Message ID | 1412761044-25859-1-git-send-email-pbonzini@redhat.com |
---|---|
State | New |
On Wed, 10/08 11:37, Paolo Bonzini wrote: > scsi_req_continue can complete the request and cause the VirtIOSCSIReq > to be freed. Fetch req->sreq just once to avoid the bug. > > Reported-by: Richard Jones <rjones@redhat.com> > Tested-by: Richard Jones <rjones@redhat.com> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > --- > hw/scsi/virtio-scsi.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c > index 203e624..6c02fe2 100644 > --- a/hw/scsi/virtio-scsi.c > +++ b/hw/scsi/virtio-scsi.c > @@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req) > > void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req) > { > - if (scsi_req_enqueue(req->sreq)) { > - scsi_req_continue(req->sreq); > + SCSIRequest *sreq = req->sreq; > + if (scsi_req_enqueue(sreq)) { > + scsi_req_continue(sreq); > } > - bdrv_io_unplug(req->sreq->dev->conf.bs); > - scsi_req_unref(req->sreq); > + bdrv_io_unplug(sreq->dev->conf.bs); > + scsi_req_unref(sreq); > } > > static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq) > -- > 1.8.3.1 > Reviewed-by: Fam Zheng <famz@redhat.com>
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c index 203e624..6c02fe2 100644 --- a/hw/scsi/virtio-scsi.c +++ b/hw/scsi/virtio-scsi.c @@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req) void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req) { - if (scsi_req_enqueue(req->sreq)) { - scsi_req_continue(req->sreq); + SCSIRequest *sreq = req->sreq; + if (scsi_req_enqueue(sreq)) { + scsi_req_continue(sreq); } - bdrv_io_unplug(req->sreq->dev->conf.bs); - scsi_req_unref(req->sreq); + bdrv_io_unplug(sreq->dev->conf.bs); + scsi_req_unref(sreq); } static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
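Review bot: The reason for caching req->sreq in a local at the top of virtio_scsi_handle_cmd_req_submit is stated only in the commit message, so the code itself gives no hint that req may already be freed by the time bdrv_io_unplug and scsi_req_unref run. A short comment above `SCSIRequest *sreq = req->sreq;`, saying that scsi_req_continue can complete the request and free the VirtIOSCSIReq and that req must not be dereferenced after that call, would keep a later cleanup from switching back to req->sreq and reintroducing the use-after-free. The comment could also say that sreq stays valid until the final `scsi_req_unref(sreq);` because this function still holds that reference; this is inferred from the unref at the end of the function, since the place where the reference is taken is not visible in this hunk. Minor style point: a blank line between the declaration and the `if` would match the usual declaration/statement separation.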