diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2012-04-24 08:41:04 +0200 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2012-05-04 10:39:52 +0200 |
commit | 31e8fd86f24b4eec8a1708d712bf0532460bb0a5 (patch) | |
tree | 6a8e344234861da4aea779d6c95ee45e04a6df54 | |
parent | 12a08998fe4f749af3622385521829a5143e6ff1 (diff) | |
download | qemu-31e8fd86f24b4eec8a1708d712bf0532460bb0a5.tar.gz qemu-31e8fd86f24b4eec8a1708d712bf0532460bb0a5.tar.bz2 qemu-31e8fd86f24b4eec8a1708d712bf0532460bb0a5.zip |
scsi: fix refcounting for reads
Recently introduced FUA support also gave us a use-after-free
of the BlockAcctCookie within a SCSIDiskReq, due to unbalanced
reference counting.
The patch fixes this by making scsi_do_read look like a combination
of scsi_*_complete + scsi_*_data. It does both a ref (like
scsi_read_data) and an unref (like scsi_flush_complete).
Reported-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r-- | hw/scsi-disk.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c index a029ab6e84..eca00a6b1d 100644 --- a/hw/scsi-disk.c +++ b/hw/scsi-disk.c @@ -296,6 +296,13 @@ static void scsi_do_read(void *opaque, int ret) } } + if (r->req.io_canceled) { + return; + } + + /* The request is used as the AIO opaque value, so add a ref. */ + scsi_req_ref(&r->req); + if (r->req.sg) { dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_READ); r->req.resid -= r->req.sg->size; |