| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 30 Nov 2016 22:21:05 +0300 |
| Subject: KVM: use after free in kvm_ioctl_create_device() |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| commit a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 upstream. |
| |
| We should move the ops->destroy(dev) after the list_del(&dev->vm_node) |
| so that we don't use "dev" after freeing it. |
| |
| Fixes: a28ebea2adc4 ("KVM: Protect device ops->create and list_add with kvm->lock") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Reviewed-by: David Hildenbrand <david@redhat.com> |
| Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| virt/kvm/kvm_main.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/virt/kvm/kvm_main.c |
| +++ b/virt/kvm/kvm_main.c |
| @@ -2342,10 +2342,10 @@ static int kvm_ioctl_create_device(struc |
| |
| ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); |
| if (ret < 0) { |
| - ops->destroy(dev); |
| mutex_lock(&kvm->lock); |
| list_del(&dev->vm_node); |
| mutex_unlock(&kvm->lock); |
| + ops->destroy(dev); |
| return ret; |
| } |
| |
