From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Fam Zheng <famz@redhat.com>, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PULL 16/20] virtio-scsi: Unset hotplug handler when unrealize
Date: Fri, 19 May 2017 13:21:08 +0200
Message-ID: <1495192872-27667-17-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1495192872-27667-1-git-send-email-pbonzini@redhat.com>

From: Fam Zheng <famz@redhat.com>

This matches the qbus_set_hotplug_handler in realize, and it releases
the final reference to the embedded VirtIODevice so that it is
properly finalized.

A use-after-free is fixed with this patch, indirectly:
virtio_device_instance_finalize wasn't called at hot-unplug, and the
vdev->listener would be a dangling pointer in the global and the per
address space listener list. See also RHBZ 1449031.

Cc: qemu-stable@nongnu.org
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <20170518102808.30046-1-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/virtio-scsi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 46a3e3f..f46f06d 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -918,6 +918,9 @@ void virtio_scsi_common_unrealize(DeviceState *dev, Error **errp)
 
 static void virtio_scsi_device_unrealize(DeviceState *dev, Error **errp)
 {
+    VirtIOSCSI *s = VIRTIO_SCSI(dev);
+
+    qbus_set_hotplug_handler(BUS(&s->bus), NULL, &error_abort);
     virtio_scsi_common_unrealize(dev, errp);
 }
 
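Review bot: The new qbus_set_hotplug_handler(BUS(&s->bus), NULL, &error_abort) call in virtio_scsi_device_unrealize has no comment, yet per the commit message it is what releases the final reference to the embedded VirtIODevice and so lets virtio_device_instance_finalize run at hot-unplug. A one-line comment saying that it pairs with the qbus_set_hotplug_handler in realize and drops that reference would keep a later cleanup from removing it and bringing back the dangling vdev->listener. Passing &error_abort instead of the function's errp means a failure here aborts the process rather than being reported to the caller; that looks intended for clearing a handler, but it is worth stating so in the comment.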
-- 
1.8.3.1
