haraldwolff/qemu-patch-raspberry4
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

virtio-scsi: fix use-after-free of VirtIOSCSIReq

Browse source 
scsi_req_continue can complete the request and cause the VirtIOSCSIReq
to be freed.  Fetch req->sreq just once to avoid the bug.

Reported-by: Richard Jones <rjones@redhat.com>
Tested-by: Richard Jones <rjones@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Paolo Bonzini 2014-10-08 01:19:00 +02:00
parent cdebec5e40
commit 35e4e96c4d
1 changed files with 5 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
hw/scsi/virtio-scsi.c
View file

@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req) void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
{ {
if (scsi_req_enqueue(req->sreq)) { SCSIRequest *sreq = req->sreq;
scsi_req_continue(req->sreq); if (scsi_req_enqueue(sreq)) {
scsi_req_continue(sreq);
} }
bdrv_io_unplug(req->sreq->dev->conf.bs); bdrv_io_unplug(sreq->dev->conf.bs);
scsi_req_unref(req->sreq); scsi_req_unref(sreq);
} }
static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq) static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)