From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751594AbdEPGXb (ORCPT ); Tue, 16 May 2017 02:23:31 -0400
Received: from mx2.suse.de ([195.135.220.15]:42901 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751418AbdEPGX2 (ORCPT ); Tue, 16 May 2017 02:23:28 -0400
From: Juergen Gross
To: linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org
Cc: konrad.wilk@oracle.com, roger.pau@citrix.com, netwiz@crc.id.au, Juergen Gross , stable@vger.kernel.org
Subject: [PATCH 2/3] xen/blkback: don't free be structure too early
Date: Tue, 16 May 2017 08:23:19 +0200
Message-Id: <20170516062320.22008-3-jgross@suse.com>
X-Mailer: git-send-email 2.12.0
In-Reply-To: <20170516062320.22008-1-jgross@suse.com>
References: <20170516062320.22008-1-jgross@suse.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

The be structure must not be freed when freeing the blkif structure isn't done. Otherwise a use-after-free of be when unmapping the ring used for communicating with the frontend will occur in case of a late call of xenblk_disconnect() (e.g. due to an I/O still active when trying to disconnect).

Cc: stable@vger.kernel.org
Reported-by: Glenn Enright
Signed-off-by: Juergen Gross
---
 drivers/block/xen-blkback/xenbus.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
index e68df9de8858..4d2f57fa35da 100644
--- a/drivers/block/xen-blkback/xenbus.c
+++ b/drivers/block/xen-blkback/xenbus.c
@@ -315,9 +315,10 @@ static int xen_blkif_disconnect(struct xen_blkif *blkif) static void xen_blkif_free(struct xen_blkif *blkif) { - - xen_blkif_disconnect(blkif); + WARN_ON(xen_blkif_disconnect(blkif)); xen_vbd_free(&blkif->vbd); + kfree(blkif->be->mode); + kfree(blkif->be); /* Make sure everything is drained before shutting down */ kmem_cache_free(xen_blkif_cachep, blkif); @@ -514,8 +515,6 @@ static int xen_blkbk_remove(struct xenbus_device *dev) xen_blkif_put(be->blkif); } - kfree(be->mode); - kfree(be); return 0; } -- 2.12.0
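Review bot: in the xen_blkif_free() hunk, WARN_ON(xen_blkif_disconnect(blkif)) only reports a failed disconnect; the function then continues into kfree(blkif->be->mode), kfree(blkif->be) and kmem_cache_free() regardless of the return value. A one-line comment stating the invariant that makes this safe (for example that xen_blkif_free() is only reached once the last reference has been dropped, as the xen_blkif_put() in the remove path suggests, so the ring can no longer be in use) would stop a later reader from treating the warning as a recoverable error path, and would also explain why the "Make sure everything is drained before shutting down" comment now sits after the two new kfree() calls rather than next to the disconnect.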
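Review bot: in the xen_blkbk_remove() hunk, the removed kfree(be->mode) and kfree(be) followed the closing brace of the block that calls xen_blkif_put(be->blkif), so they ran on every path through the function; after this change be is only freed from xen_blkif_free(), which is reached through that put. If that block is a conditional guard on be->blkif, as the brace suggests, any remove path where be->blkif was never set now leaks be and be->mode. Suggest freeing them on that path, e.g. "} else { kfree(be->mode); kfree(be); }", or noting in the commit message why be->blkif is always non-NULL when remove runs.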