From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Dan Carpenter, Juergen Gross
Subject: [PATCH 5.4 155/161] xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
Date: Sun, 28 May 2023 20:11:19 +0100
Message-Id: <20230528190841.771658851@linuxfoundation.org>
In-Reply-To: <20230528190837.051205996@linuxfoundation.org>
References: <20230528190837.051205996@linuxfoundation.org>

From: Dan Carpenter

commit 8fafac202d18230bb9926bda48e563fd2cce2a4f upstream.

In the pvcalls_new_active_socket() function, most error paths call
pvcalls_back_release_active(fedata->dev, fedata, map) which calls
sock_release() on "sock". The bug is that the caller also frees sock.

Fix this by making every error path in pvcalls_new_active_socket()
release the sock, and don't free it in the caller.

Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command")
Signed-off-by: Dan Carpenter
Reviewed-by: Juergen Gross
Link: https://lore.kernel.org/r/e5f98dc2-0305-491f-a860-71bbd1398a2f@kili.mountain
Signed-off-by: Juergen Gross
Signed-off-by: Greg Kroah-Hartman
--- drivers/xen/pvcalls-back.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) --- a/drivers/xen/pvcalls-back.c +++ b/drivers/xen/pvcalls-back.c @@ -321,8 +321,10 @@ static struct sock_mapping *pvcalls_new_ void *page; map = kzalloc(sizeof(*map), GFP_KERNEL); - if (map == NULL) + if (map == NULL) { + sock_release(sock); return NULL; + } map->fedata = fedata; map->sock = sock; @@ -414,10 +416,8 @@ static int pvcalls_back_connect(struct x req->u.connect.ref, req->u.connect.evtchn, sock); - if (!map) { + if (!map) ret = -EFAULT; - sock_release(sock); - } out: rsp = RING_GET_RESPONSE(&fedata->ring, fedata->ring.rsp_prod_pvt++); 
@@ -558,7 +558,6 @@ static void __pvcalls_back_accept(struct sock); if (!map) { ret = -EFAULT; - sock_release(sock); goto out_error; }
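
Review bot: the ownership rule this patch introduces is not documented anywhere in the first hunk (pvcalls_new_active_socket(), the kzalloc() failure branch). With the added sock_release(sock) before "return NULL", the function consumes sock on failure as well as on success, but nothing at the definition tells a future caller that. A short comment above the function stating that sock is released on every error return would keep a later change from putting a release back into a caller and reintroducing the double free.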
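
Review bot: in the second hunk (pvcalls_back_connect()), after "if (!map) ret = -EFAULT;" the local sock still holds a pointer that the callee has already released, and execution continues into the out: label. The lines shown after out: do not touch sock, but the rest of the function is outside the visible context, so it is worth confirming that nothing later dereferences it. Setting sock = NULL in the failure branch would turn any such use into an immediate NULL dereference instead of a use after free.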
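
Review bot: in the third hunk (__pvcalls_back_accept()), the failure branch now reaches "goto out_error" without releasing sock, so correctness depends on the out_error path, which is not part of the visible context. If that path or anything after it releases or uses sock, the double free or a use after free remains on the accept side. Please check the out_error code in the 5.4 tree specifically, since this is a backport and the surrounding code may differ from upstream.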