OpenE2K/qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity

virtio-blk: Fix use after free in error case

Browse Source 
virtio_blk_req_complete frees the request, so we can't access it any more when
calling bdrv_mon_event. Use the pointer that was copied earlier.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
This commit is contained in:
Kevin Wolf 2010-03-31 17:46:59 +02:00 committed by Aurelien Jarno
parent 5369e3c0b8
commit 908bb9497b
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hw/virtio-blk.c
View File

@ -65,7 +65,7 @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
VirtIOBlock *s = req->dev;
if (action == BLOCK_ERR_IGNORE) {
bdrv_mon_event(req->dev->bs, BDRV_ACTION_IGNORE, is_read);
bdrv_mon_event(s->bs, BDRV_ACTION_IGNORE, is_read);
return 0;
}
@ -73,11 +73,11 @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
|| action == BLOCK_ERR_STOP_ANY) {
req->next = s->rq;
s->rq = req;
bdrv_mon_event(req->dev->bs, BDRV_ACTION_STOP, is_read);
bdrv_mon_event(s->bs, BDRV_ACTION_STOP, is_read);
vm_stop(0);
} else {
virtio_blk_req_complete(req, VIRTIO_BLK_S_IOERR);
bdrv_mon_event(req->dev->bs, BDRV_ACTION_REPORT, is_read);
bdrv_mon_event(s->bs, BDRV_ACTION_REPORT, is_read);
}
return 1;