Commit dc6455a7 authored Mar 27, 2018 by Jason Wang Committed by David S. Miller Mar 27, 2018

vhost: correctly remove wait queue during poll failure



We tried to remove vq poll from wait queue, but do not check whether
or not it was in a list before. This will lead double free. Fixing
this by switching to use vhost_poll_stop() which zeros poll->wqh after
removing poll from waitqueue to make sure it won't be freed twice.

Cc: Darren Kenny <darren.kenny@oracle.com>
Reported-by:  <syzbot+c0272972b01b872e604a@syzkaller.appspotmail.com>
Fixes: 2b8b328b ("vhost_net: handle polling errors when setting backend")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent d222a084

drivers/vhost/vhost.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -212,8 +212,7 @@ int vhost_poll_start(struct vhost_poll poll, struct file file)
		if (mask)
		vhost_poll_wakeup(&poll->wait, 0, 0, poll_to_key(mask));
		if (mask & EPOLLERR) {
		if (poll->wqh)
		remove_wait_queue(poll->wqh, &poll->wait);
		vhost_poll_stop(poll);
		ret = -EINVAL;
		}