Module Name: src
Committed By: martin
Date: Mon Jul 15 08:23:23 UTC 2019
Modified Files:
src/sys/dev/pci [netbsd-8]: vioscsi.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1289):
sys/dev/pci/vioscsi.c: revision 1.21
Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send
the transaction, and it means 'xs' can be immediately freed. So, save the
value of xs_control beforehand.
Detected by KASAN, ok jdolecek@.
Fixes PR/54008
To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.2.1 src/sys/dev/pci/vioscsi.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/pci/vioscsi.c
diff -u src/sys/dev/pci/vioscsi.c:1.19 src/sys/dev/pci/vioscsi.c:1.19.2.1
--- src/sys/dev/pci/vioscsi.c:1.19 Mon May 15 21:30:37 2017
+++ src/sys/dev/pci/vioscsi.c Mon Jul 15 08:23:23 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: vioscsi.c,v 1.19 2017/05/15 21:30:37 jdolecek Exp $ */
+/* $NetBSD: vioscsi.c,v 1.19.2.1 2019/07/15 08:23:23 martin Exp $ */
/* $OpenBSD: vioscsi.c,v 1.3 2015/03/14 03:38:49 jsg Exp $ */
/*
@@ -18,7 +18,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vioscsi.c,v 1.19 2017/05/15 21:30:37 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vioscsi.c,v 1.19.2.1 2019/07/15 08:23:23 martin Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -274,6 +274,7 @@ vioscsi_scsipi_request(struct scsipi_cha
struct virtio_scsi_req_hdr *req;
struct virtqueue *vq = &sc->sc_vqs[VIOSCSI_VQ_REQUEST];
int slot, error;
+ bool dopoll;
DPRINTF(("%s: enter\n", __func__));
@@ -422,9 +423,10 @@ stuffup:
sizeof(struct virtio_scsi_res_hdr), 0);
if (xs->xs_control & XS_CTL_DATA_IN)
virtio_enqueue(vsc, vq, slot, vr->vr_data, 0);
+ dopoll = (xs->xs_control & XS_CTL_POLL) != 0;
virtio_enqueue_commit(vsc, vq, slot, 1);
- if ((xs->xs_control & XS_CTL_POLL) == 0)
+ if (!dopoll)
return;
DPRINTF(("%s: polling...\n", __func__));
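Review bot: The added `dopoll = (xs->xs_control & XS_CTL_POLL) != 0;` carries no comment saying why the flag must be read before `virtio_enqueue_commit()`. A later cleanup could fold the test back into `if ((xs->xs_control & XS_CTL_POLL) == 0)` and reintroduce the use-after-free described in the log message. I would put a comment directly above the assignment, for example `/* xs may be freed once the request is committed when not polling; read xs_control first */`. The function body continues past the end of this hunk, so any later dereference of `xs` on the polling path is not visible here and should be checked against the same lifetime rule.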