Message ID | 20170510111350.18422-1-ppandit@redhat.com (mailing list archive)
---|---
State | New, archived
On 10/05/2017 13:13, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When processing completed commands, if SCSIRequest object
> 'cmd->req' was null, it could lead to null pointer dereference
> in megasas_complete_command. Add check to avoid it.
>
> Reported-by: Zhangyanyu <zyy4013@stu.ouc.edu.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

What version was this reported for? It should be fixed in v2.8.0 and newer by commit 9e55d58806 ("megasas: clean up and fix request completion/cancellation", 2016-11-28).

Thanks,

Paolo
Hello Paolo,

+-- On Wed, 10 May 2017, Paolo Bonzini wrote --+
| What version was this reported for? It should be fixed in v2.8.0 and
| newer by commit 9e55d58806 ("megasas: clean up and fix request
| completion/cancellation", 2016-11-28).

I checked the reproducer against current upstream git; it does work. IIUC, the above commit appears to have introduced the issue.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 84b8caf..25e3541 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -580,9 +580,11 @@ static void megasas_complete_command(MegasasCmd *cmd) cmd->iov_size = 0; cmd->iov_offset = 0; - cmd->req->hba_private = NULL; - scsi_req_unref(cmd->req); - cmd->req = NULL; + if (cmd->req) { + cmd->req->hba_private = NULL; + scsi_req_unref(cmd->req); + cmd->req = NULL; + } megasas_unmap_frame(cmd->state, cmd); megasas_complete_frame(cmd->state, cmd->context);
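Review bot: The `if (cmd->req)` guard in megasas_complete_command hides the real defect rather than fixing it: neither the commit message nor the hunk explains how a command can reach completion with `cmd->req` already NULL, and the thread itself leaves that open (Paolo points to commit 9e55d58806 as the fix, Prasad reports the reproducer still works on current upstream and suspects that same commit introduced the problem). With the guard in place, `megasas_unmap_frame()` and `megasas_complete_frame()` still run for a command that has no request attached, so a double completion or a completion after cancellation would now pass silently instead of crashing. Suggest first identifying the call path that produces the NULL and fixing it there; if completion without a request is genuinely legitimate, say so in the commit message and keep the guard, otherwise an `assert(cmd->req)` (or at least a trace point) is the better choice so the state bug stays visible.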