diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2016-11-30 14:21:05 -0500 |
|---|---|---|
| committer | Radim Krčmář <rkrcmar@redhat.com> | 2016-12-01 10:10:50 -0500 |
| commit | a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 (patch) | |
| tree | 50974c8b8a1564bd35353043f3202510f7cec4de /virt/kvm | |
| parent | 0f4828a1da3342be81e812b28fbcf29261146d25 (diff) | |
KVM: use after free in kvm_ioctl_create_device()
We should move the ops->destroy(dev) after the list_del(&dev->vm_node)
so that we don't use "dev" after freeing it.
Fixes: a28ebea2adc4 ("KVM: Protect device ops->create and list_add with kvm->lock")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Diffstat (limited to 'virt/kvm')
| -rw-r--r-- | virt/kvm/kvm_main.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 5c360347a1e9..7f9ee2929cfe 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c | |||
| @@ -2889,10 +2889,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm, | |||
| 2889 | 2889 | ||
| 2890 | ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); | 2890 | ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); |
| 2891 | if (ret < 0) { | 2891 | if (ret < 0) { |
| 2892 | ops->destroy(dev); | ||
| 2893 | mutex_lock(&kvm->lock); | 2892 | mutex_lock(&kvm->lock); |
| 2894 | list_del(&dev->vm_node); | 2893 | list_del(&dev->vm_node); |
| 2895 | mutex_unlock(&kvm->lock); | 2894 | mutex_unlock(&kvm->lock); |
| 2895 | ops->destroy(dev); | ||
| 2896 | return ret; | 2896 | return ret; |
| 2897 | } | 2897 | } |
| 2898 | 2898 | ||