Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

From: Andrea Parri
Date: Tue Nov 24 2020 - 14:54:39 EST

Next message: Paul E. McKenney: "Re: [PATCH 2/2] rcu: eliminate the __kvfree_rcu() macro"
Previous message: Pavel Machek: "Re: [PATCH 4.19 00/91] 4.19.160-rc1 review"
In reply to: Wei Liu: "Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 24, 2020 at 04:26:33PM +0000, Wei Liu wrote:
> On Wed, Nov 18, 2020 at 03:36:47PM +0100, Andrea Parri (Microsoft) wrote:
> > When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could
> > invoke put_device(), that will eventually release the device and free
> > the channel object (cf. vmbus_device_release()). However, a pointer
> > to the object is dereferenced again later to load the primary_channel.
> > The use-after-free can be avoided by noticing that this load/check is
> > redundant if device_obk is non-NULL: primary_channel must be NULL if
>
> device_obk -> device_obj

Fixed.

>
> > device_obj is non-NULL, cf. vmbus_add_channel_work().
> >
>
> Missing a Fixes tag?

Yes, I've added the tag.

Thanks,
Andrea

Next message: Paul E. McKenney: "Re: [PATCH 2/2] rcu: eliminate the __kvfree_rcu() macro"
Previous message: Pavel Machek: "Re: [PATCH 4.19 00/91] 4.19.160-rc1 review"
In reply to: Wei Liu: "Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]