virtio-blk: Move resetting of req->mr_next to virtio_blk_handle_rw_error

"werror=report" would free the req in virtio_blk_handle_rw_error, we
mustn't write to it in that case.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1448239280-15025-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 848f3fe3e1122e174cf0ded843bd2f95d11fa639..756ae5ce63222f822eeb1ee150b95f99df93ba57 100644 (file)
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -72,6 +72,9 @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
     VirtIOBlock *s = req->dev;
 
     if (action == BLOCK_ERROR_ACTION_STOP) {
+        /* Break the link as the next request is going to be parsed from the
+         * ring again. Otherwise we may end up doing a double completion! */
+        req->mr_next = NULL;
         req->next = s->rq;
         s->rq = req;
     } else if (action == BLOCK_ERROR_ACTION_REPORT) {
@@ -112,10 +115,6 @@ static void virtio_blk_rw_complete(void *opaque, int ret)
              * happen on the other side of the migration).
              */
             if (virtio_blk_handle_rw_error(req, -ret, is_read)) {
-                /* Break the link in case the next request is added to the
-                 * restart queue and is going to be parsed from the ring again.
-                 */
-                req->mr_next = NULL;
                 continue;
             }
         }