Displaying 20 results from an estimated 2000 matches similar to: "[PATCH net] vhost-net: fix use-after-free in vhost_net_flush"
2013 Jun 25
2
[PATCHv2] vhost-net: fix use-after-free in vhost_net_flush
vhost_net_ubuf_put_and_wait has a confusing name:
it will actually also free its argument.
Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
"vhost-net: flush outstanding DMAs on memory change"
vhost_net_flush tries to use the argument after passing it
to vhost_net_ubuf_put_and_wait; this results
in a use-after-free.
To fix, don't free the argument in
2013 Jul 07
1
[PATCHv3] vhost-net: fix use-after-free in vhost_net_flush
vhost_net_ubuf_put_and_wait has a confusing name:
it will actually also free its argument.
Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
"vhost-net: flush outstanding DMAs on memory change"
vhost_net_flush tries to use the argument after passing it
to vhost_net_ubuf_put_and_wait; this results
in a use-after-free.
To fix, don't free the argument in
2014 Feb 13
2
[PATCH net v2] vhost: fix ref cnt checking deadlock
vhost checked the counter within the refcnt before decrementing. It
really wanted to know that it is the one that has the last reference, as
a way to batch freeing resources a bit more efficiently.
Note: we only let refcount go to 0 on device release.
This works well but we now access the ref counter twice so there's a
race: all users might see a high count and decide to defer freeing
2019 Jun 06
1
memory leak in vhost_net_ioctl
On Wed, 05 Jun 2019 16:42:05 -0700 (PDT) syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 788a0249 Merge tag 'arc-5.2-rc4' of git://git.kernel.org/p..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
2013 Jun 20
0
[PATCH net for-stable] vhost-net: fix use-after-free in vhost_net_flush
vhost_net_ubuf_put_and_wait has a confusing name:
it will actually also free its argument.
Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
vhost_net_flush tries to use the argument after passing it
to vhost_net_ubuf_put_and_wait; this results
in a use-after-free.
To fix, don't free the argument in vhost_net_ubuf_put_and_wait;
add a new API for callers that want to free ubufs.
2013 May 06
13
[PATCH v2 00/11] vhost cleanups
MST, This is on top of [PATCH 0/2] vhost-net fix ubuf.
Asias He (11):
vhost: Remove vhost_enable_zcopy in vhost.h
vhost: Move VHOST_NET_FEATURES to net.c
vhost: Make vhost a separate module
vhost: Remove comments for hdr in vhost.h
vhost: Simplify dev->vqs[i] access
vhost-net: Cleanup vhost_ubuf and vhost_zcopy
vhost-scsi: Remove unnecessary forward struct vhost_scsi declaration
2017 Jan 26
2
[BUG/RFC] vhost: net: big endian vring access despite virtio 1
Hi!
Recently I have been investigating some strange migration problems on
s390x.
It turned out under certain circumstances vhost_net corrupts avail.idx by
using wrong endianness.
I managed to track the problem down (I'm pretty sure). It boils down to
the following.
When stopping vhost userspace (QEMU) calls vhost_net_set_backend with
the fd argument set to -1, this leads to is_le being
2014 Feb 12
4
[PATCH net 0/3] vhost fixes for 3.14, -stable
This fixes a deadlock with vhost reported in the field,
as well as a theoretical race issue found by code
review.
Patches 1+2 are needed for stable.
Thanks to Qin Chuanyu for reporting the issue!
Michael S. Tsirkin (3):
kref: add kref_sub_return
vhost: fix ref cnt checking deadlock
vhost: fix a theoretical race in device cleanup
include/linux/kref.h | 33
2019 Jun 13
0
memory leak in vhost_net_ioctl
On 2019/6/6 10:40, Hillf Danton wrote:
>
> On Wed, 05 Jun 2019 16:42:05 -0700 (PDT) syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 788a0249 Merge tag 'arc-5.2-rc4' of
>> git://git.kernel.org/p..
>> git tree: upstream
>> console output:
2014 Feb 12
2
[PATCH V2 5/6] vhost_net: poll vhost queue after marking DMA is done
On 2013/8/30 12:29, Jason Wang wrote:
> We used to poll the vhost queue before marking DMA as done; this is racy if the vhost
> thread was woken up before marking DMA as done, which can result in the signal
> being missed. Fix this by always polling the vhost thread before DMA is done.
>
> Signed-off-by: Jason Wang <jasowang at redhat.com>
> ---
> drivers/vhost/net.c | 9 +++++----
2016 Feb 10
1
[PATCH 2/2] vhost: disentangle vring endianness stuff from the core code
On Wed, 10 Feb 2016 14:08:43 +0100
Greg Kurz <gkurz at linux.vnet.ibm.com> wrote:
> But you are right, there is a bug: we should rollback if vhost_init_used()
> fails. Something like below:
>
> err_used:
> vq->private_data = oldsock;
> vhost_net_enable_vq(n, vq);
> + vhost_adjust_vring_endian(vq);
Shouldn't we switch back before we