37 lines
1.1 KiB
Diff
37 lines
1.1 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Li Zhijian <lizhijian@cn.fujitsu.com>
|
|
Date: Fri, 31 Aug 2018 10:59:04 +0800
|
|
Subject: [PATCH] vhm: fix client use-after-free
|
|
|
|
free_client() will free resource of client
|
|
|
|
V2: adjust order to avoid use-after-free (yu1.wang@intel.com)
|
|
|
|
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
|
|
Reviewed-by: Jason Chen CJ <jason.cj.chen@intel.com>
|
|
Reviewed-by: Zhao Yakui <yakui.zhao@intel.com>
|
|
---
|
|
drivers/vhm/vhm_ioreq.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/vhm/vhm_ioreq.c b/drivers/vhm/vhm_ioreq.c
|
|
index 0bcb0e0..6bf07e8 100644
|
|
--- a/drivers/vhm/vhm_ioreq.c
|
|
+++ b/drivers/vhm/vhm_ioreq.c
|
|
@@ -282,10 +282,11 @@ static void acrn_ioreq_destroy_client_pervm(struct ioreq_client *client,
|
|
spin_lock_irqsave(&vm->ioreq_client_lock, flags);
|
|
list_del(&client->list);
|
|
spin_unlock_irqrestore(&vm->ioreq_client_lock, flags);
|
|
- free_client(client->id);
|
|
|
|
if (client->id == vm->ioreq_fallback_client)
|
|
vm->ioreq_fallback_client = -1;
|
|
+
|
|
+ free_client(client->id);
|
|
}
|
|
|
|
void acrn_ioreq_destroy_client(int client_id)
|
|
--
|
|
https://clearlinux.org
|
|
|