* [PATCH net-XXX] vhost-vdpa: fix use after free in vhost_vdpa_probe()
From: Dan Carpenter @ 2023-10-27 12:12 UTC (permalink / raw)
To: Bo Liu
Cc: Michael S. Tsirkin, Jason Wang, kvm, virtualization, netdev,
kernel-janitors
The put_device() calls vhost_vdpa_release_dev() which calls
ida_simple_remove() and frees "v". So this call to
ida_simple_remove() is a use after free and a double free.
Fixes: ebe6a354fa7e ("vhost-vdpa: Call ida_simple_remove() when failed")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/vhost/vdpa.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index 9a2343c45df0..1aa67729e188 100644
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -1511,7 +1511,6 @@ static int vhost_vdpa_probe(struct vdpa_device *vdpa)
err:
put_device(&v->dev);
- ida_simple_remove(&vhost_vdpa_ida, v->minor);
return r;
}
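Review bot: The err: label is left with a bare put_device(&v->dev) and nothing in the code says that this one call performs all remaining cleanup. Per the commit message, put_device() ends in vhost_vdpa_release_dev(), which calls ida_simple_remove() and frees "v", and the Fixes: commit shows that this was already misread once as a missing cleanup step. A one-line comment above put_device() stating that it releases v->minor and frees v, so v must not be touched afterwards, would help keep the removed line from being re-added.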
--
2.42.0
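A userspace model of the ownership rule in the commit message above, added here as an example (it is not kernel code and not part of the patch): the release callback run by the last put drops the ID and frees the object, so a second removal in the error path is invalid. All names (`id_alloc`, `dev_put`, `probe_fail`, `bad_removes_for`) are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy ID pool standing in for the kernel IDA (constructed model). */
#define MAX_IDS 8
static unsigned char id_used[MAX_IDS];
static int bad_removes;        /* removals of an ID that was not allocated */

static int id_alloc(void) {
    for (int i = 0; i < MAX_IDS; i++)
        if (!id_used[i]) { id_used[i] = 1; return i; }
    return -1;
}
static void id_remove(int id) {
    if (id < 0 || id >= MAX_IDS || !id_used[id]) { bad_removes++; return; }
    id_used[id] = 0;
}

/* Refcounted object: the release callback owns all of the cleanup. */
struct dev { int refs; int minor; void (*release)(struct dev *); };

static void dev_release(struct dev *d) { id_remove(d->minor); free(d); }
static void dev_put(struct dev *d) { if (--d->refs == 0) d->release(d); }

/* A probe that always fails after setup, to exercise the error path. */
static int probe_fail(int old_error_path) {
    struct dev *d = malloc(sizeof(*d));
    if (!d) return -1;
    d->refs = 1; d->release = dev_release;
    d->minor = id_alloc();
    if (d->minor < 0) { free(d); return -1; }
    int minor = d->minor;  /* copied so this model never reads freed memory */
    dev_put(d);            /* last reference: release drops the ID, frees d */
    if (old_error_path)
        id_remove(minor);  /* second removal; the kernel code read v->minor */
    return -1;
}

/* Invalid ID removals observed for one failed probe. */
int bad_removes_for(int old_error_path) {
    bad_removes = 0;
    probe_fail(old_error_path);
    return bad_removes;
}

int main(void) {
    printf("old error path: %d bad removal(s)\n", bad_removes_for(1));
    printf("new error path: %d bad removal(s)\n", bad_removes_for(0));
    return 0;
}
```

The model copies `minor` before the put only so that it stays well-defined; the removed kernel line had no such copy and read the field from the freed object.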
* Re: [PATCH net-XXX] vhost-vdpa: fix use after free in vhost_vdpa_probe()
From: Dan Carpenter @ 2023-10-27 12:17 UTC (permalink / raw)
To: Bo Liu
Cc: Michael S. Tsirkin, Jason Wang, kvm, virtualization, netdev,
kernel-janitors
Ugh... Crap.
I modified this patch to apply cleanly on net but I still didn't change
the subject to net. But now that I'm looking at it, it actually goes
through one of the virt trees.
It should still apply to whatever virt tree as well. It's just shifted
70 lines.
regards,
dan carpenter
* Re: [PATCH net-XXX] vhost-vdpa: fix use after free in vhost_vdpa_probe()
From: Jason Wang @ 2023-11-01 4:36 UTC (permalink / raw)
To: Dan Carpenter
Cc: Bo Liu, Michael S. Tsirkin, kvm, virtualization, netdev,
kernel-janitors
On Fri, Oct 27, 2023 at 8:13 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> The put_device() calls vhost_vdpa_release_dev() which calls
> ida_simple_remove() and frees "v". So this call to
> ida_simple_remove() is a use after free and a double free.
>
> Fixes: ebe6a354fa7e ("vhost-vdpa: Call ida_simple_remove() when failed")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Jason Wang <jasowang@redhat.com>
Thanks
> ---
> drivers/vhost/vdpa.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index 9a2343c45df0..1aa67729e188 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -1511,7 +1511,6 @@ static int vhost_vdpa_probe(struct vdpa_device *vdpa)
>
> err:
> put_device(&v->dev);
> - ida_simple_remove(&vhost_vdpa_ida, v->minor);
> return r;
> }
>
> --
> 2.42.0
>
* Re: [PATCH net-XXX] vhost-vdpa: fix use after free in vhost_vdpa_probe()
From: Michael S. Tsirkin @ 2023-11-01 5:33 UTC (permalink / raw)
To: Dan Carpenter
Cc: Bo Liu, Jason Wang, kvm, virtualization, netdev, kernel-janitors
On Fri, Oct 27, 2023 at 03:12:54PM +0300, Dan Carpenter wrote:
> The put_device() calls vhost_vdpa_release_dev() which calls
> ida_simple_remove() and frees "v". So this call to
> ida_simple_remove() is a use after free and a double free.
>
> Fixes: ebe6a354fa7e ("vhost-vdpa: Call ida_simple_remove() when failed")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
queued, thanks!
> ---
> drivers/vhost/vdpa.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index 9a2343c45df0..1aa67729e188 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -1511,7 +1511,6 @@ static int vhost_vdpa_probe(struct vdpa_device *vdpa)
>
> err:
> put_device(&v->dev);
> - ida_simple_remove(&vhost_vdpa_ida, v->minor);
> return r;
> }
>
> --
> 2.42.0