From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Schspa Shi <schspa@gmail.com>, Cornelia Huck <cohuck@redhat.com>,
	Alex Williamson <alex.williamson@redhat.com>,
	Sasha Levin <sashal@kernel.org>,
	kvm@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 03/19] vfio: Clear the caps->buf to NULL after free
Date: Sun, 14 Aug 2022 12:27:22 -0400
Message-ID: <20220814162739.2398217-3-sashal@kernel.org>
In-Reply-To: <20220814162739.2398217-1-sashal@kernel.org>

From: Schspa Shi <schspa@gmail.com>

[ Upstream commit 6641085e8d7b3f061911517f79a2a15a0a21b97b ]

On buffer resize failure, vfio_info_cap_add() will free the buffer,
report zero for the size, and return -ENOMEM.  As additional
hardening, also clear the buffer pointer to prevent any chance of a
double free.

Signed-off-by: Schspa Shi <schspa@gmail.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Link: https://lore.kernel.org/r/20220629022948.55608-1-schspa@gmail.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vfio/vfio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 2151bc7f87ab..7f60aedc3769 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -1823,6 +1823,7 @@ struct vfio_info_cap_header *vfio_info_cap_add(struct vfio_info_cap *caps,
 	buf = krealloc(caps->buf, caps->size + size, GFP_KERNEL);
 	if (!buf) {
 		kfree(caps->buf);
+		caps->buf = NULL;
 		caps->size = 0;
 		return ERR_PTR(-ENOMEM);
 	}
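Review bot: the reset on the -ENOMEM path is now complete (caps->buf NULL, caps->size 0), but nothing in the hunk tells callers they may rely on it; consider a one-line comment above the error branch, or in the function's kerneldoc, stating that on failure caps is left empty so that a later kfree(caps->buf) by the owner is a no-op and a retry through krealloc(caps->buf, ...) allocates fresh memory instead of touching the freed block. Without that note the hardening protects callers by accident rather than by contract, and a future cleanup could drop the assignment as "redundant" next to the size reset.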
-- 
2.35.1
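Added illustration, not the kernel's code: a userspace model of the failure path the commit message describes, so the difference between "free the buffer and zero the size" and "also clear the pointer" can be observed directly. The struct, function and fault-injection switch names (cap_buf, cap_add, fail_next_realloc) are assumptions standing in for struct vfio_info_cap, vfio_info_cap_add() and a failing krealloc().

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct vfio_info_cap (names are assumptions). */
struct cap_buf {
	void *buf;
	size_t size;
};

/* Fault-injection switch standing in for krealloc() returning NULL. */
static bool fail_next_realloc;
static void *model_realloc(void *p, size_t n)
{
	if (fail_next_realloc) {
		fail_next_realloc = false;
		return NULL;
	}
	return realloc(p, n);
}

/* Grow by 'size'; on failure free the buffer, zero the size and, only when
 * 'hardened' is set, clear the pointer (the patch's one added line). */
static void *cap_add(struct cap_buf *caps, size_t size, bool hardened)
{
	void *buf = model_realloc(caps->buf, caps->size + size);
	if (!buf) {
		free(caps->buf);
		if (hardened)
			caps->buf = NULL;
		caps->size = 0;
		return NULL;
	}
	caps->buf = buf;
	caps->size += size;
	return (char *)buf + caps->size - size;	/* start of the new tail */
}

/* After a failed grow, may the owner of caps still call free(caps->buf)? */
static bool failure_leaves_safe_state(bool hardened)
{
	struct cap_buf caps = { NULL, 0 };
	if (!cap_add(&caps, 16, hardened))
		return false;		/* first grow must succeed */
	fail_next_realloc = true;
	cap_add(&caps, 16, hardened);	/* releases the buffer internally */
	if (caps.buf != NULL || caps.size != 0)
		return false;		/* stale pointer: a second free would be a double free */
	free(caps.buf);			/* free(NULL) is a harmless no-op */
	return true;
}
```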