search for: vhost_net_flush

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He <asias at redhat.com> Acked-by: Jason Wang &lt...

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He <asias at redhat.com> Acked-by: Jason Wang &lt...

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He <asias at redhat.com> Acked-by: Jason Wang &lt...

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He <asias at redhat.com> Acked-by: Jason Wang &lt...

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- Dave,...

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- Dave,...

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- I sent...

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- I sent...

...> On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton at sina.com> wrote: > > > > > > Hello Jason > > > > > > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > > > > > > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > > > > vhost_net_release(). > > > > > > > Fairly good catch. > > > > > > > Could you please post a formal patch? > > > > > > > I'd like very much to do that; but I wont, I am afraid, until I collect a > > &gt...

...:06 +0800 Dmitry Vyukov wrote: > On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton at sina.com> wrote: > > > > Hello Jason > > > > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > > > > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > > > vhost_net_release(). > > > > > Fairly good catch. > > > > > Could you please post a formal patch? > > > > > I'd like very much to do that; but I wont, I am afraid, until I collect a > > Tested-by because of reproducer withou...

...:06 +0800 Dmitry Vyukov wrote: > On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton at sina.com> wrote: > > > > Hello Jason > > > > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > > > > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > > > vhost_net_release(). > > > > > Fairly good catch. > > > > > Could you please post a formal patch? > > > > > I'd like very much to do that; but I wont, I am afraid, until I collect a > > Tested-by because of reproducer withou...

...oo.gl/tpsmEJ#status for how to communicate with syzbot. > syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches > Ignore my noise if you have no interest seeing the syzbot report. After commit c38e39c378f46f ("vhost-net: fix use-after-free in vhost_net_flush") flush would no longer free ubuf, just wait until ubuf users disappear instead. The following diff, in hope that may perhaps help you handle the memory leak, makes flush able to free ubuf in the path of file release. Thanks Hillf --- drivers/vhost/net.c | 8 +++++++- 1 file changed, 7 inse...

...oo.gl/tpsmEJ#status for how to communicate with syzbot. > syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches > Ignore my noise if you have no interest seeing the syzbot report. After commit c38e39c378f46f ("vhost-net: fix use-after-free in vhost_net_flush") flush would no longer free ubuf, just wait until ubuf users disappear instead. The following diff, in hope that may perhaps help you handle the memory leak, makes flush able to free ubuf in the path of file release. Thanks Hillf --- drivers/vhost/net.c | 8 +++++++- 1 file changed, 7 inse...

...communicate with syzbot. >> syzbot can test patches for this bug, for details see: >> https://goo.gl/tpsmEJ#testing-patches >> > Ignore my noise if you have no interest seeing the syzbot report. > > After commit c38e39c378f46f ("vhost-net: fix use-after-free in > vhost_net_flush") flush would no longer free ubuf, just wait until > ubuf users > disappear instead. > > The following diff, in hope that may perhaps help you handle the > memory leak, > makes flush able to free ubuf in the path of file release. > > Thanks > Hillf > --- > dr...

...a51f..c9be601 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -586,6 +586,7 @@ static int vhost_net_release(struct inode *inode, struct file *f) struct socket *tx_sock; struct socket *rx_sock; + mutex_lock(&n->dev.mutex); vhost_net_stop(n, &tx_sock, &rx_sock); vhost_net_flush(n); vhost_dev_cleanup(&n->dev); @@ -596,6 +597,7 @@ static int vhost_net_release(struct inode *inode, struct file *f) /* We do an extra flush before freeing memory, * since jobs can re-queue themselves. */ vhost_net_flush(n); + mutex_unlock(&n->dev.mutex); kfree(n); retur...

...a51f..c9be601 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -586,6 +586,7 @@ static int vhost_net_release(struct inode *inode, struct file *f) struct socket *tx_sock; struct socket *rx_sock; + mutex_lock(&n->dev.mutex); vhost_net_stop(n, &tx_sock, &rx_sock); vhost_net_flush(n); vhost_dev_cleanup(&n->dev); @@ -596,6 +597,7 @@ static int vhost_net_release(struct inode *inode, struct file *f) /* We do an extra flush before freeing memory, * since jobs can re-queue themselves. */ vhost_net_flush(n); + mutex_unlock(&n->dev.mutex); kfree(n); retur...

Hello Jason On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > vhost_net_release(). > Fairly good catch. > Could you please post a formal patch? > I'd like very much to do that; but I wont, I am afraid, until I collect a Tested-by because of reproducer without a cutting edge. Thanks Hillf

Hello Jason On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote: > > This is basically a kfree(ubuf) after the second vhost_net_flush() in > vhost_net_release(). > Fairly good catch. > Could you please post a formal patch? > I'd like very much to do that; but I wont, I am afraid, until I collect a Tested-by because of reproducer without a cutting edge. Thanks Hillf

..._rx_kick; + for (i = 0; i < VHOST_NET_VQ_MAX; i++) { + n->vqs[i].ubufs = NULL; + n->vqs[i].ubuf_info = NULL; + n->vqs[i].upend_idx = 0; + n->vqs[i].done_idx = 0; + } r = vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX); if (r < 0) { kfree(n); @@ -710,15 +818,15 @@ static void vhost_net_flush(struct vhost_net *n) { vhost_net_flush_vq(n, VHOST_NET_VQ_TX); vhost_net_flush_vq(n, VHOST_NET_VQ_RX); - if (n->vqs[VHOST_NET_VQ_TX].vq.ubufs) { + if (n->vqs[VHOST_NET_VQ_TX].ubufs) { mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex); n->tx_flush = true; mutex_unlock(&...

..._rx_kick; + for (i = 0; i < VHOST_NET_VQ_MAX; i++) { + n->vqs[i].ubufs = NULL; + n->vqs[i].ubuf_info = NULL; + n->vqs[i].upend_idx = 0; + n->vqs[i].done_idx = 0; + } r = vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX); if (r < 0) { kfree(n); @@ -710,15 +818,15 @@ static void vhost_net_flush(struct vhost_net *n) { vhost_net_flush_vq(n, VHOST_NET_VQ_TX); vhost_net_flush_vq(n, VHOST_NET_VQ_RX); - if (n->vqs[VHOST_NET_VQ_TX].vq.ubufs) { + if (n->vqs[VHOST_NET_VQ_TX].ubufs) { mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex); n->tx_flush = true; mutex_unlock(&...