]> git.ipfire.org Git - thirdparty/qemu.git/commitdiff
projects / thirdparty / qemu.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a8df524)
scsi: ncr710: Fix use after free in command_complete
authorSoumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Sun, 21 Dec 2025 14:23:09 +0000 (19:53 +0530)
committerHelge Deller <deller@gmx.de>
Tue, 23 Dec 2025 15:40:41 +0000 (16:40 +0100)
Add proper hba_private pointer cleanup in ncr710_command_complete.
This prevents use after free errors from occuring.

This was causing memory corruption in NetBSD device initialization
when commands complete and the request structures were freed while
still being referenced.

Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
hw/scsi/ncr53c710.c patch | blob | blame | history

diff --git a/hw/scsi/ncr53c710.c b/hw/scsi/ncr53c710.c
index bab2ea72104a0ed4776a5b0e3d32f81400caad1b..ac1ca4cef8e96d6602ffc15502b4aa1a1a9cffcd 100644 (file)
--- a/hw/scsi/ncr53c710.c
+++ b/hw/scsi/ncr53c710.c
@@ -798,7 +798,13 @@ void ncr710_command_complete(SCSIRequest *req, size_t resid)
 
     ncr710_set_phase(s, PHASE_ST);
 
-    if (req->hba_private == s->current) {
+    if (p) {
+        req->hba_private = NULL;
+        if (p == s->current) {
+            p->req = NULL;
+        } else {
+            ncr710_request_free(s, p);
+        }
         scsi_req_unref(req);
     }
 
Mirror of https://git.qemu.org/git/qemu.git