From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 25/28] virtio-scsi: fix use-after-free of VirtIOSCSIReq
Date: Thu, 9 Oct 2014 12:17:32 +0200
scsi_req_continue can complete the request and cause the VirtIOSCSIReq
to be freed. Fetch req->sreq just once to avoid the bug.
Reported-by: Richard Jones <address@hidden>
Tested-by: Richard Jones <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/virtio-scsi.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 203e624..6c02fe2 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s,
VirtIOSCSIReq *req)
void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
{
- if (scsi_req_enqueue(req->sreq)) {
- scsi_req_continue(req->sreq);
+ SCSIRequest *sreq = req->sreq;
+ if (scsi_req_enqueue(sreq)) {
+ scsi_req_continue(sreq);
}
- bdrv_io_unplug(req->sreq->dev->conf.bs);
- scsi_req_unref(req->sreq);
+ bdrv_io_unplug(sreq->dev->conf.bs);
+ scsi_req_unref(sreq);
}
static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
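Review bot: the local sreq is only safe to use after scsi_req_continue(sreq) because this function holds its own reference on the SCSIRequest (the one released by the trailing scsi_req_unref(sreq)), and nothing in the hunk records that invariant. Add a comment above the if, for example "/* scsi_req_continue() may complete the request and free req; only sreq, on which we hold a reference, may be touched afterwards. */", so a later change does not reintroduce a req-> dereference below the call. The read of sreq->dev->conf.bs in bdrv_io_unplug(sreq->dev->conf.bs) depends on that same reference keeping sreq alive, so the comment should cover it too.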
--
1.8.3.1
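The bug the commit message describes, as an added example that is not part of the original message or of QEMU's code: a small C model in which scsi_req_continue() may complete the request synchronously and free the VirtIOSCSIReq through the completion callback, next to the before and after forms of the submit function. The struct layouts, the helpers and the read_req_sreq() instrumentation (which keeps the freed memory and counts reads of req->sreq after the free, standing in for what a crash or AddressSanitizer would report on the real code) are assumptions made for this example; bdrv_io_unplug() takes the request directly instead of sreq->dev->conf.bs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: field names follow the patch, layouts and helpers are
 * assumptions for this example, not QEMU's own definitions. */
typedef struct VirtIOSCSIReq VirtIOSCSIReq;

typedef struct SCSIRequest {
    int refcount;
    VirtIOSCSIReq *hba_private;  /* owning VirtIOSCSIReq, freed on completion */
    bool completes_inline;       /* does scsi_req_continue() finish the I/O at once? */
    int io_plug_depth;           /* stands in for the sreq->dev->conf.bs plug state */
} SCSIRequest;

struct VirtIOSCSIReq {
    SCSIRequest *sreq;
    bool freed;                  /* instrumentation: set where the real code frees req */
};

/* Instrumentation: the model keeps the memory of a "freed" VirtIOSCSIReq and
 * counts every read of req->sreq made after the free (undefined behaviour in
 * the real code, which a crash or AddressSanitizer would report instead). */
static int g_dangling_reads;

static SCSIRequest *read_req_sreq(VirtIOSCSIReq *req)
{
    if (req->freed) {
        g_dangling_reads++;
    }
    return req->sreq;
}

static void scsi_req_ref(SCSIRequest *sreq) { sreq->refcount++; }

static void scsi_req_unref(SCSIRequest *sreq)
{
    if (--sreq->refcount == 0) {
        free(sreq);
    }
}

/* Completion callback: frees the VirtIOSCSIReq and drops the request's own reference. */
static void virtio_scsi_request_complete(SCSIRequest *sreq)
{
    VirtIOSCSIReq *req = sreq->hba_private;
    sreq->hba_private = NULL;
    req->freed = true;           /* where the real code frees req */
    scsi_req_unref(sreq);
}

static bool scsi_req_enqueue(SCSIRequest *sreq) { return sreq != NULL; }

/* May complete the request synchronously, which frees req: the bug trigger. */
static void scsi_req_continue(SCSIRequest *sreq)
{
    if (sreq->completes_inline) {
        virtio_scsi_request_complete(sreq);
    }
}

static void bdrv_io_unplug(SCSIRequest *sreq) { sreq->io_plug_depth--; }

/* Before the patch: req->sreq is re-read after scsi_req_continue() may have freed req. */
static int submit_before(VirtIOSCSIReq *req)
{
    g_dangling_reads = 0;
    if (scsi_req_enqueue(read_req_sreq(req))) {
        scsi_req_continue(read_req_sreq(req));
    }
    bdrv_io_unplug(read_req_sreq(req));     /* dangling read if req was freed */
    scsi_req_unref(read_req_sreq(req));     /* dangling read if req was freed */
    return g_dangling_reads;
}

/* After the patch: req->sreq is read once; only the local is used afterwards. */
static int submit_after(VirtIOSCSIReq *req)
{
    g_dangling_reads = 0;
    SCSIRequest *sreq = read_req_sreq(req);
    if (scsi_req_enqueue(sreq)) {
        scsi_req_continue(sreq);
    }
    bdrv_io_unplug(sreq);
    scsi_req_unref(sreq);
    return g_dangling_reads;
}

/* Build a request pair; the submit path takes the reference that its trailing unref releases. */
static VirtIOSCSIReq *make_req(bool completes_inline)
{
    SCSIRequest *sreq = calloc(1, sizeof(*sreq));
    VirtIOSCSIReq *req = calloc(1, sizeof(*req));
    sreq->refcount = 1;          /* the reference created by scsi_req_new() */
    sreq->hba_private = req;
    sreq->completes_inline = completes_inline;
    sreq->io_plug_depth = 1;     /* bdrv_io_plug() done in the prepare step */
    req->sreq = sreq;
    scsi_req_ref(sreq);          /* the submit path's own reference */
    return req;
}

/* Run one scenario and return how many reads hit the freed VirtIOSCSIReq. */
static int run_scenario(bool patched, bool completes_inline)
{
    VirtIOSCSIReq *req = make_req(completes_inline);
    int hits = patched ? submit_after(req) : submit_before(req);
    if (!completes_inline) {
        virtio_scsi_request_complete(req->sreq);  /* backend finishes later; avoid a leak */
    }
    free(req);                   /* deferred by the model so the reads above were observable */
    return hits;
}

int main(void)
{
    printf("before patch, inline completion: %d dangling reads\n", run_scenario(false, true));
    printf("before patch, async completion:  %d dangling reads\n", run_scenario(false, false));
    printf("after patch,  inline completion: %d dangling reads\n", run_scenario(true, true));
    printf("after patch,  async completion:  %d dangling reads\n", run_scenario(true, false));
    return 0;
}
```

Build with `cc -Wall -o uaf uaf.c && ./uaf`. The unpatched submit reports two dangling reads only when completion happens inline, which is why the bug depends on the backend finishing the I/O synchronously; the patched form reports none in either case, but only because the submit path's own reference keeps sreq alive until the final scsi_req_unref().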