[PATCH v4 15/25] virtio_net: fix use after free on allocation failure

[PATCH v4 00/25] virtio: fix spec compliance issues · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 01/25] virtio_pci: fix virtio spec compliance on restore · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 02/25] virtio: unify config_changed handling · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 03/25] virtio-pci: move freeze/restore to virtio core · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
Re: [PATCH v4 03/25] virtio-pci: move freeze/restore to virtio core · Paul Bolle <hidden> · 2014-10-15
[PATCH v4 04/25] virtio: defer config changed notifications · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
Re: [PATCH v4 04/25] virtio: defer config changed notifications · Rusty Russell <hidden> · 2014-10-14
Re: [PATCH v4 04/25] virtio: defer config changed notifications · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-14
[PATCH v4 05/25] virtio_blk: drop config_enable · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 07/25] virtio_net: drop config_enable · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 22/25] virtio_scsi: fix race on device removal · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 08/25] virtio-net: drop config_mutex · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 10/25] virtio: add API to enable VQs early · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 12/25] virtio_blk: enable VQs early · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 13/25] virtio_console: enable VQs early · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 19/25] virtio_console: enable VQs early on restore · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 16/25] virtio_scsi: move kick event out from virtscsi_init · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 17/25] virtio_blk: enable VQs early on restore · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 18/25] virtio_scsi: enable VQs early on restore · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 20/25] virtio_net: enable VQs early on restore · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 21/25] virito_scsi: use freezable WQ for events · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 23/25] virtio_balloon: enable VQs early on restore · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 24/25] virtio_scsi: drop scan callback · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 25/25] virtio-rng: refactor probe error handling · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 14/25] 9p/trans_virtio: enable VQs early · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 15/25] virtio_net: fix use after free on allocation failure · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 11/25] virtio_net: enable VQs early · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 09/25] virtio_net: minor cleanup · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13
[PATCH v4 06/25] virtio-blk: drop config_mutex · "Michael S. Tsirkin" <mst@redhat.com> · 2014-10-13

STALE4235d REVIEWED: 1 (0M)

Revisions (5)

2014-10-05 v1 [diff vs current]
2014-10-06 v2 [diff vs current]
2014-10-06 v2 [diff vs current]
2014-10-12 v3 [diff vs current]
2014-10-13 v4 current

From: "Michael S. Tsirkin" <mst@redhat.com>
Date: 2014-10-13 07:52:47
Also in: kvm, linux-s390, linux-scsi, lkml, netdev
Subsystem: networking drivers, the rest, virtio net driver · Maintainers: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds, "Michael S. Tsirkin", Jason Wang

In the extremely unlikely event that driver initialization fails after
RX buffers are added, virtio net frees RX buffers while VQs are
still active, potentially causing device to use a freed buffer.

To fix, reset device first - same as we do on device removal.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <redacted>
---
 drivers/net/virtio_net.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 430f3ae..3551417 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c

@@ -1830,6 +1830,8 @@ static int virtnet_probe(struct virtio_device *vdev)
 	return 0;
 
 free_recv_bufs:
+	vi->vdev->config->reset(vdev);
+
 	free_receive_bufs(vi);
 	unregister_netdev(dev);
 free_vqs:

-- 
MST

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help