On Sun, 11/22 20:41, Paolo Bonzini wrote: > > diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c > > index e70fccf..848f3fe 100644 > > --- a/hw/block/virtio-blk.c > > +++ b/hw/block/virtio-blk.c > > @@ -112,6 +112,10 @@ static void virtio_blk_rw_complete(void *opaque, int > > ret) > > * happen on the other side of the migration). > > */ > > if (virtio_blk_handle_rw_error(req, -ret, is_read)) { > > + /* Break the link in case the next request is added to the > > + * restart queue and is going to be parsed from the ring > > again. > > + */ > > + req->mr_next = NULL; > > continue; > > } > > } > > > > This is now a write-after-free for rerror/werror=stop. The right place > to set req->mr_next is inside virtio_blk_handle_rw_error, I think. >
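Review bot: the new `req->mr_next = NULL;` in virtio_blk_rw_complete runs after virtio_blk_handle_rw_error() has returned true, and on the path the reply above identifies (rerror/werror=stop) that call can already have completed and freed `req`, so the assignment is a write to freed memory. The only case where clearing the link matters is the one where `req` itself is put on the restart queue to be re-parsed from the ring, and that decision is made inside virtio_blk_handle_rw_error(), so the assignment belongs there, next to the code that queues the request, before the function returns; the comment ("Break the link in case the next request is added to the restart queue ...") should move with it and say that it is this request being requeued. A run with the error action set to stop under ASan/valgrind would flag the current placement.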
Oh yes :( Sending another patch.

Fam