RE: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

From: Andrea Parri (Microsoft) Sent: Wednesday, November 18, 2020 6:37 AM > > When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could > invoke put_device(), that will eventually release the device and free > the channel object (cf. vmbus_device_release()). However, a pointer > to

Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

On Tue, Nov 24, 2020 at 04:26:33PM +, Wei Liu wrote: > On Wed, Nov 18, 2020 at 03:36:47PM +0100, Andrea Parri (Microsoft) wrote: > > When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could > > invoke put_device(), that will eventually release the device and free > > the channel

Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

On Wed, Nov 18, 2020 at 03:36:47PM +0100, Andrea Parri (Microsoft) wrote: > When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could > invoke put_device(), that will eventually release the device and free > the channel object (cf. vmbus_device_release()). However, a pointer > to the

[PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could invoke put_device(), that will eventually release the device and free the channel object (cf. vmbus_device_release()). However, a pointer to the object is dereferenced again later to load the primary_channel. The use-after-free