From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: Wei Che Kao
Subject: [PATCH] lsi53c895a: fix use-after-free of cancelled request
Date: Fri, 15 May 2026 11:25:27 +0200
Message-ID: <20260515092528.3860322-1-pbonzini@redhat.com>

When processing the Message Out phase, the lsi53c895a controller can cancel a request and then continue by processing more messages. When this happens, it is important that a cancelled request is not processed further, because scsi_req_cancel can cause the request to be freed.

Right now this is happening in two cases, but not when cancelling the entire queue of requests after an ABORT, CLEAR QUEUE or BUS DEVICE RESET message. In that case, a subsequent ABORT TAG message can use a dangling current_req.
There are three possible fixes:

- add a missing check inside the loop, clearing current_req if p->req == current_req. This is obvious but complicates the code inside the foreach loop.

- change the conditional prior to the loop from "if (s->current)" to "if (current_req)". This would work, because s->current != NULL implies current_req != NULL, and would clear current_req correctly. However it is less obvious because the point of the code is to clear the entire queue, which consists of s->current and s->queue; current_req is not special here.

- delay the retrieval of current_req until an ABORT TAG message is seen. This is the most correct option, because the SCSI protocol only deals with tags; requests are a QEMU concept that only makes sense for the purpose of calling into the SCSI layer.

Reported-by: Wei Che Kao
Signed-off-by: Paolo Bonzini
---
 hw/scsi/lsi53c895a.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 54123f77579..0843d325ab1 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1000,10 +1000,8 @@ static void lsi_do_msgout(LSIState *s) =20 if (s->current) { current_tag =3D s->current->tag; - current_req =3D s->current; } else { current_tag =3D s->select_tag; - current_req =3D lsi_find_by_tag(s, current_tag); } =20 trace_lsi_do_msgout(s->dbc);
@@ -1058,9 +1056,13 @@ static void lsi_do_msgout(LSIState *s) case 0x0d: /* The ABORT TAG message clears the current I/O process only. = */ trace_lsi_do_msgout_abort(current_tag); + if (s->current) { + current_req =3D s->current; + } else { + current_req =3D lsi_find_by_tag(s, current_tag); + } if (current_req && current_req->req) { scsi_req_cancel(current_req->req); - current_req =3D NULL; } lsi_disconnect(s); break;
@@ -1086,7 +1088,6 @@ static void lsi_do_msgout(LSIState *s) /* clear the current I/O process */ if (s->current) { scsi_req_cancel(s->current->req); - current_req =3D NULL; } =20 /* As the current implemented devices scsi_disk and scsi_gener= ic --=20 2.54.0
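Review bot: with both assignments removed from the block before the message loop (first hunk, "@@ -1000,10 +1000,8 @@"), current_req is now written and read only inside the `case 0x0d:` arm, so its declaration (outside this hunk) can move into that case. That makes the narrowed lifetime explicit in the code rather than only in the commit message, and lets the compiler reject any future read of current_req from another arm of the switch, which is exactly the class of stale-pointer bug this patch fixes.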
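Review bot: in the `case 0x0d:` arm (second hunk, "@@ -1058,9 +1056,13 @@"), dropping `current_req =3D NULL;` after `scsi_req_cancel(current_req->req);` is only safe because nothing reads current_req between the cancel and `break;`; a one-line comment saying that scsi_req_cancel may free the request would stop the next edit to this arm from reintroducing a read. The moved lookup also relies on an invariant worth confirming in review: when ABORT TAG follows a queue-wide cancel, the cancelled entry must already be gone from s->queue and s->current must already be cleared by the time the next message byte is handled, otherwise `lsi_find_by_tag(s, current_tag)` (or `s->current`) could still hand back a freed LSIRequest. If the cancel path is synchronous for the attached devices, say so next to the lookup.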
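Review bot: the "clear the current I/O process" block (third hunk, "@@ -1086,7 +1088,6 @@") still calls `scsi_req_cancel(s->current->req);` with no check on `s->current->req`, while the `case 0x0d:` arm guards the same call with `if (current_req && current_req->req)`. The asymmetry predates this patch, but since both sites are touched here, either aligning the guard or adding a comment stating why s->current->req can never be NULL at this point would make the invariant visible.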
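The dangling current_req described in the commit message, as an added example that is not QEMU's code and not part of this patch: a small C model of the Message Out loop with the pre-patch "resolve once, before the loop" logic next to the patched "resolve by tag at the point of use" logic. Ctrl, Request, cancel(), find_by_tag(), cancel_all(), msgout_cached(), msgout_by_tag(), run_scenario() and the ABORT_THEN_ABORT_TAG byte sequence are all constructed for the example; 0x0d is the ABORT TAG code the hunk handles, 0x06 is the SCSI ABORT message code used here only as a label. The real request is freed by scsi_req_cancel(); the model replaces that with a `freed` flag so the stale access can be counted instead of crashing.

```c
/* Added example, not QEMU code: a minimal model of the lifetime bug this patch
 * fixes. cancel() stands in for scsi_req_cancel(), which may free the request,
 * and the Message Out loop keeps running afterwards. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define POOL_SIZE 4
enum { MSG_ABORT = 0x06, MSG_ABORT_TAG = 0x0d };   /* SCSI message codes */

typedef struct {
    int  tag;
    bool live;   /* queued and cancellable */
    bool freed;  /* released; with a real free() this slot would be poison */
} Request;

typedef struct {
    Request pool[POOL_SIZE];  /* stands in for s->queue */
    int     select_tag;       /* stands in for s->select_tag */
    int     uaf_count;        /* accesses to an already-freed request */
} Ctrl;

/* Constructed message sequence: queue-wide ABORT, then ABORT TAG. */
static const uint8_t ABORT_THEN_ABORT_TAG[] = { MSG_ABORT, MSG_ABORT_TAG };

/* Models scsi_req_cancel(): completes and releases the request. */
static void cancel(Ctrl *c, Request *r)
{
    if (r->freed) {
        c->uaf_count++;   /* the dereference the patch removes */
        return;
    }
    r->live = false;
    r->freed = true;
}

/* Models lsi_find_by_tag(): a cancelled request is no longer findable. */
static Request *find_by_tag(Ctrl *c, int tag)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (c->pool[i].live && c->pool[i].tag == tag) {
            return &c->pool[i];
        }
    }
    return NULL;
}

/* Queue-wide cancel, as after ABORT, CLEAR QUEUE or BUS DEVICE RESET. */
static void cancel_all(Ctrl *c)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (c->pool[i].live) {
            cancel(c, &c->pool[i]);
        }
    }
}

/* Before the patch: current_req is resolved once, before the loop, and the
 * queue-wide cancel frees it without clearing the cached pointer. */
static int msgout_cached(Ctrl *c, const uint8_t *msg, size_t n)
{
    Request *current_req = find_by_tag(c, c->select_tag);
    for (size_t i = 0; i < n; i++) {
        if (msg[i] == MSG_ABORT) {
            cancel_all(c);
        } else if (msg[i] == MSG_ABORT_TAG && current_req) {
            cancel(c, current_req);   /* dangling after a preceding ABORT */
            current_req = NULL;
        }
    }
    return c->uaf_count;
}

/* After the patch: the tag is the protocol-level identity, so the request is
 * resolved only at the point of use; a freed one is simply not found. */
static int msgout_by_tag(Ctrl *c, const uint8_t *msg, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (msg[i] == MSG_ABORT) {
            cancel_all(c);
        } else if (msg[i] == MSG_ABORT_TAG) {
            Request *current_req = find_by_tag(c, c->select_tag);
            if (current_req) {
                cancel(c, current_req);
            }
        }
    }
    return c->uaf_count;
}

/* Fresh controller with tags 1..3 queued and tag 2 selected; returns how many
 * freed-request accesses the chosen implementation makes. */
static int run_scenario(bool fixed, const uint8_t *msg, size_t n)
{
    Ctrl c = { .select_tag = 2 };
    for (int i = 0; i < 3; i++) {
        c.pool[i] = (Request){ .tag = i + 1, .live = true };
    }
    return fixed ? msgout_by_tag(&c, msg, n) : msgout_cached(&c, msg, n);
}
```

run_scenario(false, ABORT_THEN_ABORT_TAG, 2) returns 1, the stale access through the pointer cached before the loop; run_scenario(true, ABORT_THEN_ABORT_TAG, 2) returns 0 because the second lookup finds nothing. Replacing the `freed` flag with a real free() in cancel() turns the cached variant into a genuine use-after-free that AddressSanitizer reports; the flag keeps the example deterministic.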