[Qemu-devel] [PATCH] virtio-scsi: fix use-after-free of VirtIOSCSIReq
From: Paolo Bonzini
Subject: [Qemu-devel] [PATCH] virtio-scsi: fix use-after-free of VirtIOSCSIReq
Date: Wed, 8 Oct 2014 11:37:24 +0200
scsi_req_continue can complete the request and cause the VirtIOSCSIReq
to be freed. Fetch req->sreq just once to avoid the bug.
Reported-by: Richard Jones <address@hidden>
Tested-by: Richard Jones <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/virtio-scsi.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 203e624..6c02fe2 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s,
VirtIOSCSIReq *req)
void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
{
- if (scsi_req_enqueue(req->sreq)) {
- scsi_req_continue(req->sreq);
+ SCSIRequest *sreq = req->sreq;
+ if (scsi_req_enqueue(sreq)) {
+ scsi_req_continue(sreq);
}
- bdrv_io_unplug(req->sreq->dev->conf.bs);
- scsi_req_unref(req->sreq);
+ bdrv_io_unplug(sreq->dev->conf.bs);
+ scsi_req_unref(sreq);
}
static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
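Review bot: Nothing at the new "SCSIRequest *sreq = req->sreq;" line in virtio_scsi_handle_cmd_req_submit() tells a later reader that req must not be dereferenced once scsi_req_continue(sreq) has returned, so a future cleanup could fold the local back into req->sreq and reintroduce the use-after-free. A short comment above the declaration, for example /* req may be freed by scsi_req_continue(); use sreq from here on */, would pin that down. The remaining uses, bdrv_io_unplug(sreq->dev->conf.bs) and scsi_req_unref(sreq), are only safe if the reference released by that final scsi_req_unref() is still held across the completion; the hunk does not show where that reference is taken, so it is worth stating in the same comment. A blank line between the declaration and the if would also make the function easier to read.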
--
1.8.3.1