Patch "vdpa: fix use-after-free on vp_vdpa_remove" has been added to the 5.16-stable tree

This is a note to let you know that I've just added the patch titled

    vdpa: fix use-after-free on vp_vdpa_remove

to the 5.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     vdpa-fix-use-after-free-on-vp_vdpa_remove.patch
and it can be found in the queue-5.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2a1efc6fe0290a9fda99a0c236043dd37e1ac192
Author: Zhang Min <zhang.min9@xxxxxxxxxx>
Date:   Tue Mar 1 17:10:59 2022 +0800

    vdpa: fix use-after-free on vp_vdpa_remove
    
    [ Upstream commit eb057b44dbe35ae14527830236a92f51de8f9184 ]
    
    When vp_vdpa driver is unbound, vp_vdpa is freed in vdpa_unregister_device
    and then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove,
    triggering use-after-free.
    
    Call Trace of unbinding driver freeing vp_vdpa:
    do_syscall_64
      vfs_write
        kernfs_fop_write_iter
          device_release_driver_internal
            pci_device_remove
              vp_vdpa_remove
                vdpa_unregister_device
                  kobject_release
                    device_release
                      kfree
    
    Call Trace of dereference vp_vdpa->mdev.pci_dev:
    vp_modern_remove
      pci_release_selected_regions
        pci_release_region
          pci_resource_len
            pci_resource_end
              (dev)->resource[(bar)].end
    
    Signed-off-by: Zhang Min <zhang.min9@xxxxxxxxxx>
    Signed-off-by: Yi Wang <wang.yi59@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220301091059.46869-1-wang.yi59@xxxxxxxxxx
    Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
    Fixes: 64b9f64f80a6 ("vdpa: introduce virtio pci driver")
    Reviewed-by: Stefano Garzarella <sgarzare@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/vdpa/virtio_pci/vp_vdpa.c b/drivers/vdpa/virtio_pci/vp_vdpa.c
index e3ff7875e123..fab161961160 100644
--- a/drivers/vdpa/virtio_pci/vp_vdpa.c
+++ b/drivers/vdpa/virtio_pci/vp_vdpa.c
@@ -525,8 +525,8 @@ static void vp_vdpa_remove(struct pci_dev *pdev)
 {
 	struct vp_vdpa *vp_vdpa = pci_get_drvdata(pdev);
 
-	vdpa_unregister_device(&vp_vdpa->vdpa);
 	vp_modern_remove(&vp_vdpa->mdev);
+	vdpa_unregister_device(&vp_vdpa->vdpa);
 }
 
 static struct pci_driver vp_vdpa_driver = {
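
Review bot: The ordering constraint in vp_vdpa_remove() is not documented in the code. The two calls look independent, but per the commit message vdpa_unregister_device() can drop the last reference and kfree the structure that contains mdev, so a later cleanup could swap them back and reintroduce the use-after-free. A short comment above vdpa_unregister_device(&vp_vdpa->vdpa) saying that vp_vdpa must not be touched after that call would make this explicit. It is also worth confirming that, with the new order, nothing reachable through the still-registered vdpa device uses the regions of vp_vdpa->mdev in the window after vp_modern_remove() has released them and before vdpa_unregister_device() runs.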


