Message ID | 1574923128-19956-1-git-send-email-linmiaohe@huawei.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | 0bda9498dd45280e334bfe88b815ebf519602cc3 |
Headers | show |
Series | KVM: vgic: Fix potential double free dist->spis in __kvm_vgic_destroy() | expand |
Hi, On 11/28/19 7:38 AM, linmiaohe wrote: > From: Miaohe Lin <linmiaohe@huawei.com> > > In kvm_vgic_dist_init() called from kvm_vgic_map_resources(), if > dist->vgic_model is invalid, dist->spis will be freed without set > dist->spis = NULL. And in vgicv2 resources clean up path, > __kvm_vgic_destroy() will be called to free allocated resources. > And dist->spis will be freed again in clean up chain because we > forget to set dist->spis = NULL in kvm_vgic_dist_init() failed > path. So double free would happen. > > Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Thanks Eric > --- > virt/kvm/arm/vgic/vgic-init.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c > index 53e3969dfb52..c17c29beeb72 100644 > --- a/virt/kvm/arm/vgic/vgic-init.c > +++ b/virt/kvm/arm/vgic/vgic-init.c > @@ -171,6 +171,7 @@ static int kvm_vgic_dist_init(struct kvm *kvm, unsigned int nr_spis) > break; > default: > kfree(dist->spis); > + dist->spis = NULL; > return -EINVAL; > } > } >
On 2019-11-28 06:38, linmiaohe wrote: > From: Miaohe Lin <linmiaohe@huawei.com> > > In kvm_vgic_dist_init() called from kvm_vgic_map_resources(), if > dist->vgic_model is invalid, dist->spis will be freed without set > dist->spis = NULL. And in vgicv2 resources clean up path, > __kvm_vgic_destroy() will be called to free allocated resources. > And dist->spis will be freed again in clean up chain because we > forget to set dist->spis = NULL in kvm_vgic_dist_init() failed > path. So double free would happen. > > Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> > --- > virt/kvm/arm/vgic/vgic-init.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/virt/kvm/arm/vgic/vgic-init.c > b/virt/kvm/arm/vgic/vgic-init.c > index 53e3969dfb52..c17c29beeb72 100644 > --- a/virt/kvm/arm/vgic/vgic-init.c > +++ b/virt/kvm/arm/vgic/vgic-init.c > @@ -171,6 +171,7 @@ static int kvm_vgic_dist_init(struct kvm *kvm, > unsigned int nr_spis) > break; > default: > kfree(dist->spis); > + dist->spis = NULL; > return -EINVAL; > } > } Applied, thanks. M.
diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c index 53e3969dfb52..c17c29beeb72 100644 --- a/virt/kvm/arm/vgic/vgic-init.c +++ b/virt/kvm/arm/vgic/vgic-init.c @@ -171,6 +171,7 @@ static int kvm_vgic_dist_init(struct kvm *kvm, unsigned int nr_spis) break; default: kfree(dist->spis); + dist->spis = NULL; return -EINVAL; } }