Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

[PATCH 0/6] Drivers: hv: vmbus: More VMBus-hardening changes · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
[PATCH 1/6] Drivers: hv: vmbus: Initialize memory to be sent to the host · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
RE: [PATCH 1/6] Drivers: hv: vmbus: Initialize memory to be sent to the host · Michael Kelley <hidden> · 2020-12-06
Re: [PATCH 1/6] Drivers: hv: vmbus: Initialize memory to be sent to the host · Andrea Parri <parri.andrea@gmail.com> · 2020-12-06
[PATCH 2/6] Drivers: hv: vmbus: Avoid double fetch of msgtype in vmbus_on_msg_dpc() · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
RE: [PATCH 2/6] Drivers: hv: vmbus: Avoid double fetch of msgtype in vmbus_on_msg_dpc() · Michael Kelley <hidden> · 2020-12-06
Re: [PATCH 2/6] Drivers: hv: vmbus: Avoid double fetch of msgtype in vmbus_on_msg_dpc() · Andrea Parri <parri.andrea@gmail.com> · 2020-12-06
[PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() · Wei Liu <wei.liu@kernel.org> · 2020-11-24
Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() · Andrea Parri <parri.andrea@gmail.com> · 2020-11-24
RE: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() · Michael Kelley <hidden> · 2020-12-06
[PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc() · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
RE: [PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc() · Michael Kelley <hidden> · 2020-12-06
Re: [PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc() · Andrea Parri <parri.andrea@gmail.com> · 2020-12-06
[PATCH 5/6] Drivers: hv: vmbus: Resolve race condition in vmbus_onoffer_rescind() · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
[PATCH 6/6] Drivers: hv: vmbus: Do not allow overwriting vmbus_connection.channels[] · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18

From: Andrea Parri <parri.andrea@gmail.com>
Date: 2020-11-24 19:54:40
Also in: lkml

On Tue, Nov 24, 2020 at 04:26:33PM +0000, Wei Liu wrote:

On Wed, Nov 18, 2020 at 03:36:47PM +0100, Andrea Parri (Microsoft) wrote:

quoted

When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could
invoke put_device(), that will eventually release the device and free
the channel object (cf. vmbus_device_release()).  However, a pointer
to the object is dereferenced again later to load the primary_channel.
The use-after-free can be avoided by noticing that this load/check is
redundant if device_obk is non-NULL: primary_channel must be NULL if

device_obk -> device_obj

Fixed.

quoted

device_obj is non-NULL, cf. vmbus_add_channel_work().

Missing a Fixes tag?

Yes, I've added the tag.

Thanks,
  Andrea

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help