Module Name:    src
Committed By:   maxv
Date:           Sat Apr 13 06:17:33 UTC 2019

Modified Files:
        src/sys/dev/pci: vioscsi.c

Log Message:
Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send
the transaction, and it means 'xs' can be immediately freed. So, save the
value of xs_control beforehand.

Detected by KASAN, ok jdolecek@.

Fixes PR/54008
Reported-by: syzbot+6513c4afe66237d72...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/dev/pci/vioscsi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/vioscsi.c
diff -u src/sys/dev/pci/vioscsi.c:1.20 src/sys/dev/pci/vioscsi.c:1.21
--- src/sys/dev/pci/vioscsi.c:1.20	Sun Jun 10 14:59:23 2018
+++ src/sys/dev/pci/vioscsi.c	Sat Apr 13 06:17:33 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: vioscsi.c,v 1.20 2018/06/10 14:59:23 jakllsch Exp $	*/
+/*	$NetBSD: vioscsi.c,v 1.21 2019/04/13 06:17:33 maxv Exp $	*/
 /*	$OpenBSD: vioscsi.c,v 1.3 2015/03/14 03:38:49 jsg Exp $	*/
 
 /*
@@ -18,7 +18,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vioscsi.c,v 1.20 2018/06/10 14:59:23 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vioscsi.c,v 1.21 2019/04/13 06:17:33 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -270,6 +270,7 @@ vioscsi_scsipi_request(struct scsipi_cha
 	struct virtio_scsi_req_hdr *req;
 	struct virtqueue *vq = &sc->sc_vqs[VIOSCSI_VQ_REQUEST];
 	int slot, error;
+	bool dopoll;
 
 	DPRINTF(("%s: enter\n", __func__));
 
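Review bot: The new `bool dopoll;` is declared here but only assigned and read in the `@@ -418,9 +419,10 @@` hunk, roughly 150 lines further down, so nothing at the declaration says why the flag exists. Consider a short comment at the declaration (or at the assignment) stating that the poll flag is captured from `xs->xs_control` before `virtio_enqueue_commit()` because `xs` may be freed once the request is committed; otherwise a later cleanup could fold the variable back into the original `xs->xs_control & XS_CTL_POLL` test and reintroduce the bug.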
@@ -418,9 +419,10 @@ stuffup:
             sizeof(struct virtio_scsi_res_hdr), 0);
 	if (xs->xs_control & XS_CTL_DATA_IN)
 		virtio_enqueue(vsc, vq, slot, vr->vr_data, 0);
+	dopoll = (xs->xs_control & XS_CTL_POLL) != 0;
 	virtio_enqueue_commit(vsc, vq, slot, 1);
 
-	if ((xs->xs_control & XS_CTL_POLL) == 0)
+	if (!dopoll)
 		return;
 
 	DPRINTF(("%s: polling...\n", __func__));
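Review bot: The ordering is correct and matches the log message: `dopoll` is read from `xs->xs_control` before `virtio_enqueue_commit(vsc, vq, slot, 1)`, and the post-commit test `if (!dopoll) return;` no longer touches `xs`. Two follow-ups worth checking in the same function: first, that the non-polling path really does nothing else with `xs` (or with `vr`, which is attached to it) after the commit, since the hunk shows only the `return`; second, that the polling path below the `DPRINTF` is the only remaining consumer of `xs` after the commit, where the caller still owns it because the request has not completed. A one-line comment above `dopoll = (xs->xs_control & XS_CTL_POLL) != 0;` explaining that the commit hands the request to the device and `xs` may be completed and freed before `virtio_enqueue_commit()` returns would make the invariant obvious to the next reader.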
