git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Yung-Tse Cheng <mes900903@gmail.com>
	Sun, 5 Apr 2026 19:30:39 +0000 (03:30 +0800)
committer	Miklos Szeredi <mszeredi@redhat.com>
	Mon, 15 Jun 2026 12:06:20 +0000 (14:06 +0200)
commit	6af3330ec5d5fb8c06c04eb520a71cf73ea5a765
tree	dab5236d36d74893c532d22ee077891271deda83	tree \| snapshot
parent	2b0408d0284f4ff376cf5610fa8c9905e93c2541	commit \| diff

virtio-fs: avoid double-free on failed queue setup

virtio_fs_setup_vqs() allocates fs->vqs and fs->mq_map before calling
virtio_find_vqs(). If virtio_find_vqs() fails, the error path frees both
pointers and returns an error to virtio_fs_probe().

virtio_fs_probe() then drops the last kobject reference, and
virtio_fs_ktype_release() frees fs->vqs and fs->mq_map again. This leaves
dangling pointers in struct virtio_fs and can trigger a double-free during
probe failure cleanup.

Set fs->vqs and fs->mq_map to NULL immediately after kfree() in the
virtio_fs_setup_vqs() error path so that the later kobject release sees an
uninitialized state and kfree(NULL) becomes harmless.

This can be reproduced when a broken virtio-fs device advertises more
request queues than the transport actually provides. In that case
virtio_find_vqs() fails while setting up the extra queue, and the probe
path reaches the double-free cleanup sequence.

Signed-off-by: Yung-Tse Cheng <mes900903@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>