From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1Nx1im-00013t-Ih
	for qemu-devel@nongnu.org; Wed, 31 Mar 2010 13:28:52 -0400
Received: from [140.186.70.92] (port=50929 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Nx1il-00011e-5X
	for qemu-devel@nongnu.org; Wed, 31 Mar 2010 13:28:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <lcapitulino@redhat.com>) id 1Nx1ij-0004tB-I0
	for qemu-devel@nongnu.org; Wed, 31 Mar 2010 13:28:51 -0400
Received: from mx1.redhat.com ([209.132.183.28]:24299)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <lcapitulino@redhat.com>) id 1Nx1ij-0004t2-8e
	for qemu-devel@nongnu.org; Wed, 31 Mar 2010 13:28:49 -0400
Received: from int-mx05.intmail.prod.int.phx2.redhat.com
	(int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.18])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o2VHSmEp017054
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Wed, 31 Mar 2010 13:28:48 -0400
Date: Wed, 31 Mar 2010 14:28:41 -0300
From: Luiz Capitulino <lcapitulino@redhat.com>
Message-ID: <20100331142841.6dab1816@redhat.com>
In-Reply-To: <1270050419-16425-1-git-send-email-kwolf@redhat.com>
References: <1270050419-16425-1-git-send-email-kwolf@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: [Qemu-devel] Re: [PATCH] virtio-blk: Fix use after free in error
	case
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Kevin Wolf <kwolf@redhat.com>
Cc: qemu-devel@nongnu.org

On Wed, 31 Mar 2010 17:46:59 +0200
Kevin Wolf <kwolf@redhat.com> wrote:

> virtio_blk_req_complete frees the request, so we can't access it any more when
> calling bdrv_mon_event. Use the pointer that was copied earlier.

 Urgh, of course that I assume that by freeing 'req' we don't free 'req->dev'.

 To make this an oneliner we could just call bdrv_mon_event() before calling
virtio_blk_req_complete() (shouldn't matter for clients), but seems safer to
use 's' instead.

Acked-by: Luiz Capitulino <lcapitulino@redhat.com>

> 
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>  hw/virtio-blk.c |    6 +++---
>  1 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
> index 9915840..01d77b8 100644
> --- a/hw/virtio-blk.c
> +++ b/hw/virtio-blk.c
> @@ -65,7 +65,7 @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
>      VirtIOBlock *s = req->dev;
>  
>      if (action == BLOCK_ERR_IGNORE) {
> -        bdrv_mon_event(req->dev->bs, BDRV_ACTION_IGNORE, is_read);
> +        bdrv_mon_event(s->bs, BDRV_ACTION_IGNORE, is_read);
>          return 0;
>      }
>  
> @@ -73,11 +73,11 @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
>              || action == BLOCK_ERR_STOP_ANY) {
>          req->next = s->rq;
>          s->rq = req;
> -        bdrv_mon_event(req->dev->bs, BDRV_ACTION_STOP, is_read);
> +        bdrv_mon_event(s->bs, BDRV_ACTION_STOP, is_read);
>          vm_stop(0);
>      } else {
>          virtio_blk_req_complete(req, VIRTIO_BLK_S_IOERR);
> -        bdrv_mon_event(req->dev->bs, BDRV_ACTION_REPORT, is_read);
> +        bdrv_mon_event(s->bs, BDRV_ACTION_REPORT, is_read);
>      }
>  
>      return 1;