From: Christophe JAILLET christophe.jaillet@wanadoo.fr
stable inclusion from stable-v5.10.40 commit d84b5e912212b05f6b5bde9f682046accfbe0354 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I956GH CVE: CVE-2021-47071
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 3ee098f96b8b6c1a98f7f97915f8873164e6af9d upstream.
If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be updated and 'hv_uio_cleanup()' in the error handling path will not be able to free the corresponding buffer.
In such a case, we need to free the buffer explicitly.
Fixes: cdfa835c6e5e ("uio_hv_generic: defer opening vmbus until first use") Cc: stable stable@vger.kernel.org Signed-off-by: Christophe JAILLET christophe.jaillet@wanadoo.fr Link: https://lore.kernel.org/r/4fdaff557deef6f0475d02ba7922ddbaa1ab08a6.162054405... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Guo Mengqi guomengqi3@huawei.com --- drivers/uio/uio_hv_generic.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 170fa1f8f00e..b58e7c582d3f 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -250,8 +250,10 @@ hv_uio_probe(struct hv_device *dev,
ret = vmbus_establish_gpadl(dev->channel, pdata->recv_buf, RECV_BUFFER_SIZE, &pdata->recv_gpadl); - if (ret) + if (ret) { + vfree(pdata->recv_buf); goto fail_close; + }
/* put Global Physical Address Label in name */ snprintf(pdata->recv_name, sizeof(pdata->recv_name), @@ -271,8 +273,10 @@ hv_uio_probe(struct hv_device *dev,
ret = vmbus_establish_gpadl(dev->channel, pdata->send_buf, SEND_BUFFER_SIZE, &pdata->send_gpadl); - if (ret) + if (ret) { + vfree(pdata->send_buf); goto fail_close; + }
snprintf(pdata->send_name, sizeof(pdata->send_name), "send:%u", pdata->send_gpadl);