On Tue, Nov 24, 2020 at 04:26:33PM +0000, Wei Liu wrote:
> On Wed, Nov 18, 2020 at 03:36:47PM +0100, Andrea Parri (Microsoft) wrote:
> > When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could
> > invoke put_device(), that will eventually release the device and free
> > the channel object (cf. vmbus_device_release()).  However, a pointer
> > to the object is dereferenced again later to load the primary_channel.
> > The use-after-free can be avoided by noticing that this load/check is
> > redundant if device_obk is non-NULL: primary_channel must be NULL if
> 
> device_obk -> device_obj

Fixed.


> 
> > device_obj is non-NULL, cf. vmbus_add_channel_work().
> > 
> 
> Missing a Fixes tag?

Yes, I've added the tag.

Thanks,
  Andrea
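A constructed C model of the ordering bug discussed above and of the reordering the patch relies on. This is an added example, not the Linux vmbus code: the `struct device`/`struct channel` layouts, the `freed` marker, `load_primary()` and the `uaf_reads` counter are all assumptions of the model, chosen so that a read from a released channel can be observed instead of being undefined behaviour. The invariant it encodes is the one the commit message states: `primary_channel` is non-NULL only when `device_obj` is NULL.

```c
#include <stdio.h>
#include <stdbool.h>

struct channel;

/* Refcounted device that owns a channel (constructed model). */
struct device {
    int refcount;
    struct channel *channel;
};

/* Model channel: primary channels carry device_obj, sub-channels carry
 * primary_channel; never both (the invariant the fix depends on). */
struct channel {
    struct device *device_obj;
    struct channel *primary_channel;
    bool freed;            /* set by the release path instead of free() */
};

/* Number of loads performed on an already-released channel; this is the
 * condition a KASAN-style check would report as a use-after-free. */
static int uaf_reads;

/* Dropping the last reference releases the device and, with it, the
 * channel object (the model's stand-in for vmbus_device_release()). */
static void put_device(struct device *dev)
{
    if (--dev->refcount == 0)
        dev->channel->freed = true;
}

/* Every load of primary_channel goes through here so the model can record
 * whether the object was still alive at the time of the read. */
static struct channel *load_primary(struct channel *ch)
{
    if (ch->freed)
        uaf_reads++;
    return ch->primary_channel;
}

/* Buggy ordering: put_device() may release ch, and primary_channel is
 * loaded from ch afterwards. Returns 1 for a sub-channel, 0 otherwise. */
static int rescind_buggy(struct channel *ch)
{
    if (ch->device_obj)
        put_device(ch->device_obj);
    return load_primary(ch) != NULL;
}

/* Fixed ordering: when device_obj is non-NULL the load is redundant
 * (primary_channel must be NULL), so the object is not touched again
 * after the reference has been dropped. */
static int rescind_fixed(struct channel *ch)
{
    if (ch->device_obj) {
        put_device(ch->device_obj);
        return 0;
    }
    return load_primary(ch) != NULL;
}

/* Primary channel holding the last device reference: returns the number
 * of reads from the released object that the given rescind path performs. */
static int primary_channel_uaf_reads(int (*rescind)(struct channel *))
{
    struct channel ch = { 0 };
    struct device dev = { .refcount = 1, .channel = &ch };
    ch.device_obj = &dev;
    uaf_reads = 0;
    rescind(&ch);
    return uaf_reads;
}

/* Sub-channel (no device_obj): both paths must still detect it as such
 * without any read from a released object. */
static int subchannel_detected(int (*rescind)(struct channel *))
{
    struct channel primary = { 0 };
    struct channel sub = { .primary_channel = &primary };
    uaf_reads = 0;
    return rescind(&sub) == 1 && uaf_reads == 0;
}

int main(void)
{
    printf("buggy path, primary channel: %d read(s) after release\n",
           primary_channel_uaf_reads(rescind_buggy));
    printf("fixed path, primary channel: %d read(s) after release\n",
           primary_channel_uaf_reads(rescind_fixed));
    printf("sub-channel handled by both paths: %s\n",
           subchannel_detected(rescind_buggy) &&
           subchannel_detected(rescind_fixed) ? "yes" : "no");
    return 0;
}
```

The model only changes where the load happens, not what is loaded, which is why the sub-channel case behaves identically on both paths; the difference shows up solely as the post-release read on the primary-channel path.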