vhost-vdpa: fix use after free in vhost_vdpa_probe()

Dan Carpenter · mstsirkin · commit e07754e0a1ea · 2023-11-01T09:31:16.000-04:00
The put_device() calls vhost_vdpa_release_dev() which calls ida_simple_remove() and frees "v". So this call to ida_simple_remove() is a use after free and a double free. Fixes: ebe6a35 ("vhost-vdpa: Call ida_simple_remove() when failed") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Message-Id: <cf53cb61-0699-4e36-a980-94fd4268ff00@moroto.mountain> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com>
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
@@ -1582,7 +1582,6 @@ static int vhost_vdpa_probe(struct vdpa_device *vdpa)
 
 err:
 	put_device(&v->dev);
-	ida_simple_remove(&vhost_vdpa_ida, v->minor);
 	return r;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1582,7 +1582,6 @@ static int vhost_vdpa_probe(struct vdpa_device *vdpa)`
`1582`	`1582`
`1583`	`1583`	`err:`
`1584`	`1584`	`put_device(&v->dev);`
`1585`		`- ida_simple_remove(&vhost_vdpa_ida, v->minor);`
`1586`	`1585`	`return r;`
`1587`	`1586`	`}`
`1588`	`1587`