authorStefan Hajnoczi2014-07-09 10:05:47 +0200
committerKevin Wolf2014-07-14 12:03:20 +0200
commitabd764250fbce6f285513d74f03eb5c526e520f6 (patch)
treef782045c780ae30049bef65a2e0c819ceaf8aaa1 /hw/virtio
parentvirtio-blk: avoid dataplane VirtIOBlockReq early free (diff)
dataplane: do not free VirtQueueElement in vring_push()
VirtQueueElement is allocated in vring_pop() so it seems to make sense that vring_push() should free it. Alas, virtio-blk frees VirtQueueElement itself in virtio_blk_free_request(). This patch solves a double-free assertion in glib's g_slice_free(). Rename vring_free_element() to vring_unmap_element() since it no longer frees the VirtQueueElement. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Tested-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'hw/virtio')
-rw-r--r--hw/virtio/dataplane/vring.c9
1 files changed, 4 insertions, 5 deletions
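--- a/hw/virtio/dataplane/vring.c
+++ b/hw/virtio/dataplane/vring.c
@@ -272,7 +272,7 @@ static int get_indirect(Vring *vring, VirtQueueElement *elem,
 return 0;
 }
-void vring_free_element(VirtQueueElement *elem)
+static void vring_unmap_element(VirtQueueElement *elem)
 {
 int i;
@@ -287,8 +287,6 @@ void vring_free_element(VirtQueueElement *elem)
 for (i = 0; i < elem->in_num; i++) {
 vring_unmap(elem->in_sg[i].iov_base, true);
 }
-
- g_slice_free(VirtQueueElement, elem);
 }
 /* This looks in the virtqueue and for the first available buffer, and converts
@@ -402,7 +400,8 @@ out:
 vring->broken = true;
 }
 if (elem) {
- vring_free_element(elem);
+ vring_unmap_element(elem);
+ g_slice_free(VirtQueueElement, elem);
 }
 *p_elem = NULL;
 return ret;
@@ -418,7 +417,7 @@ void vring_push(Vring *vring, VirtQueueElement *elem, int len)
 unsigned int head = elem->index;
 uint16_t new;
- vring_free_element(elem);
+ vring_unmap_element(elem);
 /* Don't touch vring if a fatal error occurred */
 if (vring->broken) {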
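Review bot: After vring_push() returns, elem is still owned by the caller but its in_sg/out_sg iov_base pointers have been unmapped by vring_unmap_element(), and nothing in the hunk at @@ -418 states that; a caller that reads the buffers after pushing would touch unmapped guest memory. I would put the contract above vring_push(), whose body continues past the hunk: `/* Unmaps elem's buffers but does not free elem: the caller owns it and must g_slice_free() it afterwards, and must not touch its iovecs once this returns. */`. The same unmap-then-free pair appears in the vring_pop() error path at @@ -402, so that path and the callers now share one ownership rule worth stating once. If vring_free_element() was also declared in a header, that declaration lies outside this diffstat (limited to hw/virtio) and should be dropped now that the function is static.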