forked from luck/tmp_suning_uos_patched
71a6979d54
[ Upstream commit e3fa4b747f085d2cda09bba0533b86fa76038635 ]
When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could
invoke put_device(), that will eventually release the device and free
the channel object (cf. vmbus_device_release()). However, a pointer
to the object is dereferenced again later to load the primary_channel.
The use-after-free can be avoided by noticing that this load/check is
redundant if device_obj is non-NULL: primary_channel must be NULL if
device_obj is non-NULL, cf. vmbus_add_channel_work().
Fixes:
|
||
---|---|---|
.. | ||
channel_mgmt.c | ||
channel.c | ||
connection.c | ||
hv_balloon.c | ||
hv_debugfs.c | ||
hv_fcopy.c | ||
hv_kvp.c | ||
hv_snapshot.c | ||
hv_trace_balloon.h | ||
hv_trace.c | ||
hv_trace.h | ||
hv_util.c | ||
hv_utils_transport.c | ||
hv_utils_transport.h | ||
hv.c | ||
hyperv_vmbus.h | ||
Kconfig | ||
Makefile | ||
ring_buffer.c | ||
vmbus_drv.c |