search for: ldigbi

A virtio_blk block device can still be referenced after hot unplug by userspace processes that hold the file descriptor. In this case virtblk_getgeo() can be invoked after virtblk_remove() was called. For example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot unplug. Fix this by clearing vblk->disk->private_data and checking that the virtio_blk driver instance is

A virtio_blk block device can still be referenced after hot unplug by userspace processes that hold the file descriptor. In this case virtblk_getgeo() can be invoked after virtblk_remove() was called. For example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot unplug. Fix this by clearing vblk->disk->private_data and checking that the virtio_blk driver instance is

On Wed, May 06, 2020 at 03:28:47AM +0000, Justin He wrote: > Hi Michael > > > -----Original Message----- > > From: Michael S. Tsirkin <mst at redhat.com> > > Sent: Monday, May 4, 2020 8:16 PM > > To: Linus Torvalds <torvalds at linux-foundation.org> > > Cc: kvm at vger.kernel.org; virtualization at lists.linux-foundation.org; > > netdev at

On Wed, May 06, 2020 at 03:28:47AM +0000, Justin He wrote: > Hi Michael > > > -----Original Message----- > > From: Michael S. Tsirkin <mst at redhat.com> > > Sent: Monday, May 4, 2020 8:16 PM > > To: Linus Torvalds <torvalds at linux-foundation.org> > > Cc: kvm at vger.kernel.org; virtualization at lists.linux-foundation.org; > > netdev at

On Thu, Apr 30, 2020 at 10:43:23AM +0200, Stefano Garzarella wrote: > On Wed, Apr 29, 2020 at 05:53:45PM +0100, Stefan Hajnoczi wrote: > > A userspace process holding a file descriptor to a virtio_blk device can > > still invoke block_device_operations after hot unplug. This leads to a > > use-after-free accessing vblk->vdev in virtblk_getgeo() when > >

On Thu, Apr 30, 2020 at 10:43:23AM +0200, Stefano Garzarella wrote: > On Wed, Apr 29, 2020 at 05:53:45PM +0100, Stefan Hajnoczi wrote: > > A userspace process holding a file descriptor to a virtio_blk device can > > still invoke block_device_operations after hot unplug. This leads to a > > use-after-free accessing vblk->vdev in virtblk_getgeo() when > >

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. For example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot unplug to invoke virtblk_getgeo(). Introduce a reference count in struct virtio_blk so that its lifetime covers both virtio_driver probe/remove and block_device_operations open/release

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. For example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot unplug to invoke virtblk_getgeo(). Introduce a reference count in struct virtio_blk so that its lifetime covers both virtio_driver probe/remove and block_device_operations open/release

On Thu, Apr 23, 2020 at 01:37:17PM +0100, Stefan Hajnoczi wrote: > A virtio_blk block device can still be referenced after hot unplug by > userspace processes that hold the file descriptor. In this case > virtblk_getgeo() can be invoked after virtblk_remove() was called. For > example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) > after hot unplug. > > Fix

On Wed, May 06, 2020 at 03:19:55AM -0400, Michael S. Tsirkin wrote: > On Wed, May 06, 2020 at 03:28:47AM +0000, Justin He wrote: > > Hi Michael > > > > > -----Original Message----- > > > From: Michael S. Tsirkin <mst at redhat.com> > > > Sent: Monday, May 4, 2020 8:16 PM > > > To: Linus Torvalds <torvalds at linux-foundation.org> >

On Tue, Apr 28, 2020 at 11:25:07AM -0400, Michael S. Tsirkin wrote: > On Tue, Apr 28, 2020 at 03:30:09PM +0100, Stefan Hajnoczi wrote: > > A userspace process holding a file descriptor to a virtio_blk device can > > still invoke block_device_operations after hot unplug. For example, a > > program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot > > unplug to

On Thu, Apr 30, 2020 at 11:14:10AM +0100, Stefan Hajnoczi wrote: > On Thu, Apr 30, 2020 at 10:43:23AM +0200, Stefano Garzarella wrote: > > On Wed, Apr 29, 2020 at 05:53:45PM +0100, Stefan Hajnoczi wrote: > > > A userspace process holding a file descriptor to a virtio_blk device can > > > still invoke block_device_operations after hot unplug. This leads to a > >

On Thu, 30 Apr 2020 15:04:42 +0100 Stefan Hajnoczi <stefanha at redhat.com> wrote: > A userspace process holding a file descriptor to a virtio_blk device can > still invoke block_device_operations after hot unplug. This leads to a > use-after-free accessing vblk->vdev in virtblk_getgeo() when > ioctl(HDIO_GETGEO) is invoked: > > BUG: unable to handle kernel NULL

On Tue, Apr 28, 2020 at 03:30:09PM +0100, Stefan Hajnoczi wrote: > A userspace process holding a file descriptor to a virtio_blk device can > still invoke block_device_operations after hot unplug. For example, a > program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot > unplug to invoke virtblk_getgeo(). which causes what? a use after free? > > Introduce a

On Wed, Apr 29, 2020 at 05:53:45PM +0100, Stefan Hajnoczi wrote: > A userspace process holding a file descriptor to a virtio_blk device can > still invoke block_device_operations after hot unplug. This leads to a > use-after-free accessing vblk->vdev in virtblk_getgeo() when > ioctl(HDIO_GETGEO) is invoked: > > BUG: unable to handle kernel NULL pointer dereference at

From: Stefan Hajnoczi <stefanha at redhat.com> [ Upstream commit 90b5feb8c4bebc76c27fcaf3e1a0e5ca2d319e9e ] A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer