On 8/12/22 16:50, Peter Maydell wrote:
> As I said previously, this is still absolutely wrong. If we ever get to this function with either of these fields being NULL then there has been a serious problem, probably a memory corruption or use-after-free, or possibly an attempt to use a partially constructed object.
Yeah, this would still be a use-after-free. s->version is never written (see for example release_string in hw/core/qdev-properties.c) so it means that the storage for "s" has been reused.

The bug has been fixed in version 5.2 of QEMU with the following commits:

7a8202c521 scsi/scsi_bus: switch search direction in scsi_device_find
7bed89958b device_core: use drain_call_rcu in in qmp_device_add
2d24a64661 device-core: use RCU for list of children of a bus
42a90a899e scsi: switch to bus->check_address
a23151e8cc device-core: use atomic_set on .realized property
8ddf958e8d scsi/scsi-bus: scsi_device_find: don't return unrealized devices
8ff3449560 scsi/scsi_bus: Add scsi_device_get
07a47d4a18 virtio-scsi: use scsi_device_get
8cfe8013ba scsi/scsi_bus: fix races in REPORT LUNS

Feel free to pass this information to Canonical so that they can fix their old version of QEMU.

Paolo