On 12/1/15 1:35 PM, Konrad Rzeszutek Wilk wrote:
> On Tue, Dec 01, 2015 at 11:47:17AM -0500, Konrad Rzeszutek Wilk wrote:
>> On Thu, Nov 26, 2015 at 02:32:39PM -0600, Doug Goldstein wrote:
>>> When allocating a pciback device fails, avoid the possibility of a
>>> use after free.
>>
>> Reviewed-by: Konrad Rzeszutek Wilk
>>
>> Ugh, and it looks like xen-blkfront has the same issue.
>
> Nope. No problems there.
>
> The ->probe if it fails (so xenbus_dev_probe returns the error)
> ends up in the 'probe_failed' label in really_probe which takes care by doing:
>
>     dev_set_drvdata(dev, NULL);
>
> Wheew!
>
> either way the patch should go in, but the 'possibility' should
> be perhaps removed? Unless there is some other path I missed?

I put 'possibility' in there because it will only happen when the function returns failure. I was also trying to not make it sound panicky I guess. I can resubmit the patch with that word dropped if that's desirable.

>
>>
>>>
>>> Reported-by: Jonathan Creekmore
>>> Signed-off-by: Doug Goldstein
>>> ---
>>> drivers/xen/xen-pciback/xenbus.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c >>> index 98bc345..4843741 100644 >>> --- a/drivers/xen/xen-pciback/xenbus.c >>> +++ b/drivers/xen/xen-pciback/xenbus.c >>> @@ -44,7 +44,6 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >>> dev_dbg(&xdev->dev, "allocated pdev @ 0x%p\n", pdev); >>> >>> pdev->xdev = xdev; >>> - dev_set_drvdata(&xdev->dev, pdev); >>> >>> mutex_init(&pdev->dev_lock); >>> >>> @@ -58,6 +57,9 @@ static struct xen_pcibk_device *alloc_pdev(struct xenbus_device *xdev) >>> kfree(pdev); >>> pdev = NULL; >>> } >>> + >>> + dev_set_drvdata(&xdev->dev, pdev); >>> + >>> out: >>> return pdev; >>> } >>> -- >>> 2.4.10 >>>

-- Doug Goldstein
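
Review bot: in the first hunk of alloc_pdev(), removing the early dev_set_drvdata(&xdev->dev, pdev) leaves drvdata unset for everything that runs between pdev->xdev = xdev and the new call site. Those lines are not part of the diff, so the commit message should state that nothing in that window, including the step whose failure leads to kfree(pdev), reads the pointer back through dev_get_drvdata().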
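
Review bot: in the second hunk the new dev_set_drvdata(&xdev->dev, pdev) sits above the out: label, so any path that reaches out: by goto returns without touching drvdata. If the intent is that drvdata always matches the returned pointer (NULL after kfree(pdev); pdev = NULL;), move the call below out: or say in a comment why the paths that skip it are safe. A one-line comment that drvdata is published only after the last step that can free pdev would also keep a later change from moving the call back up.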