On Wed, Nov 18, 2020 at 03:36:47PM +0100, Andrea Parri (Microsoft) wrote: > When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could > invoke put_device(), that will eventually release the device and free > the channel object (cf. vmbus_device_release()). However, a pointer > to the object is dereferenced again later to load the primary_channel. > The use-after-free can be avoided by noticing that this load/check is > redundant if device_obk is non-NULL: primary_channel must be NULL if device_obk -> device_obj > device_obj is non-NULL, cf. vmbus_add_channel_work(). > Missing a Fixes tag? > Reported-by: Juan Vazquez <juvazq@xxxxxxxxxxxxx> > Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@xxxxxxxxx> > --- > drivers/hv/channel_mgmt.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c > index 5bc5eef5da159..4072fd1f22146 100644 > --- a/drivers/hv/channel_mgmt.c > +++ b/drivers/hv/channel_mgmt.c > @@ -1116,8 +1116,7 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) > vmbus_device_unregister(channel->device_obj); > put_device(dev); > } > - } > - if (channel->primary_channel != NULL) { > + } else if (channel->primary_channel != NULL) { > /* > * Sub-channel is being rescinded. Following is the channel > * close sequence when initiated from the driveri (refer to > -- > 2.25.1 >
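Review bot: the `} else if (channel->primary_channel != NULL) {` line that closes the hunk is only safe under the invariant the commit message cites (primary_channel is NULL whenever device_obj is non-NULL, per vmbus_add_channel_work), and nothing in the code records that; please add a short comment above the `else if` stating that the `put_device(dev)` call in the device_obj branch may have freed `channel`, so the `else` is required for memory safety and not merely an optimisation, otherwise a later refactor that drops the `else` silently reintroduces the use-after-free. The visible context begins inside the device_obj branch, so please confirm the new `else` binds to the `if (channel->device_obj)` test rather than to an inner block. The request for a Fixes tag is right, since this is a use-after-free fix that stable will want; the unchanged context comment spelling "driveri" and the commit-message "device_obk" are typos worth correcting in the resend.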