2 | |
| parent | 3f668b6c5dc9747d0367837532c3b2ce0520cc17 (diff) | |
| download | qemu-4790b03d308f6c7dea7dc6941ddab9867c9530b8.tar.gz | |
iscsi: do not leak acb->buf when commands are aborted
acb->buf is freed in the WRITE(16) callback, but this may not
get called at all when commands are aborted. Add another
free in the ABORT TASK callback, which requires setting acb->buf
to NULL everywhere.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| -rw-r--r-- | block/iscsi.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/block/iscsi.c b/block/iscsi.c index fd54a1550e..b647201ec2 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -77,6 +77,9 @@ iscsi_bh_cb(void *p) qemu_bh_delete(acb->bh); + g_free(acb->buf); + acb->buf = NULL; + if (acb->canceled == 0) { acb->common.cb(acb->common.opaque, acb->status); } @@ -198,6 +201,7 @@ iscsi_aio_write16_cb(struct iscsi_context *iscsi, int status, trace_iscsi_aio_write16_cb(iscsi, status, acb, acb->canceled); g_free(acb->buf); + acb->buf = NULL; if (acb->canceled != 0) { return; @@ -241,6 +245,7 @@ iscsi_aio_writev(BlockDriverState *bs, int64_t sector_num, acb->canceled = 0; acb->bh = NULL; acb->status = -EINPROGRESS; + acb->buf = NULL; /* XXX we should pass the iovec to write16 to avoid the extra copy */ /* this will allow us to get rid of 'buf' completely */ @@ -249,7 +254,6 @@ iscsi_aio_writev(BlockDriverState *bs, int64_t sector_num, /* if the iovec only contains one buffer we can pass it directly */ if (acb->qiov->niov == 1) { - acb->buf = NULL; data.data = acb->qiov->iov[0].iov_base; } else { acb->buf = g_malloc(data.size); @@ -440,6 +444,7 @@ iscsi_aio_flush(BlockDriverState *bs, acb->canceled = 0; acb->bh = NULL; acb->status = -EINPROGRESS; + acb->buf = NULL; acb->task = iscsi_synchronizecache10_task(iscsi, iscsilun->lun, 0, 0, 0, 0, @@ -493,6 +498,7 @@ iscsi_aio_discard(BlockDriverState *bs, acb->canceled = 0; acb->bh = NULL; acb->status = -EINPROGRESS; + acb->buf = NULL; list[0].lba = sector_qemu2lun(sector_num, iscsilun); list[0].num = nb_sectors * BDRV_SECTOR_SIZE / iscsilun->block_size; |