virtio_pci: fix use after free on release

mstsirkin · mstsirkin · commit 2989be09a8a9 · 2016-01-26T10:18:28.000+02:00
KASan detected a use-after-free error in virtio-pci remove code. In virtio_pci_remove(), vp_dev is still used after being freed in unregister_virtio_device() (in virtio_pci_release_dev() more precisely). To fix, keep a reference until cleanup is done. Fixes: 63bd62a ("virtio_pci: defer kfree until release callback") Reported-by: Jerome Marchand <jmarchan@redhat.com> Cc: stable@vger.kernel.org Cc: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Jerome Marchand <jmarchan@redhat.com>
diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
@@ -545,6 +545,7 @@ static int virtio_pci_probe(struct pci_dev *pci_dev,
 static void virtio_pci_remove(struct pci_dev *pci_dev)
 {
 	struct virtio_pci_device *vp_dev = pci_get_drvdata(pci_dev);
+	struct device *dev = get_device(&vp_dev->vdev.dev);
 
 	unregister_virtio_device(&vp_dev->vdev);
 
@@ -554,6 +555,7 @@ static void virtio_pci_remove(struct pci_dev *pci_dev)
 		virtio_pci_modern_remove(vp_dev);
 
 	pci_disable_device(pci_dev);
+	put_device(dev);
 }
 
 static struct pci_driver virtio_pci_driver = {

Original file line number	Diff line number	Diff line change
`@@ -545,6 +545,7 @@ static int virtio_pci_probe(struct pci_dev *pci_dev,`
`545`	`545`	`static void virtio_pci_remove(struct pci_dev *pci_dev)`
`546`	`546`	`{`
`547`	`547`	`struct virtio_pci_device *vp_dev = pci_get_drvdata(pci_dev);`
	`548`	`+ struct device *dev = get_device(&vp_dev->vdev.dev);`
`548`	`549`
`549`	`550`	`unregister_virtio_device(&vp_dev->vdev);`
`550`	`551`
`@@ -554,6 +555,7 @@ static void virtio_pci_remove(struct pci_dev *pci_dev)`
`554`	`555`	`virtio_pci_modern_remove(vp_dev);`
`555`	`556`
`556`	`557`	`pci_disable_device(pci_dev);`
	`558`	`+ put_device(dev);`
`557`	`559`	`}`
`558`	`560`
`559`	`561`	`static struct pci_driver virtio_pci_driver = {`