authorKevin Wolf <kwolf@redhat.com>2010-03-31 17:46:59 +0200
committerAurelien Jarno <aurelien@aurel32.net>2010-04-18 23:55:19 +0200
commit908bb9497bcb5543930cc345326afff939a6ffa4 (patch)
tree99ceadfe6109161cc034d88ccdc578fbc672cb72
parent5369e3c0b8997210a2558191d8451775f7643683 (diff)
virtio-blk: Fix use after free in error case
virtio_blk_req_complete frees the request, so we can't access it any more when calling bdrv_mon_event. Use the pointer that was copied earlier. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
-rw-r--r--hw/virtio-blk.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index 9915840..01d77b8 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -65,7 +65,7 @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
VirtIOBlock *s = req->dev;
if (action == BLOCK_ERR_IGNORE) {
- bdrv_mon_event(req->dev->bs, BDRV_ACTION_IGNORE, is_read);
+ bdrv_mon_event(s->bs, BDRV_ACTION_IGNORE, is_read);
return 0;
}
@@ -73,11 +73,11 @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
|| action == BLOCK_ERR_STOP_ANY) {
req->next = s->rq;
s->rq = req;
- bdrv_mon_event(req->dev->bs, BDRV_ACTION_STOP, is_read);
+ bdrv_mon_event(s->bs, BDRV_ACTION_STOP, is_read);
vm_stop(0);
} else {
virtio_blk_req_complete(req, VIRTIO_BLK_S_IOERR);
- bdrv_mon_event(req->dev->bs, BDRV_ACTION_REPORT, is_read);
+ bdrv_mon_event(s->bs, BDRV_ACTION_REPORT, is_read);
}
return 1;
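Review bot: The else branch at the end of the hunk still calls bdrv_mon_event() after virtio_blk_req_complete() has freed req, so the only thing keeping the use-after-free from being reintroduced is that `s` (cached from `req->dev` at the top of the function) is now passed instead of `req->dev`, and nothing in the code marks that boundary. I would add a comment above the completion call, `/* virtio_blk_req_complete() frees req; only the cached s may be used after this */`, or alternatively reorder the two calls so the monitor event is emitted before the request is completed, which makes the ownership transfer obvious without relying on a comment. The STOP branch is fine as written since it queues req on s->rq rather than freeing it, and the IGNORE branch in the earlier hunk uses the same cached pointer only for consistency. virtio_blk_handle_rw_error's signature is outside the hunk and its closing brace follows the last line shown.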