Commit a0f1d21c authored Nov 30, 2016 by Dan Carpenter Committed by Radim Krčmář Dec 01, 2016

KVM: use after free in kvm_ioctl_create_device()



We should move the ops->destroy(dev) after the list_del(&dev->vm_node)
so that we don't use "dev" after freeing it.

Fixes: a28ebea2 ("KVM: Protect device ops->create and list_add with kvm->lock")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

parent 0f4828a1

virt/kvm/kvm_main.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2889,10 +2889,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,

		ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR \| O_CLOEXEC);
		if (ret < 0) {
		ops->destroy(dev);
		mutex_lock(&kvm->lock);
		list_del(&dev->vm_node);
		mutex_unlock(&kvm->lock);
		ops->destroy(dev);
		return ret;
		}