From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 4 May 2010 14:35:24 +0000 (+0200)
Subject: ide: Fix ide_dma_cancel
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=38d8dfa193e9a45f0f08b06aab2ba2a94f40a041;p=qemu.git

ide: Fix ide_dma_cancel

When cancelling a request, bdrv_aio_cancel may decide that it waits for
completion of a request rather than for cancellation. IDE therefore can't
abandon its DMA status before calling bdrv_aio_cancel; otherwise the callback
of a completed request would use invalid data.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---

diff --git a/hw/ide/core.c b/hw/ide/core.c
index b0165bcc02..066fecb0c0 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2838,10 +2838,6 @@ static void ide_dma_restart(IDEState *s, int is_read)
 void ide_dma_cancel(BMDMAState *bm)
 {
     if (bm->status & BM_STATUS_DMAING) {
-        bm->status &= ~BM_STATUS_DMAING;
-        /* cancel DMA request */
-        bm->unit = -1;
-        bm->dma_cb = NULL;
         if (bm->aiocb) {
 #ifdef DEBUG_AIO
             printf("aio_cancel\n");
@@ -2849,6 +2845,10 @@ void ide_dma_cancel(BMDMAState *bm)
             bdrv_aio_cancel(bm->aiocb);
             bm->aiocb = NULL;
         }
+        bm->status &= ~BM_STATUS_DMAING;
+        /* cancel DMA request */
+        bm->unit = -1;
+        bm->dma_cb = NULL;
     }
 }