qemu/hw
Prasad J Pandit 4ab0359a8a ide: ahci: reset ncq object to unused on error
When processing NCQ commands, AHCI device emulation prepares a
NCQ transfer object, to which an aio control block (aiocb) object
is assigned in 'execute_ncq_command'. In case the NCQ
command is invalid, the 'aiocb' object is not assigned, and the NCQ
transfer object is left as 'used'. This leads to a use-after-free
kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
Reset the NCQ transfer object to 'unused' to avoid it.

[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
2016-01-11 14:10:42 -05:00
9pfs virtio-9p: use accessor to get thread_pool 2015-12-23 10:56:58 +01:00
acpi trivial patches for 2016-01-11 2016-01-11 12:56:58 +00:00
alpha alpha: convert "naked" qemu_log to tracepoint 2015-12-17 17:33:47 +01:00
arm hw/arm/virt: Support legacy -nic command line syntax 2016-01-11 16:04:50 +00:00
audio Remove macros IO_READ_PROTO and IO_WRITE_PROTO 2015-10-19 09:03:53 +02:00
block block: Rename BLOCK_OP_TYPE_MIRROR to BLOCK_OP_TYPE_MIRROR_SOURCE 2016-01-07 21:30:17 +01:00
bt bt: avoid unintended sign extension 2015-12-04 09:39:55 +03:00
char cris: avoid "naked" qemu_log 2015-12-17 17:33:47 +01:00
core hw/core/qdev: Remove superfluous return statement 2016-01-11 11:39:28 +03:00
cpu icc_bus: drop the unused files 2015-10-02 16:22:02 -03:00
cris cris: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:43 +02:00
display ui/curses: Fix color attribute of monitor for curses 2016-01-08 12:20:07 +01:00
dma hw/dma/xilinx_axidma: remove dead code 2016-01-11 15:52:18 +00:00
gpio i.MX: add support for lower and upper interrupt in GPIO. 2015-12-17 13:37:13 +00:00
i2c i.MX: Standardize i.MX I2C debug 2015-10-27 15:59:46 +00:00
i386 i386/pc: expose identifying the floppy controller 2016-01-09 23:20:20 +02:00
ide ide: ahci: reset ncq object to unused on error 2016-01-11 14:10:42 -05:00
input qapi: Change munging of CamelCase enum values 2015-12-17 08:21:28 +01:00
intc kvm: x86: add support for KVM_CAP_SPLIT_IRQCHIP 2015-12-17 17:33:47 +01:00
ipack pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
ipmi ipmi: Add a force off function 2015-12-22 18:39:19 +02:00
isa hw/isa/lpc_ich9: inject the SMI on the VCPU that is writing to APM_CNT 2015-10-22 14:39:09 +03:00
lm32 ui/opengl: Reduce build required libraries for opengl 2015-11-03 10:13:42 +01:00
m68k m68k: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:43 +02:00
mem nvdimm: implement NVDIMM device abstract 2015-12-22 18:39:20 +02:00
microblaze petalogix-ml605: Set the MicroBlaze CPU version to 8.10.a 2016-01-07 14:57:26 +01:00
mips gt64120: convert to realize() 2016-01-11 11:39:28 +03:00
misc i.MX: move i.MX31 CCM object to register array 2016-01-11 15:52:18 +00:00
moxie moxie: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:43 +02:00
net ether/slirp: Avoid redefinition of the same constants 2016-01-11 11:01:35 +08:00
nvram fw_cfg: replace ioport data read with generic method 2015-12-15 11:46:13 +01:00
openrisc * First batch of MAINTAINERS updates 2015-09-25 21:52:30 +01:00
pci fix bad indentation in pcie_cap_slot_write_config() 2015-11-06 15:42:38 +03:00
pci-bridge hw/pxb: introduce pxb-pcie expander for PCIe machines 2015-12-22 17:45:13 +02:00
pci-host trivial patches for 2016-01-11 2016-01-11 12:56:58 +00:00
pcmcia hw: do not pass NULL to memory_region_init from instance_init 2015-10-09 15:25:56 +02:00
ppc hw/ppc/spapr: fix spapr->kvm_type leak 2016-01-11 15:29:05 +11:00
s390x hw/s390x: Remove superfluous return statements 2016-01-11 11:39:28 +03:00
scsi scsi: always call notifier on async cancellation 2015-12-17 17:33:49 +01:00
sd sdhci: add optional quirk property to disable card insertion/removal interrupts 2015-12-22 16:34:26 +08:00
sh4 SH PCI Host: convert to realize() 2016-01-11 11:39:28 +03:00
smbios smbios: add smbios 3.0 support 2015-09-07 10:39:28 +01:00
sparc sparc: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:44 +02:00
sparc64 sun4u: split NPT and INT_DIS accesses between timer and compare registers 2016-01-07 12:21:02 +00:00
ssi arm: Use g_new() & friends where that makes obvious sense 2015-09-07 10:39:27 +01:00
timer pc: acpi: move HPET from DSDT to SSDT 2016-01-09 23:20:18 +02:00
tpm tpm: avoid clang shifting negative signed warning 2015-11-17 18:35:56 +08:00
tricore tricore: Remove ELF_MACHINE from cpu.h 2015-09-25 12:04:44 +02:00
unicore32 Use DEFINE_MACHINE() to register all machines 2015-09-19 16:40:15 +02:00
usb ohci: clear pending SOF on suspend 2016-01-08 09:29:24 +01:00
vfio vfio: Use g_new() & friends where that makes obvious sense 2015-11-10 12:11:08 -07:00
virtio virtio: fix error message for number of queues 2016-01-09 23:20:20 +02:00
watchdog i6300esb: remove muldiv64() 2015-09-25 14:52:17 +02:00
xen xen/Makefile.objs: simplify 2016-01-11 11:39:28 +03:00
xenpv xen: fix usage of xc_domain_create in domain builder 2015-11-13 17:38:06 +00:00
xtensa target-xtensa: xtfpga: attach FLASH to system IO 2015-10-21 21:28:33 +03:00
Makefile.objs Add a base IPMI interface 2015-12-22 18:39:19 +02:00