From: Paolo Bonzini Date: Tue, 24 Apr 2012 06:41:04 +0000 (+0200) Subject: scsi: fix refcounting for reads X-Git-Tag: v1.1-rc1~15^2~11 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=31e8fd86f24b4eec8a1708d712bf0532460bb0a5;p=qemu.git scsi: fix refcounting for reads Recently introduced FUA support also gave us a use-after-free of the BlockAcctCookie within a SCSIDiskReq, due to unbalanced reference counting. The patch fixes this by making scsi_do_read look like a combination of scsi_*_complete + scsi_*_data. It does both a ref (like scsi_read_data) and an unref (like scsi_flush_complete). Reported-by: David Gibson Signed-off-by: Paolo Bonzini --- diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c index a029ab6e8..eca00a6b1 100644 --- a/hw/scsi-disk.c +++ b/hw/scsi-disk.c @@ -296,6 +296,13 @@ static void scsi_do_read(void *opaque, int ret) } } + if (r->req.io_canceled) { + return; + } + + /* The request is used as the AIO opaque value, so add a ref. */ + scsi_req_ref(&r->req); + if (r->req.sg) { dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_READ); r->req.resid -= r->req.sg->size;
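Review bot: the `scsi_req_ref(&r->req)` added after the `io_canceled` check needs a matching `scsi_req_unref()` on every path that follows it, and that unref is not visible in this excerpt (the hunk header announces 13 added lines, but only the `io_canceled` early return and the ref are shown). The commit message says scsi_do_read now also unrefs "like scsi_flush_complete", so the completion callback that receives this request as the AIO opaque value, and any failure path of the AIO submission, should be checked to confirm the ref/unref pairing; otherwise the use-after-free this patch fixes is traded for a leaked request. The ordering itself looks right: the ref is taken only after `if (r->req.io_canceled) { return; }`, so a cancelled request leaves without holding a reference that nothing would drop. Extending the added comment to name which callback drops the ref (for example "released in the read completion callback") would make the balance auditable at a glance.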