virtio-scsi: fix use-after-free of VirtIOSCSIReq
scsi_req_continue can complete the request and cause the VirtIOSCSIReq to be freed. Fetch req->sreq just once to avoid the bug. Reported-by: Richard Jones <rjones@redhat.com> Tested-by: Richard Jones <rjones@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
parent
cdebec5e40
commit
35e4e96c4d
@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
|
||||
|
||||
void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
|
||||
{
|
||||
if (scsi_req_enqueue(req->sreq)) {
|
||||
scsi_req_continue(req->sreq);
|
||||
SCSIRequest *sreq = req->sreq;
|
||||
if (scsi_req_enqueue(sreq)) {
|
||||
scsi_req_continue(sreq);
|
||||
}
|
||||
bdrv_io_unplug(req->sreq->dev->conf.bs);
|
||||
scsi_req_unref(req->sreq);
|
||||
bdrv_io_unplug(sreq->dev->conf.bs);
|
||||
scsi_req_unref(sreq);
|
||||
}
|
||||
|
||||
static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
|
||||
|
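Review bot: The lifetime rule this fix depends on is not written down anywhere in virtio_scsi_handle_cmd_req_submit, so a later edit could reintroduce `req->sreq` after the scsi_req_continue() call and bring the use-after-free back. I would add a comment above the new local, for example `/* scsi_req_continue() may complete the request and free req; only sreq may be used after it. */`. The remaining uses, `bdrv_io_unplug(sreq->dev->conf.bs)` and `scsi_req_unref(sreq)`, appear to rely on this function still holding its own reference to sreq until that final unref. Where that reference is taken is not visible in this hunk (presumably on the prepare path), so it is worth stating in the same comment once confirmed.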