[bug report] KVM: Don't null dereference ops->destroy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Alexey Kardashevskiy,

The patch e8bc24270188: "KVM: Don't null dereference ops->destroy"
from Jun 1, 2022, leads to the following Smatch static checker
warning:

	arch/x86/kvm/../../../virt/kvm/kvm_main.c:4462 kvm_ioctl_create_device()
	warn: 'dev' was already freed.

arch/x86/kvm/../../../virt/kvm/kvm_main.c
    4449         if (ops->init)
    4450                 ops->init(dev);
    4451 
    4452         kvm_get_kvm(kvm);
    4453         ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
    4454         if (ret < 0) {
    4455                 kvm_put_kvm_no_destroy(kvm);
    4456                 mutex_lock(&kvm->lock);
    4457                 list_del(&dev->vm_node);
    4458                 if (ops->release)
    4459                         ops->release(dev);
                                              ^^^
The kvm_vfio_release() frees "dev".


    4460                 mutex_unlock(&kvm->lock);
    4461                 if (ops->destroy)
--> 4462                         ops->destroy(dev);
                                              ^^^
Use after free.

    4463                 return ret;
    4464         }
    4465 
    4466         cd->fd = ret;
    4467         return 0;
    4468 }

regards,
dan carpenter



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux