1 From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Mon, 11 Jan 2016 14:10:42 -0500
4 Subject: [PATCH] ide: ahci: reset ncq object to unused on error
6 When processing NCQ commands, AHCI device emulation prepares a
7 NCQ transfer object; To which an aio control block(aiocb) object
8 is assigned in 'execute_ncq_command'. In case, when the NCQ
9 command is invalid, the 'aiocb' object is not assigned, and NCQ
10 transfer object is left as 'used'. This leads to a use after
11 free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
12 Reset NCQ transfer object to 'unused' to avoid it.
14 [Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
16 Reported-by: Qinghao Tang <luodalongde@gmail.com>
17 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
18 Reviewed-by: John Snow <jsnow@redhat.com>
19 Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
20 Signed-off-by: John Snow <jsnow@redhat.com>
23 1 file changed, 1 insertion(+)
24 # ide_state->error = ABRT_ERR;
25 # ide_state->status = READY_STAT | ERR_STAT;
26 # ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
30 # static void ncq_finish(NCQTransferState *ncq_tfs)
35 In 2.1, the code is different. In particular, execute_ncq_command()
36 is part of process_ncq_command(), and there's no ncq_err() function
37 yet. We do the "used = 0" assignment in the exact place where the
38 invalid NCQ command is detected.
40 # DPRINTF(port, "error: tried to process non-NCQ command as NCQ\n");
41 # qemu_sglist_destroy(&ncq_tfs->sglist);
47 In 2.2 the DPRINTF is split in two:
48 diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
49 index dd1912e..17f1cbd 100644
52 @@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
53 "error: tried to process non-NCQ command as NCQ\n");
55 qemu_sglist_destroy(&ncq_tfs->sglist);
projects / pve-qemu-kvm.git / blob