+++ /dev/null
-From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001
-From: Minjae Kim <flowergom@gmail.com>
-Date: Tue, 27 Apr 2021 02:09:49 +0000
-Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error
- (CVE-2021-3392)
-
-From: Prasad J Pandit <pjp@fedoraproject.org>
-
-While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
-the Megaraid emulator appends new MPTSASRequest object 'req' to
-the 's->pending' queue. In case of an error, this same object gets
-dequeued in mptsas_free_request() only if SCSIRequest object
-'req->sreq' is initialised. This may lead to a use-after-free issue.
-Unconditionally dequeue 'req' object from 's->pending' to avoid it.
-
-Fixes: CVE-2021-3392
-Buglink: https://bugs.launchpad.net/qemu/+bug/1914236
-Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-
-Upstream-Status: Acepted
-[https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html]
-CVE: CVE-2021-3392
-Signed-off-by: Minjae Kim <flowergom@gmail.com>
----
- hw/scsi/mptsas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index f86616544..adff5b0bf 100644
---- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req)
- req->sreq->hba_private = NULL;
- scsi_req_unref(req->sreq);
- req->sreq = NULL;
-- QTAILQ_REMOVE(&s->pending, req, next);
- }
-+ QTAILQ_REMOVE(&s->pending, req, next);
- qemu_sglist_destroy(&req->qsg);
- g_free(req);
- }
---
-2.17.1
-
