virtio-blk: fix use-after-free while handling scsi commands

The scsi passthrough handler falls through after completing a request into the failure path, resulting in a use after free. Reproducible by running a guest with aio=native on a block device. Reported-by: N Stefan Priebe <s.priebe@profihost.ag> Signed-off-by: N Avi Kivity <avi@redhat.com> Signed-off-by: N Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 730a9c53) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>

virtio-blk: fix use-after-free while handling scsi commands
The scsi passthrough handler falls through after completing a request into the failure path, resulting in a use after free. Reproducible by running a guest with aio=native on a block device. Reported-by: N Stefan Priebe <s.priebe@profihost.ag> Signed-off-by: N Avi Kivity <avi@redhat.com> Signed-off-by: N Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: N Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 730a9c53) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>
3b389727 · Avi Kivity · Michael Roth · 36ed3378 · 3b389727
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

hw/virtio-blk.c hw/virtio-blk.c +1 -0

未找到文件。
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -253,6 +253,7 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)

    virtio_blk_req_complete(req, status);
    g_free(req);
+    return;
 #else
    abort();
 #endif