mirror of
https://github.com/torvalds/linux
synced 2024-09-20 02:57:25 +00:00
5e0ce1455c
The guest sequence of: a) XEN_PCI_OP_enable_msix b) XEN_PCI_OP_enable_msix results in hitting an NULL pointer due to using freed pointers. The device passed in the guest MUST have MSI-X capability. The a) constructs and SysFS representation of MSI and MSI groups. The b) adds a second set of them but adding in to SysFS fails (duplicate entry). 'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that in a) pdev->msi_irq_groups is still set) and also free's ALL of the MSI-X entries of the device (the ones allocated in step a) and b)). The unwind code: 'free_msi_irqs' deletes all the entries and tries to delete the pdev->msi_irq_groups (which hasn't been set to NULL). However the pointers in the SysFS are already freed and we hit an NULL pointer further on when 'strlen' is attempted on a freed pointer. The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard against that. The check for msi_enabled is not stricly neccessary. This is part of XSA-157 CC: stable@vger.kernel.org Reviewed-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
||
|---|---|---|
| .. | ||
| events | ||
| xen-pciback | ||
| xenbus | ||
| xenfs | ||
| acpi.c | ||
| balloon.c | ||
| biomerge.c | ||
| cpu_hotplug.c | ||
| dbgp.c | ||
| efi.c | ||
| evtchn.c | ||
| fallback.c | ||
| features.c | ||
| gntalloc.c | ||
| gntdev.c | ||
| grant-table.c | ||
| Kconfig | ||
| Makefile | ||
| manage.c | ||
| mcelog.c | ||
| pci.c | ||
| pcpu.c | ||
| platform-pci.c | ||
| preempt.c | ||
| privcmd.c | ||
| privcmd.h | ||
| swiotlb-xen.c | ||
| sys-hypervisor.c | ||
| tmem.c | ||
| xen-acpi-cpuhotplug.c | ||
| xen-acpi-memhotplug.c | ||
| xen-acpi-pad.c | ||
| xen-acpi-processor.c | ||
| xen-balloon.c | ||
| xen-scsiback.c | ||
| xen-selfballoon.c | ||
| xen-stub.c | ||
| xlate_mmu.c | ||