On Wed, 10/08 11:37, Paolo Bonzini wrote:
> scsi_req_continue can complete the request and cause the VirtIOSCSIReq
> to be freed. Fetch req->sreq just once to avoid the bug.
>
> Reported-by: Richard Jones <rjo...@redhat.com>
> Tested-by: Richard Jones <rjo...@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
> ---
> hw/scsi/virtio-scsi.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
> index 203e624..6c02fe2 100644
> --- a/hw/scsi/virtio-scsi.c
> +++ b/hw/scsi/virtio-scsi.c
> @@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s,
> VirtIOSCSIReq *req)
>
> void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
> {
> - if (scsi_req_enqueue(req->sreq)) {
> - scsi_req_continue(req->sreq);
> + SCSIRequest *sreq = req->sreq;
> + if (scsi_req_enqueue(sreq)) {
> + scsi_req_continue(sreq);
> }
> - bdrv_io_unplug(req->sreq->dev->conf.bs);
> - scsi_req_unref(req->sreq);
> + bdrv_io_unplug(sreq->dev->conf.bs);
> + scsi_req_unref(sreq);
> }
>
> static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
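Review bot: the fix is correct only because this function holds its own reference on the SCSIRequest until the final scsi_req_unref(sreq), so the cached pointer stays valid across scsi_req_continue() even when the VirtIOSCSIReq is freed inside it; a one-line comment above `SCSIRequest *sreq = req->sreq;` saying that `req` may be freed by scsi_req_continue() and must not be touched afterwards would keep a future edit from reintroducing the use-after-free by dereferencing `req` again after that call.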
> --
> 1.8.3.1
>
Reviewed-by: Fam Zheng <f...@redhat.com>