From: Dan Carpenter <dan.carpenter@oracle.com>
To: jakeo@microsoft.com
Cc: devel@linuxdriverproject.org, linux-pci@vger.kernel.org
Subject: [bug report] PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs
Date: Tue, 7 Feb 2017 10:12:19 +0300
Message-ID: <20170207071219.GA15335@mwanda>

[ No idea why I have never sent this email before.  I was just going
  through all the use after free warnings again today and noticed it. ]

Hello Jake Oshins,

The patch 4daace0d8ce8: "PCI: hv: Add paravirtual PCI front-end for
Microsoft Hyper-V VMs" from Feb 16, 2016, leads to the following
static checker warning:

        drivers/pci/host/pci-hyperv.c:1441 pci_devices_present_work()
        error: dereferencing freed memory 'dr'

drivers/pci/host/pci-hyperv.c
  1410          /* Pull this off the queue and process it if it was the last one. */
  1411          spin_lock_irqsave(&hbus->device_list_lock, flags);
  1412          while (!list_empty(&hbus->dr_list)) {
  1413                  dr = list_first_entry(&hbus->dr_list, struct hv_dr_state,
  1414                                        list_entry);
  1415                  list_del(&dr->list_entry);
  1416
  1417                  /* Throw this away if the list still has stuff in it. */
  1418                  if (!list_empty(&hbus->dr_list)) {
  1419                          kfree(dr);
                                ^^^^^^^^^
We free "dr".  Presumably we should set dr = NULL here?

  1420                          continue;
  1421                  }
  1422          }
  1423          spin_unlock_irqrestore(&hbus->device_list_lock, flags);
  1424
  1425          if (!dr) {
  1426                  up(&hbus->enum_sem);
  1427                  put_hvpcibus(hbus);
  1428                  return;
  1429          }
  1430
  1431          /* First, mark all existing children as reported missing. */
  1432          spin_lock_irqsave(&hbus->device_list_lock, flags);
  1433          list_for_each(iter, &hbus->children) {
  1434                  hpdev = container_of(iter, struct hv_pci_dev,
  1435                                       list_entry);
  1436                  hpdev->reported_missing = true;
  1437          }
  1438          spin_unlock_irqrestore(&hbus->device_list_lock, flags);
  1439
  1440          /* Next, add back any reported devices. */
  1441          for (child_no = 0; child_no < dr->device_count; child_no++) {
                                              ^^^^^^^^^^^^^^^^
Use after free.

  1442                  found = false;
  1443                  new_desc = &dr->func[child_no];
  1444
  1445                  spin_lock_irqsave(&hbus->device_list_lock, flags);

regards,
dan carpenter
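
A userspace model of the drain loop quoted in the report, with the dr = NULL reset it suggests applied, so the pointer that leaves the loop is either NULL or the one entry that was not freed. This is an added example, not kernel code and not part of the thread: struct dr_state, dr_take_last() and drain_demo() are hypothetical names, a singly linked list stands in for hbus->dr_list, and locking is omitted.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical userspace stand-in for struct hv_dr_state on hbus->dr_list. */
struct dr_state {
	struct dr_state *next;
	unsigned int device_count;
};

/* Drain *head, freeing all but the newest entry; returns it or NULL. */
static struct dr_state *dr_take_last(struct dr_state **head,
				     unsigned int *discarded)
{
	struct dr_state *dr = NULL;

	while (*head) {
		dr = *head;
		*head = dr->next;
		if (*head) {		/* a newer report is still queued */
			free(dr);
			dr = NULL;	/* the reset suggested in the report */
			(*discarded)++;
		}
	}
	return dr;
}

/* Queue n constructed reports (device_count 1..n), drain them, and return
 * survivor's device_count * 100 + entries discarded (0 if queue was empty). */
static unsigned int drain_demo(unsigned int n)
{
	struct dr_state *head = NULL, **tail = &head, *dr;
	unsigned int i, discarded = 0, result = 0;

	for (i = 1; i <= n; i++) {
		*tail = calloc(1, sizeof(**tail));
		if (!*tail)
			break;
		(*tail)->device_count = i;
		tail = &(*tail)->next;
	}
	dr = dr_take_last(&head, &discarded);
	if (dr)
		result = dr->device_count * 100 + discarded;
	free(dr);
	return result;
}

int main(void) { return drain_demo(3) == 302 ? 0 : 1; }
```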