aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaolo Bonzini <pbonzini@redhat.com>2014-10-08 01:19:00 +0200
committerPaolo Bonzini <pbonzini@redhat.com>2014-10-09 15:36:15 +0200
commit35e4e96c4d5bfcf8a22930d8e99f7c8c44420062 (patch)
treec5603336cb7682e5aa965e5acba854ed827b9f62
parentcdebec5e40bd0af82da0659f37af85ee2aa2c9d1 (diff)
downloadqemu-35e4e96c4d5bfcf8a22930d8e99f7c8c44420062.zip
qemu-35e4e96c4d5bfcf8a22930d8e99f7c8c44420062.tar.gz
qemu-35e4e96c4d5bfcf8a22930d8e99f7c8c44420062.tar.bz2
virtio-scsi: fix use-after-free of VirtIOSCSIReq
scsi_req_continue can complete the request and cause the VirtIOSCSIReq to be freed. Fetch req->sreq just once to avoid the bug. Reported-by: Richard Jones <rjones@redhat.com> Tested-by: Richard Jones <rjones@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r--hw/scsi/virtio-scsi.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 203e624..6c02fe2 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
{
- if (scsi_req_enqueue(req->sreq)) {
- scsi_req_continue(req->sreq);
+ SCSIRequest *sreq = req->sreq;
+ if (scsi_req_enqueue(sreq)) {
+ scsi_req_continue(sreq);
}
- bdrv_io_unplug(req->sreq->dev->conf.bs);
- scsi_req_unref(req->sreq);
+ bdrv_io_unplug(sreq->dev->conf.bs);
+ scsi_req_unref(sreq);
}
static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)