From patchwork Fri Oct 27 12:12:54 2023
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 13438572
Date: Fri, 27 Oct 2023 15:12:54 +0300
From: Dan Carpenter
To: Bo Liu
Cc: "Michael S. Tsirkin", Jason Wang, kvm@vger.kernel.org,
 virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
 kernel-janitors@vger.kernel.org
Subject: [PATCH net-XXX] vhost-vdpa: fix use after free in vhost_vdpa_probe()
X-Mailing-List: kvm@vger.kernel.org

The put_device() calls vhost_vdpa_release_dev() which calls
ida_simple_remove() and frees "v".  So this call to ida_simple_remove()
is a use after free and a double free.

Fixes: ebe6a354fa7e ("vhost-vdpa: Call ida_simple_remove() when failed")
Signed-off-by: Dan Carpenter
Acked-by: Jason Wang
---
 drivers/vhost/vdpa.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c index 9a2343c45df0..1aa67729e188 100644 --- a/drivers/vhost/vdpa.c +++ b/drivers/vhost/vdpa.c @@ -1511,7 +1511,6 @@ static int vhost_vdpa_probe(struct vdpa_device *vdpa) err: put_device(&v->dev); - ida_simple_remove(&vhost_vdpa_ida, v->minor); return r; }
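
Review bot: At `err:`, `put_device(&v->dev)` is now the only cleanup, and nothing at that spot says that it also returns the minor and frees "v" through the release callback. A one-line comment above it to that effect would keep a later change from adding cleanup after the put again, which is the shape the removed `ida_simple_remove(&vhost_vdpa_ida, v->minor);` had. The remaining `return r;` uses only the local `r`, so nothing touches "v" after the put. The context shown does not include the `goto err` sites, so it is worth confirming in the full function that each one is reached only after the minor has been allocated and the device initialised, since the release path is now the sole owner of both.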
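
The ownership rule from the commit message, as an added userspace model (not code from the patch or the kernel): once the last reference is dropped, the release callback has already returned the ID and freed the object, so a further remove reads a stale field and removes the ID a second time. All names (`obj`, `probe_fail`, the counters) are hypothetical, and the `freed` flag stands in for kfree() so the stale read is counted rather than executed.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed userspace model; all names are hypothetical, not kernel code. */
#define MAX_IDS 8
static bool id_used[MAX_IDS];
static int bad_removes;   /* removals of an ID that was not allocated */
static int stale_reads;   /* field reads after the release callback ran */

static int id_alloc(void) {
    for (int i = 0; i < MAX_IDS; i++)
        if (!id_used[i]) { id_used[i] = true; return i; }
    return -1;
}
static void id_remove(int id) {
    if (!id_used[id]) bad_removes++;
    id_used[id] = false;
}
struct obj {
    int refs, minor;
    bool freed;           /* stands in for kfree(); storage stays valid here */
    void (*release)(struct obj *);
};
static void obj_release(struct obj *o) {  /* role of the release callback */
    id_remove(o->minor);
    o->freed = true;
}
static void obj_put(struct obj *o) {      /* role of put_device() */
    if (--o->refs == 0) o->release(o);
}
static int obj_minor(struct obj *o) {     /* instrumented read of o->minor */
    if (o->freed) stale_reads++;
    return o->minor;
}
/* Error path of a probe that fails after the object is initialised. */
static int probe_fail(bool extra_remove) {
    static struct obj pool[2];
    struct obj *o = &pool[extra_remove];
    *o = (struct obj){ .refs = 1, .minor = id_alloc(), .release = obj_release };
    obj_put(o);                   /* last ref: release drops the ID and the object */
    if (extra_remove)
        id_remove(obj_minor(o));  /* pre-fix shape: stale read, second remove */
    return -1;
}

int main(void) {
    probe_fail(true);
    printf("extra remove: stale=%d bad=%d\n", stale_reads, bad_removes);
    return 0;
}
```

In a system with concurrent probes, the ID could be handed out again between the release and the second remove, so the second remove would take it away from its new owner.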