scsi: fix refcounting for reads

Recently introduced FUA support also gave us a use-after-free of the BlockAcctCookie within a SCSIDiskReq, due to unbalanced reference counting. The patch fixes this by making scsi_do_read look like a combination of scsi_*_complete + scsi_*_data. It does both a ref (like scsi_read_data) and an unref (like scsi_flush_complete). Reported-by: N David Gibson <david@gibson.dropbear.id.au> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>

scsi: fix refcounting for reads
Recently introduced FUA support also gave us a use-after-free of the BlockAcctCookie within a SCSIDiskReq, due to unbalanced reference counting. The patch fixes this by making scsi_do_read look like a combination of scsi_*_complete + scsi_*_data. It does both a ref (like scsi_read_data) and an unref (like scsi_flush_complete). Reported-by: N David Gibson <david@gibson.dropbear.id.au> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>
31e8fd86 · Paolo Bonzini · 12a08998 · 31e8fd86
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

hw/scsi-disk.c hw/scsi-disk.c +7 -0

未找到文件。
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -296,6 +296,13 @@ static void scsi_do_read(void *opaque, int ret)
        }
    }

+    if (r->req.io_canceled) {
+        return;
+    }
+
+    /* The request is used as the AIO opaque value, so add a ref.  */
+    scsi_req_ref(&r->req);
+
    if (r->req.sg) {
        dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_READ);
        r->req.resid -= r->req.sg->size;