[Qemu-devel] [PATCH 03/14] scsi: fix refcounting for reads
From: Paolo Bonzini
Subject: [Qemu-devel] [PATCH 03/14] scsi: fix refcounting for reads
Date: Fri, 4 May 2012 10:45:43 +0200
Recently introduced FUA support also gave us a use-after-free
of the BlockAcctCookie within a SCSIDiskReq, due to unbalanced
reference counting.
The patch fixes this by making scsi_do_read look like a combination
of scsi_*_complete + scsi_*_data. It does both a ref (like
scsi_read_data) and an unref (like scsi_flush_complete).
Reported-by: David Gibson <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi-disk.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index a029ab6..eca00a6 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -296,6 +296,13 @@ static void scsi_do_read(void *opaque, int ret)
}
}
+ if (r->req.io_canceled) {
+ return;
+ }
+
+ /* The request is used as the AIO opaque value, so add a ref. */
+ scsi_req_ref(&r->req);
+
if (r->req.sg) {
dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_READ);
r->req.resid -= r->req.sg->size;
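Review bot: the early `if (r->req.io_canceled) return;` is placed before `scsi_req_ref(&r->req)`, which is the right order (no reference is taken for a request whose AIO will never be submitted), but the matching unref that the commit message says scsi_do_read now performs "like scsi_flush_complete" is not inside the visible hunk; please confirm it sits in the unchanged code above the early return, otherwise a cancelled request would drop out of the function with an unbalanced count. It would also help to extend the comment `/* The request is used as the AIO opaque value, so add a ref. */` with where the corresponding unref happens (the read completion path), so the pairing that fixes the BlockAcctCookie use-after-free is obvious to the next reader.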
--
1.7.9.3