diff options
| author | Yung-Tse Cheng <mes900903@gmail.com> | 2026-04-05 22:30:39 +0300 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2026-06-15 15:06:20 +0300 |
| commit | 6af3330ec5d5fb8c06c04eb520a71cf73ea5a765 (patch) | |
| tree | dab5236d36d74893c532d22ee077891271deda83 /include/linux/errqueue.h | |
| parent | 2b0408d0284f4ff376cf5610fa8c9905e93c2541 (diff) | |
| download | linux-6af3330ec5d5fb8c06c04eb520a71cf73ea5a765.tar.xz | |
virtio-fs: avoid double-free on failed queue setup
virtio_fs_setup_vqs() allocates fs->vqs and fs->mq_map before calling
virtio_find_vqs(). If virtio_find_vqs() fails, the error path frees both
pointers and returns an error to virtio_fs_probe().
virtio_fs_probe() then drops the last kobject reference, and
virtio_fs_ktype_release() frees fs->vqs and fs->mq_map again. This leaves
dangling pointers in struct virtio_fs and can trigger a double-free during
probe failure cleanup.
Set fs->vqs and fs->mq_map to NULL immediately after kfree() in the
virtio_fs_setup_vqs() error path so that the later kobject release sees an
uninitialized state and kfree(NULL) becomes harmless.
This can be reproduced when a broken virtio-fs device advertises more
request queues than the transport actually provides. In that case
virtio_find_vqs() fails while setting up the extra queue, and the probe
path reaches the double-free cleanup sequence.
Signed-off-by: Yung-Tse Cheng <mes900903@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'include/linux/errqueue.h')
0 files changed, 0 insertions, 0 deletions