qemu-devel

Re: [Qemu-devel] [PATCH] virtio-scsi: fix use-after-free of VirtIOSCSIRe


From: Fam Zheng
Subject: Re: [Qemu-devel] [PATCH] virtio-scsi: fix use-after-free of VirtIOSCSIReq
Date: Thu, 9 Oct 2014 14:00:52 +0800
User-agent: Mutt/1.5.23 (2014-03-12)

On Wed, 10/08 11:37, Paolo Bonzini wrote:
> scsi_req_continue can complete the request and cause the VirtIOSCSIReq
> to be freed.  Fetch req->sreq just once to avoid the bug.
> 
> Reported-by: Richard Jones <address@hidden>
> Tested-by: Richard Jones <address@hidden>
> Signed-off-by: Paolo Bonzini <address@hidden>
> ---
>  hw/scsi/virtio-scsi.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
> index 203e624..6c02fe2 100644
> --- a/hw/scsi/virtio-scsi.c
> +++ b/hw/scsi/virtio-scsi.c
> @@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, 
> VirtIOSCSIReq *req)
>  
>  void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
>  {
> -    if (scsi_req_enqueue(req->sreq)) {
> -        scsi_req_continue(req->sreq);
> +    SCSIRequest *sreq = req->sreq;
> +    if (scsi_req_enqueue(sreq)) {
> +        scsi_req_continue(sreq);
>      }
> -    bdrv_io_unplug(req->sreq->dev->conf.bs);
> -    scsi_req_unref(req->sreq);
> +    bdrv_io_unplug(sreq->dev->conf.bs);
> +    scsi_req_unref(sreq);
>  }
>  
>  static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
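
Review bot: The new local `sreq` in virtio_scsi_handle_cmd_req_submit carries no comment explaining why `req` must not be dereferenced once `scsi_req_continue(sreq)` has run, so a later cleanup could fold it back into `req->sreq` and reintroduce the use-after-free. Suggest a short comment on the declaration, for example `/* req can be freed by scsi_req_continue(); only use sreq below */`. The remaining uses, `bdrv_io_unplug(sreq->dev->conf.bs)` and `scsi_req_unref(sreq)`, rely on the SCSIRequest outliving the VirtIOSCSIReq. The trailing `scsi_req_unref(sreq)` suggests this path holds its own reference, but where that reference is taken is outside the visible lines, so it is worth naming in the same comment. Minor style point: a blank line between the declaration and the `if` would separate declarations from statements.
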
> -- 
> 1.8.3.1
> 
Reviewed-by: Fam Zheng <address@hidden>


