From mboxrd@z Thu Jan  1 00:00:00 1970
From: Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>
Subject: Re: [patch] KVM: use after free in kvm_ioctl_create_device()
Date: Thu, 1 Dec 2016 16:14:33 +0100
Message-ID: <20161201151432.GH1682@potion>
References: <20161130192105.GC28180@mwanda>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Paolo Bonzini <pbonzini@redhat.com>,
        Christoffer Dall <christoffer.dall@linaro.org>,
        kvm@vger.kernel.org, kernel-janitors@vger.kernel.org
To: Dan Carpenter <dan.carpenter@oracle.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:59698 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S933237AbcLAPOl (ORCPT <rfc822;kvm@vger.kernel.org>);
        Thu, 1 Dec 2016 10:14:41 -0500
Content-Disposition: inline
In-Reply-To: <20161130192105.GC28180@mwanda>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

2016-11-30 22:21+0300, Dan Carpenter:
> We should move the ops->destroy(dev) after the list_del(&dev->vm_node)
> so that we don't use "dev" after freeing it.
> 
> Fixes: a28ebea2adc4 ("KVM: Protect device ops->create and list_add with kvm->lock")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied to kvm/master, thanks.