Source-Changes-HG archive


[src/netbsd-8]: src/sys/dev/pci Pull up following revision(s) (requested by m...



details:   https://anonhg.NetBSD.org/src/rev/b4c9932e7a4f
branches:  netbsd-8
changeset: 852430:b4c9932e7a4f
user:      martin <martin%NetBSD.org@localhost>
date:      Mon Jul 15 08:23:23 2019 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #1289):

        sys/dev/pci/vioscsi.c: revision 1.21

Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send
the transaction, and it means 'xs' can be immediately freed. So, save the
value of xs_control beforehand.

Detected by KASAN, ok jdolecek@.
Fixes PR/54008

diffstat:

 sys/dev/pci/vioscsi.c |  8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diffs (38 lines):

diff -r 5261f2035f02 -r b4c9932e7a4f sys/dev/pci/vioscsi.c
--- a/sys/dev/pci/vioscsi.c     Mon Jul 15 08:20:57 2019 +0000
+++ b/sys/dev/pci/vioscsi.c     Mon Jul 15 08:23:23 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vioscsi.c,v 1.19 2017/05/15 21:30:37 jdolecek Exp $    */
+/*     $NetBSD: vioscsi.c,v 1.19.2.1 2019/07/15 08:23:23 martin Exp $  */
 /*     $OpenBSD: vioscsi.c,v 1.3 2015/03/14 03:38:49 jsg Exp $ */
 
 /*
@@ -18,7 +18,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vioscsi.c,v 1.19 2017/05/15 21:30:37 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vioscsi.c,v 1.19.2.1 2019/07/15 08:23:23 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -274,6 +274,7 @@
        struct virtio_scsi_req_hdr *req;
        struct virtqueue *vq = &sc->sc_vqs[VIOSCSI_VQ_REQUEST];
        int slot, error;
+       bool dopoll;
 
        DPRINTF(("%s: enter\n", __func__));
 
@@ -422,9 +423,10 @@
             sizeof(struct virtio_scsi_res_hdr), 0);
        if (xs->xs_control & XS_CTL_DATA_IN)
                virtio_enqueue(vsc, vq, slot, vr->vr_data, 0);
+       dopoll = (xs->xs_control & XS_CTL_POLL) != 0;
        virtio_enqueue_commit(vsc, vq, slot, 1);
 
-       if ((xs->xs_control & XS_CTL_POLL) == 0)
+       if (!dopoll)
                return;
 
        DPRINTF(("%s: polling...\n", __func__));
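Review bot: The reordering is correct, but the line `dopoll = (xs->xs_control & XS_CTL_POLL) != 0;` deserves a comment stating why the flag is cached: once `virtio_enqueue_commit()` submits the request in the non-polling case, the completion path may free `xs`, so `xs->xs_control` must not be read after the commit. Without that comment a future change could reintroduce the use-after-free by moving the read back below `virtio_enqueue_commit()`. In the visible lines, the only statement after the commit on the non-polling path is `if (!dopoll) return;`, which no longer touches `xs`, and the polling path continues to use `xs` only after the `return`, which is consistent with the described fix.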


