| Message ID | 1344257343-11298-1-git-send-email-avi@redhat.com |
|---|---|
| State | New |
| Headers | show |
On Mon, Aug 6, 2012 at 1:49 PM, Avi Kivity <avi@redhat.com> wrote: > The scsi passthrough handler falls through after completing a > request into the failure path, resulting in a use after free. > > Reprducible by running a guest with aio=native on a block device. > > Reported-by: Stefan Priebe <s.priebe@profihost.ag> > Signed-off-by: Avi Kivity <avi@redhat.com> > --- > hw/virtio-blk.c | 1 + > 1 file changed, 1 insertion(+) It would be nice to fix up the commit message: s/virtio-mlk/virtio-blk/ Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
On 08/06/2012 04:11 PM, Stefan Hajnoczi wrote: > On Mon, Aug 6, 2012 at 1:49 PM, Avi Kivity <avi@redhat.com> wrote: >> The scsi passthrough handler falls through after completing a >> request into the failure path, resulting in a use after free. >> >> Reprducible by running a guest with aio=native on a block device. >> >> Reported-by: Stefan Priebe <s.priebe@profihost.ag> >> Signed-off-by: Avi Kivity <avi@redhat.com> >> --- >> hw/virtio-blk.c | 1 + >> 1 file changed, 1 insertion(+) > > It would be nice to fix up the commit message: > s/virtio-mlk/virtio-blk/ Sorry, an off-by-two. Presumably Kevin will fix it up. > > Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> > Thanks.
Am 06.08.2012 15:11, schrieb Stefan Hajnoczi: > On Mon, Aug 6, 2012 at 1:49 PM, Avi Kivity <avi@redhat.com> wrote: >> The scsi passthrough handler falls through after completing a >> request into the failure path, resulting in a use after free. >> >> Reprducible by running a guest with aio=native on a block device. While at it, also "Reproducible". /-F >> >> Reported-by: Stefan Priebe <s.priebe@profihost.ag> >> Signed-off-by: Avi Kivity <avi@redhat.com> >> --- >> hw/virtio-blk.c | 1 + >> 1 file changed, 1 insertion(+) > > It would be nice to fix up the commit message: > s/virtio-mlk/virtio-blk/ > > Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c index f21757e..552b3b6 100644 --- a/hw/virtio-blk.c +++ b/hw/virtio-blk.c @@ -254,6 +254,7 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) virtio_blk_req_complete(req, status); g_free(req); + return; #else abort(); #endif
The scsi passthrough handler falls through after completing a request into the failure path, resulting in a use after free. Reprducible by running a guest with aio=native on a block device. Reported-by: Stefan Priebe <s.priebe@profihost.ag> Signed-off-by: Avi Kivity <avi@redhat.com> --- hw/virtio-blk.c | 1 + 1 file changed, 1 insertion(+)