Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753654AbdFQWif (ORCPT <rfc822;w@1wt.eu>);
        Sat, 17 Jun 2017 18:38:35 -0400
Received: from omzsmtpe03.verizonbusiness.com ([199.249.25.208]:34376 "EHLO
        omzsmtpe03.verizonbusiness.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1753114AbdFQWZk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 17 Jun 2017 18:25:40 -0400
X-IronPort-Anti-Spam-Filtered: false
From: "Levin, Alexander (Sasha Levin)" <alexander.levin@verizon.com>
Cc: "G. Campana" <gcampana@quarkslab.com>,
        "Michael S . Tsirkin" <mst@redhat.com>,
        "Levin, Alexander (Sasha Levin)" <alexander.levin@verizon.com>
X-IronPort-AV: E=Sophos;i="5.39,316,1493683200"; 
   d="scan'208";a="372653746"
X-Host: ranger.odc.vzwcorp.com
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: [PATCH for v4.9 LTS 33/86] virtio_console: fix a crash in
 config_work_handler
Thread-Topic: [PATCH for v4.9 LTS 33/86] virtio_console: fix a crash in
 config_work_handler
Thread-Index: AQHS57iCmtHL7VtKu0S6eIjmy7YY+Q==
Date: Sat, 17 Jun 2017 22:24:38 +0000
Message-ID: <20170617222420.19316-33-alexander.levin@verizon.com>
References: <20170617222420.19316-1-alexander.levin@verizon.com>
In-Reply-To: <20170617222420.19316-1-alexander.levin@verizon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.144.60.250]
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v5HMd4ts023221
Content-Length: 1363
Lines: 38

From: "G. Campana" <gcampana@quarkslab.com>

[ Upstream commit 8379cadf71c3ee8173a1c6fc1ea7762a9638c047 ]

Using control_work instead of config_work as the 3rd argument to
container_of results in an invalid portdev pointer. Indeed, the work
structure is initialized as below:

    INIT_WORK(&portdev->config_work, &config_work_handler);

It leads to a crash when portdev->vdev is dereferenced later. This
bug
is triggered when the guest uses a virtio-console without multiport
feature and receives a config_changed virtio interrupt.

Signed-off-by: G. Campana <gcampana@quarkslab.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
---
 drivers/char/virtio_console.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 471a301d63e3..8f890c1aca57 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1870,7 +1870,7 @@ static void config_work_handler(struct work_struct *work)
 {
 	struct ports_device *portdev;
 
-	portdev = container_of(work, struct ports_device, control_work);
+	portdev = container_of(work, struct ports_device, config_work);
 	if (!use_multiport(portdev)) {
 		struct virtio_device *vdev;
 		struct port *port;
-- 
2.11.0