[net-XXX] vhost-vdpa: fix use after free in vhost_vdpa_probe()

Message ID cf53cb61-0699-4e36-a980-94fd4268ff00@moroto.mountain (mailing list archive)
State New, archived

Commit Message

Dan Carpenter Oct. 27, 2023, 12:12 p.m. UTC
The put_device() calls vhost_vdpa_release_dev() which calls
ida_simple_remove() and frees "v".  So this call to
ida_simple_remove() is a use after free and a double free.

Fixes: ebe6a354fa7e ("vhost-vdpa: Call ida_simple_remove() when failed")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/vhost/vdpa.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Dan Carpenter Oct. 27, 2023, 12:17 p.m. UTC | #1
Ugh...  Crap.

I modified this patch to apply cleanly on net but I still didn't change
the subject to net.  But now that I'm looking at it, it actually goes
through one of the virt trees.

It should still apply to whatever virt tree as well.  It's just shifted
70 lines.

regards,
dan carpenter
Jason Wang Nov. 1, 2023, 4:36 a.m. UTC | #2
On Fri, Oct 27, 2023 at 8:13 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> The put_device() calls vhost_vdpa_release_dev() which calls
> ida_simple_remove() and frees "v".  So this call to
> ida_simple_remove() is a use after free and a double free.
>
> Fixes: ebe6a354fa7e ("vhost-vdpa: Call ida_simple_remove() when failed")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Acked-by: Jason Wang <jasowang@redhat.com>

Thanks

> ---
>  drivers/vhost/vdpa.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index 9a2343c45df0..1aa67729e188 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -1511,7 +1511,6 @@ static int vhost_vdpa_probe(struct vdpa_device *vdpa)
>
>  err:
>         put_device(&v->dev);
> -       ida_simple_remove(&vhost_vdpa_ida, v->minor);
>         return r;
>  }
>
> --
> 2.42.0
>
Michael S. Tsirkin Nov. 1, 2023, 5:33 a.m. UTC | #3
On Fri, Oct 27, 2023 at 03:12:54PM +0300, Dan Carpenter wrote:
> The put_device() calls vhost_vdpa_release_dev() which calls
> ida_simple_remove() and frees "v".  So this call to
> ida_simple_remove() is a use after free and a double free.
> 
> Fixes: ebe6a354fa7e ("vhost-vdpa: Call ida_simple_remove() when failed")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

queued, thanks!

> ---
>  drivers/vhost/vdpa.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index 9a2343c45df0..1aa67729e188 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -1511,7 +1511,6 @@ static int vhost_vdpa_probe(struct vdpa_device *vdpa)
>  
>  err:
>  	put_device(&v->dev);
> -	ida_simple_remove(&vhost_vdpa_ida, v->minor);
>  	return r;
>  }
>  
> -- 
> 2.42.0

Patch

diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index 9a2343c45df0..1aa67729e188 100644
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -1511,7 +1511,6 @@  static int vhost_vdpa_probe(struct vdpa_device *vdpa)
 
 err:
 	put_device(&v->dev);
-	ida_simple_remove(&vhost_vdpa_ida, v->minor);
 	return r;
 }
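
Review bot: at the err: label, nothing left in the code says that put_device(&v->dev) is the only cleanup this path needs, so a one-line comment above it would be worth adding. Per the commit message, the release callback vhost_vdpa_release_dev() already returns v->minor to vhost_vdpa_ida and frees "v"; stating that at the label would keep a later cleanup patch from re-adding the ida_simple_remove() call, which is what the commit named in the Fixes: tag did. The hunk does not show the goto sites, so it is also worth confirming that every path reaching err: has a valid v->minor by then, since the release callback will now be the only place that removes it.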