From 18adde86ddc6dbef865a3d360bf8e15dce85756d Mon Sep 17 00:00:00 2001
From: Greg Kurz
Date: Tue, 4 Apr 2017 18:06:01 +0200
Subject: [PATCH 1/2] 9pfs: fix multiple flush for same request

If a client tries to flush the same outstanding request several times, only the first flush completes. Subsequent ones keep waiting for the request completion in v9fs_flush() and, therefore, leak a PDU. This will cause QEMU to hang when draining active PDUs the next time the device is reset. Let have each flush request wake up the next one if any. The last waiter frees the cancelled PDU.

Signed-off-by: Greg Kurz
Reviewed-by: Eric Blake
---
 hw/9pfs/9p.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 48babce836..ef47a0a5ad 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2387,8 +2387,10 @@ static void coroutine_fn v9fs_flush(void *opaque)
 * Wait for pdu to complete.
 */
 qemu_co_queue_wait(&cancel_pdu->complete, NULL);
- cancel_pdu->cancelled = 0;
- pdu_free(cancel_pdu);
+ if (!qemu_co_queue_next(&cancel_pdu->complete)) {
+ cancel_pdu->cancelled = 0;
+ pdu_free(cancel_pdu);
+ }
 }
 pdu_complete(pdu, 7);
 }

From 6d54af0ea9eeee70b4c0eb48bd2ae1d22b207dd4 Mon Sep 17 00:00:00 2001
From: Greg Kurz
Date: Tue, 4 Apr 2017 18:06:01 +0200
Subject: [PATCH 2/2] 9pfs: clear migration blocker at session reset

The migration blocker survives a device reset: if the guest mounts a 9p share and then gets rebooted with system_reset, it will be unmigratable until it remounts and umounts the 9p share again. This happens because the migration blocker is supposed to be cleared when we put the last reference on the root fid, but virtfs_reset() wrongly calls free_fid() instead of put_fid(). This patch fixes virtfs_reset() so that it honor the way fids are supposed to be manipulated: first get a reference and later put it back when you're done.
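Review bot: In the v9fs_flush() hunk, the added `if (!qemu_co_queue_next(&cancel_pdu->complete))` makes the whole fix hinge on that return value meaning "another flush was waiting and has just been woken", and nothing near the line says so; the comment above the wait still reads only `* Wait for pdu to complete.` and should describe the hand-off, e.g. `* Wait for pdu to complete, then wake the next flush waiting on the same PDU, if any. Only the last waiter clears ->cancelled and frees the PDU.` Without that, a later reader could reasonably "simplify" the block back to an unconditional pdu_free() and reintroduce the double free / leak the description is fixing. The path that found cancel_pdu and set its cancelled flag begins outside the hunk, so whether pdu_complete() on the cancelled side is what keeps the PDU alive for the queued waiters cannot be checked from here.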
Signed-off-by: Greg Kurz
Reviewed-by: Li Qiang
---
 hw/9pfs/9p.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index ef47a0a5ad..c80ba67389 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -539,14 +539,15 @@ static void coroutine_fn virtfs_reset(V9fsPDU *pdu)
 /* Free all fids */
 while (s->fid_list) {
+ /* Get fid */
 fidp = s->fid_list;
- s->fid_list = fidp->next;
+ fidp->ref++;
- if (fidp->ref) {
- fidp->clunked = 1;
- } else {
- free_fid(pdu, fidp);
- }
+ /* Clunk fid */
+ s->fid_list = fidp->next;
+ fidp->clunked = 1;
+
+ put_fid(pdu, fidp);
 }
 }
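Review bot: The context comment `/* Free all fids */` above the loop no longer describes what the new body does: each fid is now unlinked, marked clunked and handed to put_fid(), so one that is still referenced elsewhere is presumably only clunked here and freed when its last holder drops its reference; suggest `/* Clunk all fids; each one is freed when its last reference is put */`. The bare `fidp->ref++` under `/* Get fid */` is the load-bearing line and deserves a why-comment, since it takes the reference by hand rather than through a lookup helper and must stay paired with the `put_fid(pdu, fidp)` below (an unpaired increment leaks the fid, a missing increment frees it while in use), e.g. `/* Take a reference by hand: the fid comes straight off the list. put_fid() releases it and, for the root fid, lifts the migration blocker. */`. The function's declarations and the setup of `s` start outside the hunk.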