| author | Yung-Tse Cheng <mes900903@gmail.com> | 2026-04-05 22:30:39 +0300 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2026-06-15 15:06:20 +0300 |
| commit | 6af3330ec5d5fb8c06c04eb520a71cf73ea5a765 (patch) | |
| tree | dab5236d36d74893c532d22ee077891271deda83 | |
| parent | 2b0408d0284f4ff376cf5610fa8c9905e93c2541 (diff) | |
| download | linux-6af3330ec5d5fb8c06c04eb520a71cf73ea5a765.tar.xz | |
virtio-fs: avoid double-free on failed queue setup
virtio_fs_setup_vqs() allocates fs->vqs and fs->mq_map before calling
virtio_find_vqs(). If virtio_find_vqs() fails, the error path frees both
pointers and returns an error to virtio_fs_probe().
virtio_fs_probe() then drops the last kobject reference, and
virtio_fs_ktype_release() frees fs->vqs and fs->mq_map again. This leaves
dangling pointers in struct virtio_fs and can trigger a double-free during
probe failure cleanup.
Set fs->vqs and fs->mq_map to NULL immediately after kfree() in the
virtio_fs_setup_vqs() error path so that the later kobject release sees an
uninitialized state and kfree(NULL) becomes harmless.
This can be reproduced when a broken virtio-fs device advertises more
request queues than the transport actually provides. In that case
virtio_find_vqs() fails while setting up the extra queue, and the probe
path reaches the double-free cleanup sequence.
Signed-off-by: Yung-Tse Cheng <mes900903@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
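The double-free the message describes comes from two cleanup paths both believing they own fs->vqs and fs->mq_map: the virtio_fs_setup_vqs() error path frees them, and virtio_fs_ktype_release() frees them again when the last kobject reference drops. The user-space model below is an added example, not code from this page or from the kernel; struct fs_ctx, tracked_alloc()/tracked_free(), find_vqs(), setup_vqs(), ktype_release() and probe_double_frees() are hypothetical stand-ins, and the tracking allocator is constructed so that the stale second free is counted rather than handed to free(), where glibc would abort. The `fixed` flag selects the patched error path (pointers set to NULL after kfree()), which turns the second free into the harmless kfree(NULL) case.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the two heap-owned members of struct virtio_fs. */
struct fs_ctx {
	int *vqs;
	int *mq_map;
};

/*
 * Tracking allocator (constructed for this example): remembers which
 * pointers are live so that freeing a stale one is counted instead of
 * being passed to free(), where the real heap would be corrupted.
 */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_alloc(size_t n)
{
	void *p = calloc(1, n ? n : 1);

	for (int i = 0; i < MAX_LIVE; i++) {
		if (!live[i]) {
			live[i] = p;
			return p;
		}
	}
	free(p);
	return NULL;
}

static void tracked_free(void *p)
{
	if (!p)
		return;			/* like kfree(NULL): a no-op */
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
	}
	double_frees++;			/* not live: this would be a double-free */
}

/* Stand-in for virtio_find_vqs(): fails when the device advertises more queues than the transport provides. */
static int find_vqs(unsigned int requested, unsigned int available)
{
	return requested <= available ? 0 : -ENODEV;
}

/* Models virtio_fs_setup_vqs(); `fixed` selects the patched error path. */
static int setup_vqs(struct fs_ctx *fs, unsigned int requested,
		     unsigned int available, bool fixed)
{
	int ret;

	fs->vqs = tracked_alloc(requested * sizeof(*fs->vqs));
	fs->mq_map = tracked_alloc(requested * sizeof(*fs->mq_map));
	ret = find_vqs(requested, available);
	if (ret) {
		tracked_free(fs->vqs);
		if (fixed)
			fs->vqs = NULL;		/* patched: release path sees NULL */
		tracked_free(fs->mq_map);
		if (fixed)
			fs->mq_map = NULL;
	}
	return ret;
}

/* Models virtio_fs_ktype_release(): runs when the last kobject reference drops. */
static void ktype_release(struct fs_ctx *fs)
{
	tracked_free(fs->vqs);
	tracked_free(fs->mq_map);
}

/* Simulated probe; returns how many double-frees the cleanup sequence would perform. */
int probe_double_frees(unsigned int requested, unsigned int available, bool fixed)
{
	struct fs_ctx fs = { 0 };

	double_frees = 0;
	setup_vqs(&fs, requested, available, fixed);
	ktype_release(&fs);	/* probe failure (or normal teardown) drops the last reference */
	return double_frees;
}

int main(void)
{
	printf("broken device, unpatched: %d double-free(s)\n", probe_double_frees(4, 2, false));
	printf("broken device, patched:   %d double-free(s)\n", probe_double_frees(4, 2, true));
	printf("sane device, unpatched:   %d double-free(s)\n", probe_double_frees(2, 4, false));
	return 0;
}
```

With a device that advertises four queues on a transport providing two, the unpatched path frees both members twice; with the NULL assignments in place the release path's frees become no-ops, and a device whose queue count the transport can satisfy never takes the error path at all, so the release function remains the single point that frees the members.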
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | fs/fuse/virtio_fs.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c index a4cf813cebfc..df25d4faca41 100644 --- a/fs/fuse/virtio_fs.c +++ b/fs/fuse/virtio_fs.c @@ -1010,7 +1010,9 @@ out: kfree(vqs); if (ret) { kfree(fs->vqs); + fs->vqs = NULL; kfree(fs->mq_map); + fs->mq_map = NULL; } return ret; } |
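Review bot: the two NULL assignments in the `if (ret)` block after `out:` need a one-line comment saying why they are there, since on their own `kfree(fs->vqs); fs->vqs = NULL;` reads as redundant in a function that is about to return an error, and a later cleanup could drop them and reintroduce the double-free with virtio_fs_ktype_release(). Something like `/* virtio_fs_ktype_release() frees these too; make that a no-op */` above `kfree(fs->vqs);` is enough. The alternative worth weighing is to not kfree() fs->vqs and fs->mq_map in this error path at all and leave the kobject release as the single owner, which removes the duplicated cleanup instead of neutralizing it; the fix as posted is correct either way because kfree(NULL) is a no-op.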
