This is a note to let you know that I've just added the patch titled xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() to the 4.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch and it can be found in the queue-4.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 8fafac202d18230bb9926bda48e563fd2cce2a4f Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Date: Wed, 3 May 2023 18:11:35 +0300 Subject: xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> commit 8fafac202d18230bb9926bda48e563fd2cce2a4f upstream. In the pvcalls_new_active_socket() function, most error paths call pvcalls_back_release_active(fedata->dev, fedata, map) which calls sock_release() on "sock". The bug is that the caller also frees sock. Fix this by making every error path in pvcalls_new_active_socket() release the sock, and don't free it in the caller. Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Reviewed-by: Juergen Gross <jgross@xxxxxxxx> Link: https://lore.kernel.org/r/e5f98dc2-0305-491f-a860-71bbd1398a2f@kili.mountain Signed-off-by: Juergen Gross <jgross@xxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/xen/pvcalls-back.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) --- a/drivers/xen/pvcalls-back.c +++ b/drivers/xen/pvcalls-back.c @@ -330,8 +330,10 @@ static struct sock_mapping *pvcalls_new_ void *page; map = kzalloc(sizeof(*map), GFP_KERNEL); - if (map == NULL) + if (map == NULL) { + sock_release(sock); return NULL; + } map->fedata = fedata; map->sock = sock; 
@@ -423,10 +425,8 @@ static int pvcalls_back_connect(struct x req->u.connect.ref, req->u.connect.evtchn, sock); - if (!map) { + if (!map) ret = -EFAULT; - sock_release(sock); - } out: rsp = RING_GET_RESPONSE(&fedata->ring, fedata->ring.rsp_prod_pvt++); @@ -567,7 +567,6 @@ static void __pvcalls_back_accept(struct sock); if (!map) { ret = -EFAULT; - sock_release(sock); goto out_error; } Patches currently in stable-queue which might be from dan.carpenter@xxxxxxxxxx are queue-4.19/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch queue-4.19/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch
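Review bot: In the first hunk (@@ -330), the new `sock_release(sock)` on the `kzalloc()` failure path silently changes the ownership contract of `pvcalls_new_active_socket()`: on any NULL return the callee has now consumed `sock`, and the caller must not touch it again. That contract is only stated in the commit message; a one-line comment above the function (for example `/* On failure the socket is released; the caller must not use or free it. */`) would keep the next contributor who adds an error path from reintroducing the double free, since the other error paths release via `pvcalls_back_release_active()` rather than a visible `sock_release()` call in this hunk.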
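Review bot: In the second hunk (@@ -423), dropping `sock_release(sock)` from the `!map` branch of `pvcalls_back_connect()` is the fix, and collapsing the braces to `if (!map) ret = -EFAULT;` matches kernel style for a single-statement body. Because `sock` is now freed inside the callee on failure, nothing between the `!map` check and the function's return may dereference `sock`; the visible lines after `out:` only touch the response ring (`RING_GET_RESPONSE(&fedata->ring, ...)`), which is fine, but any later code in the function that still reads `sock` would be a use-after-free and should be confirmed absent.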
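Review bot: In the third hunk (@@ -567), `__pvcalls_back_accept()` keeps `ret = -EFAULT; goto out_error;` and only removes its own `sock_release(sock)`. The `out_error` label is outside the hunk, so the reviewer should confirm it does not itself release `sock` or reach it through `map->sock` (which is NULL here), otherwise the double free merely moves rather than disappears. Noting in the hunk context which cleanup `out_error` performs would make the backport self-evidently safe for the 4.19 tree without re-reading the surrounding function.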