Commit 35e4e96c authored by Paolo Bonzini

virtio-scsi: fix use-after-free of VirtIOSCSIReq



scsi_req_continue can complete the request and cause the VirtIOSCSIReq
to be freed.  Fetch req->sreq just once to avoid the bug.

Reported-by: Richard Jones <rjones@redhat.com>
Tested-by: Richard Jones <rjones@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
parent cdebec5e
+5 −4
@@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)

void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
{
    if (scsi_req_enqueue(req->sreq)) {
        scsi_req_continue(req->sreq);
    SCSIRequest *sreq = req->sreq;
    if (scsi_req_enqueue(sreq)) {
        scsi_req_continue(sreq);
    }
    bdrv_io_unplug(req->sreq->dev->conf.bs);
    scsi_req_unref(req->sreq);
    bdrv_io_unplug(sreq->dev->conf.bs);
    scsi_req_unref(sreq);
}

static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
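Review bot: The new `SCSIRequest *sreq = req->sreq;` at the top of virtio_scsi_handle_cmd_req_submit carries no explanation of why the pointer is cached, so a later cleanup could fold it back into `req->sreq` and silently reintroduce the use-after-free this commit fixes. A comment on that line would pin the invariant: `/* scsi_req_continue() may complete the request and free req; use our own sreq pointer, which stays valid until the scsi_req_unref() below. */`. That a reference on sreq is held across scsi_req_continue is inferred from the trailing scsi_req_unref rather than shown in the hunk, so the wording should be checked against the prepare path before it is added. The `s` parameter remains unused in this body, as it was before the change.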