[SCSI] virtio_scsi: fix TMF use-after-free
Fix a use-after-free in the TMF path, where cmd may have been already freed by virtscsi_complete_free when wait_for_completion restarts executing virtscsi_tmf. Technically a race, but in practice the command will always be freed long before the completion waiter is awoken. The fix is to make callers specifying a completion responsible for freeing the command in all cases. Signed-off-by: NHu Tao <hutao@cn.fujitsu.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
Showing
想要评论请 注册 或 登录