| From e3de121fe87e267f11168668fb8d86d3bad9d137 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 13 Apr 2021 13:50:04 +0300 |
| Subject: Drivers: hv: vmbus: Use after free in __vmbus_open() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| [ Upstream commit 3e9bf43f7f7a46f21ec071cb47be92d0874c48da ] |
| |
| The "open_info" variable is added to the &vmbus_connection.chn_msg_list, |
| but the error handling frees "open_info" without removing it from the |
| list. This will result in a use after free. First remove it from the |
| list, and then free it. |
| |
| Fixes: 6f3d791f3006 ("Drivers: hv: vmbus: Fix rescind handling issues") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Reviewed-by: Andrea Parri <parri.andrea@gmail.com> |
| Link: https://lore.kernel.org/r/YHV3XLCot6xBS44r@mwanda |
| Signed-off-by: Wei Liu <wei.liu@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/hv/channel.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c |
| index 6fb0c76bfbf8..a59ab2f3d68e 100644 |
| --- a/drivers/hv/channel.c |
| +++ b/drivers/hv/channel.c |
| @@ -653,7 +653,7 @@ static int __vmbus_open(struct vmbus_channel *newchannel, |
| |
| if (newchannel->rescind) { |
| err = -ENODEV; |
| - goto error_free_info; |
| + goto error_clean_msglist; |
| } |
| |
| err = vmbus_post_msg(open_msg, |
| -- |
| 2.30.2 |
| |
