Patchwork [1/3] vhost-scsi: fix k->set_guest_notifiers() NULL dereference

login
register
mail settings
Submitter Stefan Hajnoczi
Date May 30, 2013, 2:14 p.m.
Message ID <1369923286-22260-2-git-send-email-stefanha@redhat.com>
Download mbox | patch
Permalink /patch/247611/
State New
Headers show

Comments

Stefan Hajnoczi - May 30, 2013, 2:14 p.m.
Coverity picked up a copy-paste bug.  In vhost_scsi_start() we check for
!k->set_guest_notifiers and error out.  The check probably got copied
but instead of erroring we actually use the function pointer!

Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Asias He <asias@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/scsi/vhost-scsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Michael Roth - June 11, 2013, 10:58 p.m.
On Thu, May 30, 2013 at 04:14:44PM +0200, Stefan Hajnoczi wrote:
> Coverity picked up a copy-paste bug.  In vhost_scsi_start() we check for
> !k->set_guest_notifiers and error out.  The check probably got copied
> but instead of erroring we actually use the function pointer!
> 
> Cc: Nicholas Bellinger <nab@linux-iscsi.org>
> Cc: Asias He <asias@redhat.com>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Hi Paolo,

Looking to pick this up for 1.5.1 along with a few other goodies in your
scsi branch:

iscsi: reorganize iscsi_readcapacity_sync
iscsi: simplify freeing of tasks
scsi-disk: scsi-block device for scsi pass-through should not be remo…
scsi-generic: check the return value of bdrv_aio_ioctl in execute_com…
scsi-generic: fix sign extension of READ CAPACITY(10) data
scsi: reset cdrom tray statuses on scsi_disk_reset

Freeze for 1.5.1 is planned for June 19. Willing to pluck from
maintainer branches for the more important ones but would prefer
upstream if you can send a PULL for these.

> ---
>  hw/scsi/vhost-scsi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/scsi/vhost-scsi.c b/hw/scsi/vhost-scsi.c
> index d7a1c33..785e93f 100644
> --- a/hw/scsi/vhost-scsi.c
> +++ b/hw/scsi/vhost-scsi.c
> @@ -123,7 +123,7 @@ static void vhost_scsi_stop(VHostSCSI *s)
>      VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus);
>      int ret = 0;
> 
> -    if (!k->set_guest_notifiers) {
> +    if (k->set_guest_notifiers) {
>          ret = k->set_guest_notifiers(qbus->parent, s->dev.nvqs, false);
>          if (ret < 0) {
>                  error_report("vhost guest notifier cleanup failed: %d\n", ret);
> -- 
> 1.8.1.4
> 
>
Paolo Bonzini - June 12, 2013, 12:47 p.m.
Il 11/06/2013 18:58, mdroth ha scritto:
> iscsi: reorganize iscsi_readcapacity_sync
> iscsi: simplify freeing of tasks
> scsi-disk: scsi-block device for scsi pass-through should not be remo…
> scsi-generic: check the return value of bdrv_aio_ioctl in execute_com…
> scsi-generic: fix sign extension of READ CAPACITY(10) data
> scsi: reset cdrom tray statuses on scsi_disk_reset
> 
> Freeze for 1.5.1 is planned for June 19. Willing to pluck from
> maintainer branches for the more important ones but would prefer
> upstream if you can send a PULL for these.

Yes, I'll be back from holiday on Monday and will send pull requests then.

Paolo

Patch

diff --git a/hw/scsi/vhost-scsi.c b/hw/scsi/vhost-scsi.c
index d7a1c33..785e93f 100644
--- a/hw/scsi/vhost-scsi.c
+++ b/hw/scsi/vhost-scsi.c
@@ -123,7 +123,7 @@  static void vhost_scsi_stop(VHostSCSI *s)
     VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus);
     int ret = 0;
 
-    if (!k->set_guest_notifiers) {
+    if (k->set_guest_notifiers) {
         ret = k->set_guest_notifiers(qbus->parent, s->dev.nvqs, false);
         if (ret < 0) {
                 error_report("vhost guest notifier cleanup failed: %d\n", ret);