From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58769)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1XcAnr-0006WI-JT
	for qemu-devel@nongnu.org; Thu, 09 Oct 2014 06:18:44 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1XcAnh-0000as-UF
	for qemu-devel@nongnu.org; Thu, 09 Oct 2014 06:18:35 -0400
Received: from mail-wg0-x233.google.com ([2a00:1450:400c:c00::233]:48790)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1XcAnh-0000Zt-Ni
	for qemu-devel@nongnu.org; Thu, 09 Oct 2014 06:18:25 -0400
Received: by mail-wg0-f51.google.com with SMTP id b13so875085wgh.34
	for <qemu-devel@nongnu.org>; Thu, 09 Oct 2014 03:18:25 -0700 (PDT)
Received: from playground.station (net-37-116-201-55.cust.vodafonedsl.it.
	[37.116.201.55])
	by mx.google.com with ESMTPSA id h4sm3050323wjb.9.2014.10.09.03.18.23
	for <qemu-devel@nongnu.org>
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 09 Oct 2014 03:18:24 -0700 (PDT)
Sender: Paolo Bonzini <paolo.bonzini@gmail.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu,  9 Oct 2014 12:17:32 +0200
Message-Id: <1412849855-12661-18-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1412849438-12274-1-git-send-email-pbonzini@redhat.com>
References: <1412849438-12274-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PULL 25/28] virtio-scsi: fix use-after-free of
	VirtIOSCSIReq
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

scsi_req_continue can complete the request and cause the VirtIOSCSIReq
to be freed.  Fetch req->sreq just once to avoid the bug.

Reported-by: Richard Jones <rjones@redhat.com>
Tested-by: Richard Jones <rjones@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/virtio-scsi.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 203e624..6c02fe2 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
 
 void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
 {
-    if (scsi_req_enqueue(req->sreq)) {
-        scsi_req_continue(req->sreq);
+    SCSIRequest *sreq = req->sreq;
+    if (scsi_req_enqueue(sreq)) {
+        scsi_req_continue(sreq);
     }
-    bdrv_io_unplug(req->sreq->dev->conf.bs);
-    scsi_req_unref(req->sreq);
+    bdrv_io_unplug(sreq->dev->conf.bs);
+    scsi_req_unref(sreq);
 }
 
 static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
-- 
1.8.3.1