* [patch] PCI: hv: potential use after free
From: Dan Carpenter @ 2016-02-27 10:43 UTC
To: K. Y. Srinivasan, Jake Oshins
Cc: Haiyang Zhang, Bjorn Helgaas, devel, linux-pci, linux-kernel,
kernel-janitors
If we throw away the very last item on the list, then we could end up
with a use after free of "dr".
Fixes: 15ca17645f19 ('PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c
index 9391dee..9b66ffe 100644
--- a/drivers/pci/host/pci-hyperv.c
+++ b/drivers/pci/host/pci-hyperv.c
@@ -1397,6 +1397,7 @@ static void pci_devices_present_work(struct work_struct *work)
/* Throw this away if the list still has stuff in it. */
if (!list_empty(&hbus->dr_list)) {
kfree(dr);
+ dr = NULL;
continue;
}
}
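Review bot: the added `dr = NULL;` sits in a branch that runs only when `!list_empty(&hbus->dr_list)` is true, so this `kfree(dr)` is not reached for the last item on the list, which is the case the commit message describes. The message should name the line that reads `dr` after this `continue`; if nothing reads it without reassigning it first, the assignment is dead and can be dropped. If there is such a reader, a NULL check there belongs in the same patch, since the visible hunk adds none.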
* RE: [patch] PCI: hv: potential use after free
From: Jake Oshins @ 2016-02-29 17:21 UTC
To: Dan Carpenter, KY Srinivasan
Cc: Haiyang Zhang, Bjorn Helgaas, devel@linuxdriverproject.org,
linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> Sent: Saturday, February 27, 2016 2:44 AM
> To: KY Srinivasan <kys@microsoft.com>; Jake Oshins
> <jakeo@microsoft.com>
> Cc: Haiyang Zhang <haiyangz@microsoft.com>; Bjorn Helgaas
> <bhelgaas@google.com>; devel@linuxdriverproject.org; linux-
> pci@vger.kernel.org; linux-kernel@vger.kernel.org; kernel-
> janitors@vger.kernel.org
> Subject: [patch] PCI: hv: potential use after free
>
> If we throw away the very last item on the list, then we could end up
> with a use after free of "dr".
>
> Fixes: 15ca17645f19 ('PCI: hv: Add paravirtual PCI front-end for Microsoft
> Hyper-V VMs')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c
> index 9391dee..9b66ffe 100644
> --- a/drivers/pci/host/pci-hyperv.c
> +++ b/drivers/pci/host/pci-hyperv.c
> @@ -1397,6 +1397,7 @@ static void pci_devices_present_work(struct
> work_struct *work)
> /* Throw this away if the list still has stuff in it. */
> if (!list_empty(&hbus->dr_list)) {
> kfree(dr);
> + dr = NULL;
> continue;
> }
> }
Thanks for looking at this. I do truly appreciate it. But the code here removes dr from the list and then, before freeing it, checks to see that it was not the last entry in the list. The list lock is still held and the list is not empty even after removing dr from it.
(I suspect that you're going to tell me that I'm missing something here. Please do. I'll appreciate it even more.)
Thanks,
Jake
* Re: [patch] PCI: hv: potential use after free
From: Dan Carpenter @ 2016-02-29 19:38 UTC
To: Jake Oshins
Cc: KY Srinivasan, Haiyang Zhang, Bjorn Helgaas,
devel@linuxdriverproject.org, linux-pci@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
You're right. My bad.
regards,
dan carpenter