diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2014-10-08 01:19:00 +0200 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2014-10-09 15:36:15 +0200 |
commit | 35e4e96c4d5bfcf8a22930d8e99f7c8c44420062 (patch) | |
tree | c5603336cb7682e5aa965e5acba854ed827b9f62 | |
parent | cdebec5e40bd0af82da0659f37af85ee2aa2c9d1 (diff) | |
download | qemu-35e4e96c4d5bfcf8a22930d8e99f7c8c44420062.zip qemu-35e4e96c4d5bfcf8a22930d8e99f7c8c44420062.tar.gz qemu-35e4e96c4d5bfcf8a22930d8e99f7c8c44420062.tar.bz2 |
virtio-scsi: fix use-after-free of VirtIOSCSIReq
scsi_req_continue can complete the request and cause the VirtIOSCSIReq
to be freed. Fetch req->sreq just once to avoid the bug.
Reported-by: Richard Jones <rjones@redhat.com>
Tested-by: Richard Jones <rjones@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r-- | hw/scsi/virtio-scsi.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c index 203e624..6c02fe2 100644 --- a/hw/scsi/virtio-scsi.c +++ b/hw/scsi/virtio-scsi.c @@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req) void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req) { - if (scsi_req_enqueue(req->sreq)) { - scsi_req_continue(req->sreq); + SCSIRequest *sreq = req->sreq; + if (scsi_req_enqueue(sreq)) { + scsi_req_continue(sreq); } - bdrv_io_unplug(req->sreq->dev->conf.bs); - scsi_req_unref(req->sreq); + bdrv_io_unplug(sreq->dev->conf.bs); + scsi_req_unref(sreq); } static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq) |