Displaying 20 results from an estimated 46 matches for "vhost_vsock_dev_release".
2018 Sep 27
2
[PATCH net] vhost-vsock: fix use after free
The access of vsock is not protected by vhost_vsock_lock. This may
lead to use after free since vhost_vsock_dev_release() may free the
pointer at the same time.
Fix this by holding the lock during the access.
Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")...
2018 Sep 27
2
[PATCH net] vhost-vsock: fix use after free
The access of vsock is not protected by vhost_vsock_lock. This may
lead to use after free since vhost_vsock_dev_release() may free the
pointer at the same time.
Fix this by holding the lock during the access.
Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")...
2018 Sep 27
3
[PATCH net V2] vhost-vsock: fix use after free
The access of vsock is not protected by vhost_vsock_lock. This may
lead to use after free since vhost_vsock_dev_release() may free the
pointer at the same time.
Fix this by holding the lock during the access.
Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")...
2018 Sep 27
3
[PATCH net V2] vhost-vsock: fix use after free
The access of vsock is not protected by vhost_vsock_lock. This may
lead to use after free since vhost_vsock_dev_release() may free the
pointer at the same time.
Fix this by holding the lock during the access.
Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")...
2018 Sep 27
2
[PATCH net V2] vhost-vsock: fix use after free
On 2018年09月28日 01:04, Michael S. Tsirkin wrote:
> On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote:
>> The access of vsock is not protected by vhost_vsock_lock. This may
>> lead to use after free since vhost_vsock_dev_release() may free the
>> pointer at the same time.
>>
>> Fix this by holding the lock during the access.
>>
>> Reported-by:syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
>> Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
>> Fixes...
2018 Sep 27
2
[PATCH net V2] vhost-vsock: fix use after free
On 2018年09月28日 01:04, Michael S. Tsirkin wrote:
> On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote:
>> The access of vsock is not protected by vhost_vsock_lock. This may
>> lead to use after free since vhost_vsock_dev_release() may free the
>> pointer at the same time.
>>
>> Fix this by holding the lock during the access.
>>
>> Reported-by:syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
>> Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
>> Fixes...
2017 Dec 24
2
[PATCH] vhost: remove unused lock check flag in vhost_dev_cleanup()
...signed int ioctl, void __user *argp);
long vhost_vring_ioctl(struct vhost_dev *d, int ioctl, void __user *argp);
diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
index 5a5e981bd8e4..0d14e2ff19f1 100644
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -599,7 +599,7 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
}
spin_unlock_bh(&vsock->send_pkt_list_lock);
- vhost_dev_cleanup(&vsock->dev, false);
+ vhost_dev_cleanup(&vsock->dev);
kfree(vsock->dev.vqs);
vhost_vsock_free(vsock);
return 0;
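Review bot: The two frees that follow `vhost_dev_cleanup(&vsock->dev);` carry no comment saying what guarantees that no other context can still reach `vsock` when `vhost_vsock_free(vsock)` runs. The only synchronisation visible in the hunk is the `spin_unlock_bh(&vsock->send_pkt_list_lock)` above, which by its name guards the packet list rather than lookups of the device, so a reader cannot tell from here whether a concurrent lookup is excluded. I would add a comment before the cleanup call, for example `/* vsock must be unreachable by lookups and all work flushed before this point; it is freed below */`, and confirm that the earlier part of the function actually establishes that. vhost_vsock_dev_release() starts before the hunk and its closing brace lies after it.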
--
2.15.1
2013 Jun 27
2
[RFC 4/5] VSOCK: Introduce vhost-vsock.ko
...gt; +static void vhost_vsock_flush(struct vhost_vsock *vsock)
> +{
> + int i;
> +
> + for (i = 0; i < VSOCK_VQ_MAX; i++)
> + vhost_poll_flush(&vsock->vqs[i].vq.poll);
> + vhost_work_flush(&vsock->dev, &vsock->send_pkt_work);
> +}
> +
> +static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
> +{
> + struct vhost_vsock *vsock = file->private_data;
> +
> + mutex_lock(&vhost_vsock_mutex);
> + list_del(&vsock->list);
> + mutex_unlock(&vhost_vsock_mutex);
> +
> + vhost_dev_stop(&vsock->dev);
> + vho...
2013 Jun 27
2
[RFC 4/5] VSOCK: Introduce vhost-vsock.ko
...gt; +static void vhost_vsock_flush(struct vhost_vsock *vsock)
> +{
> + int i;
> +
> + for (i = 0; i < VSOCK_VQ_MAX; i++)
> + vhost_poll_flush(&vsock->vqs[i].vq.poll);
> + vhost_work_flush(&vsock->dev, &vsock->send_pkt_work);
> +}
> +
> +static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
> +{
> + struct vhost_vsock *vsock = file->private_data;
> +
> + mutex_lock(&vhost_vsock_mutex);
> + list_del(&vsock->list);
> + mutex_unlock(&vhost_vsock_mutex);
> +
> + vhost_dev_stop(&vsock->dev);
> + vho...
2013 Jun 27
0
[RFC 4/5] VSOCK: Introduce vhost-vsock.ko
...e(vqs);
+out:
+ kfree(vsock);
+ return ret;
+}
+
+static void vhost_vsock_flush(struct vhost_vsock *vsock)
+{
+ int i;
+
+ for (i = 0; i < VSOCK_VQ_MAX; i++)
+ vhost_poll_flush(&vsock->vqs[i].vq.poll);
+ vhost_work_flush(&vsock->dev, &vsock->send_pkt_work);
+}
+
+static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
+{
+ struct vhost_vsock *vsock = file->private_data;
+
+ mutex_lock(&vhost_vsock_mutex);
+ list_del(&vsock->list);
+ mutex_unlock(&vhost_vsock_mutex);
+
+ vhost_dev_stop(&vsock->dev);
+ vhost_vsock_flush(vsock);
+ vhost_dev_cleanup(&a...
2018 Mar 14
0
[PATCH] vhost: add vsock compat ioctl
...ertion(+)
>
> diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
> index 0d14e2ff19f16..d0e65e92110e5 100644
> --- a/drivers/vhost/vsock.c
> +++ b/drivers/vhost/vsock.c
> @@ -705,6 +705,7 @@ static const struct file_operations vhost_vsock_fops = {
> .release = vhost_vsock_dev_release,
> .llseek = noop_llseek,
> .unlocked_ioctl = vhost_vsock_dev_ioctl,
> + .compat_ioctl = vhost_vsock_dev_ioctl,
> };
>
> static struct miscdevice vhost_vsock_misc = {
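Review bot: Pointing `.compat_ioctl` straight at `vhost_vsock_dev_ioctl` hands the native handler the raw 32-bit `arg` with no `compat_ptr()` conversion, and that value is not a valid user pointer on every architecture that has a compat layer. The handler presumably treats `arg` as a user-space address, so the conversion belongs at this boundary: either a small wrapper under `#ifdef CONFIG_COMPAT` that calls `vhost_vsock_dev_ioctl(f, ioctl, (unsigned long)compat_ptr(arg))`, or `.compat_ioctl = compat_ptr_ioctl,` where that helper is available. Reusing the native handler also assumes every argument structure it copies in has the same layout for 32-bit and 64-bit callers; the handler is outside the hunk, so that needs confirming there.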
> --
> 2.13.5
2018 Sep 27
0
[PATCH net] vhost-vsock: fix use after free
Hello!
On 9/27/2018 11:43 AM, Jason Wang wrote:
Just a couple of typos...
> The access of vsock is not protected by vhost_vsock_lock. This may
> lead use after free since vhost_vsock_dev_release() may free the
Lead to use.
> pointer at the same time.
>
> Fix this by holding the lock during the acess.
Access.
> Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
> Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
> Fixes...
2018 Sep 27
0
[PATCH net V2] vhost-vsock: fix use after free
On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote:
> The access of vsock is not protected by vhost_vsock_lock. This may
> lead to use after free since vhost_vsock_dev_release() may free the
> pointer at the same time.
>
> Fix this by holding the lock during the access.
>
> Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
> Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
> Fixes: 433fc58e6bf2 ("VSO...
2018 Sep 27
0
[PATCH net V2] vhost-vsock: fix use after free
...at 07:37:37AM +0800, Jason Wang wrote:
>
>
> On 2018年09月28日 01:04, Michael S. Tsirkin wrote:
> > On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote:
> > > The access of vsock is not protected by vhost_vsock_lock. This may
> > > lead to use after free since vhost_vsock_dev_release() may free the
> > > pointer at the same time.
> > >
> > > Fix this by holding the lock during the access.
> > >
> > > Reported-by:syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com
> > > Fixes: 16320f363ae1 ("vhost-vsock: add pkt c...
2015 Dec 09
0
[PATCH v3 3/4] VSOCK: Introduce vhost-vsock.ko
...rn 0;
+
+out:
+ kfree(vsock);
+ return ret;
+}
+
+static void vhost_vsock_flush(struct vhost_vsock *vsock)
+{
+ int i;
+
+ for (i = 0; i < VSOCK_VQ_MAX; i++)
+ vhost_poll_flush(&vsock->vqs[i].vq.poll);
+ vhost_work_flush(&vsock->dev, &vsock->send_pkt_work);
+}
+
+static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
+{
+ struct vhost_vsock *vsock = file->private_data;
+
+ mutex_lock(&vhost_vsock_mutex);
+ list_del(&vsock->list);
+ mutex_unlock(&vhost_vsock_mutex);
+
+ vhost_dev_stop(&vsock->dev);
+ vhost_vsock_flush(vsock);
+ vhost_dev_cleanup(&a...
2018 Jul 31
1
KASAN: use-after-free Read in vhost_transport_send_pkt
...[inline]
> __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
> kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
> __cache_free mm/slab.c:3498 [inline]
> kfree+0xd9/0x260 mm/slab.c:3813
> kvfree+0x61/0x70 mm/util.c:442
> vhost_vsock_free drivers/vhost/vsock.c:499 [inline]
> vhost_vsock_dev_release+0x4fd/0x750 drivers/vhost/vsock.c:604
> __fput+0x355/0x8b0 fs/file_table.c:209
> ____fput+0x15/0x20 fs/file_table.c:243
> task_work_run+0x1ec/0x2a0 kernel/task_work.c:113
> tracehook_notify_resume include/linux/tracehook.h:192 [inline]
> exit_to_usermode_loop+0x313/0x370 arch/x8...
2023 Jun 01
1
[syzbot] [kvm?] [net?] [virt?] general protection fault in vhost_work_queue
On Wed, May 31, 2023 at 11:27:12AM -0500, Mike Christie wrote:
>On 5/31/23 10:15 AM, Mike Christie wrote:
>>>> rcu would work for your case and for what Jason had requested.
>>> Yeah, so you already have some patches?
>>>
>>> Do you want to send it to solve this problem?
>>>
>> Yeah, I'll break them out and send them later today when I
2015 Dec 11
1
[PATCH v3 3/4] VSOCK: Introduce vhost-vsock.ko
...gt; +static void vhost_vsock_flush(struct vhost_vsock *vsock)
> +{
> + int i;
> +
> + for (i = 0; i < VSOCK_VQ_MAX; i++)
> + vhost_poll_flush(&vsock->vqs[i].vq.poll);
> + vhost_work_flush(&vsock->dev, &vsock->send_pkt_work);
> +}
> +
> +static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
> +{
> + struct vhost_vsock *vsock = file->private_data;
> +
> + mutex_lock(&vhost_vsock_mutex);
> + list_del(&vsock->list);
> + mutex_unlock(&vhost_vsock_mutex);
> +
> + vhost_dev_stop(&vsock->dev);
> + vho...
2015 Dec 11
1
[PATCH v3 3/4] VSOCK: Introduce vhost-vsock.ko
...gt; +static void vhost_vsock_flush(struct vhost_vsock *vsock)
> +{
> + int i;
> +
> + for (i = 0; i < VSOCK_VQ_MAX; i++)
> + vhost_poll_flush(&vsock->vqs[i].vq.poll);
> + vhost_work_flush(&vsock->dev, &vsock->send_pkt_work);
> +}
> +
> +static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
> +{
> + struct vhost_vsock *vsock = file->private_data;
> +
> + mutex_lock(&vhost_vsock_mutex);
> + list_del(&vsock->list);
> + mutex_unlock(&vhost_vsock_mutex);
> +
> + vhost_dev_stop(&vsock->dev);
> + vho...
2019 Apr 16
4
[PATCH v3 09/26] compat_ioctl: move drivers to compat_ptr_ioctl
...t file *f, unsigned int ioctl,
- unsigned long arg)
-{
- return vhost_vsock_dev_ioctl(f, ioctl, (unsigned long)compat_ptr(arg));
-}
-#endif
-
static const struct file_operations vhost_vsock_fops = {
.owner = THIS_MODULE,
.open = vhost_vsock_dev_open,
.release = vhost_vsock_dev_release,
.llseek = noop_llseek,
.unlocked_ioctl = vhost_vsock_dev_ioctl,
-#ifdef CONFIG_COMPAT
- .compat_ioctl = vhost_vsock_dev_compat_ioctl,
-#endif
+ .compat_ioctl = compat_ptr_ioctl,
};
static struct miscdevice vhost_vsock_misc = {
diff --git a/fs/fat/file.c b/fs/fat/file.c
index b3bed3294...