similar to: [PATCH net] vhost-vsock: fix use after free

The access of vsock is not protected by vhost_vsock_lock. This may lead to use after free since vhost_vsock_dev_release() may free the pointer at the same time. Fix this by holding the lock during the access. Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability") Fixes: 433fc58e6bf2 ("VSOCK: Introduce

The access of vsock is not protected by vhost_vsock_lock. This may lead to use after free since vhost_vsock_dev_release() may free the pointer at the same time. Fix this by holding the lock during the access. Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability") Fixes: 433fc58e6bf2 ("VSOCK: Introduce

On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote: > The access of vsock is not protected by vhost_vsock_lock. This may > lead to use after free since vhost_vsock_dev_release() may free the > pointer at the same time. > > Fix this by holding the lock during the access. > > Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com > Fixes: 16320f363ae1

On 2018?09?28? 01:04, Michael S. Tsirkin wrote: > On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote: >> The access of vsock is not protected by vhost_vsock_lock. This may >> lead to use after free since vhost_vsock_dev_release() may free the >> pointer at the same time. >> >> Fix this by holding the lock during the access. >> >>

On 2018?09?28? 01:04, Michael S. Tsirkin wrote: > On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote: >> The access of vsock is not protected by vhost_vsock_lock. This may >> lead to use after free since vhost_vsock_dev_release() may free the >> pointer at the same time. >> >> Fix this by holding the lock during the access. >> >>

To allow canceling all packets of a connection. Signed-off-by: Peng Tao <bergwolf at gmail.com> --- drivers/vhost/vsock.c | 41 +++++++++++++++++++++++++++++++++++++++++ include/linux/virtio_vsock.h | 3 +++ 2 files changed, 44 insertions(+) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index a504e2e0..d01e4a4 100644 --- a/drivers/vhost/vsock.c +++

To allow canceling all packets of a connection. Signed-off-by: Peng Tao <bergwolf at gmail.com> --- drivers/vhost/vsock.c | 29 +++++++++++++++++++++++++++++ include/linux/virtio_vsock.h | 3 +++ 2 files changed, 32 insertions(+) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index a504e2e0..0c23b55 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@

To allow canceling all packets of a connection. Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Peng Tao <bergwolf at gmail.com> --- drivers/vhost/vsock.c | 41 +++++++++++++++++++++++++++++++++++++++++ include/net/af_vsock.h | 3 +++ 2 files changed, 44 insertions(+) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index a504e2e0..fef8808 100644 ---

To allow canceling all packets of a connection. Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Peng Tao <bergwolf at gmail.com> --- drivers/vhost/vsock.c | 41 +++++++++++++++++++++++++++++++++++++++++ include/net/af_vsock.h | 3 +++ 2 files changed, 44 insertions(+) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index a504e2e0..fef8808 100644 ---

On Wed, Dec 07, 2016 at 06:00:19PM +0800, Peng Tao wrote: > To allow canceling all packets of a connection. > > Signed-off-by: Peng Tao <bergwolf at gmail.com> > --- > drivers/vhost/vsock.c | 29 +++++++++++++++++++++++++++++ > include/linux/virtio_vsock.h | 3 +++ > 2 files changed, 32 insertions(+) > > diff --git a/drivers/vhost/vsock.c

To allow canceling all packets of a connection. Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Peng Tao <bergwolf at gmail.com> --- drivers/vhost/vsock.c | 41 +++++++++++++++++++++++++++++++++++++++++ include/net/af_vsock.h | 3 +++ 2 files changed, 44 insertions(+) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index a504e2e0..db64d51 100644 ---

To allow canceling all packets of a connection. Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Peng Tao <bergwolf at gmail.com> --- drivers/vhost/vsock.c | 41 +++++++++++++++++++++++++++++++++++++++++ include/net/af_vsock.h | 3 +++ 2 files changed, 44 insertions(+) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index a504e2e0..db64d51 100644 ---

Signed-off-by: Peng Tao <bergwolf at gmail.com> --- net/vmw_vsock/virtio_transport.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index 936d7ee..f88b6ed 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -170,6 +170,41 @@

On Fri, Sep 28, 2018 at 07:37:37AM +0800, Jason Wang wrote: > > > On 2018?09?28? 01:04, Michael S. Tsirkin wrote: > > On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote: > > > The access of vsock is not protected by vhost_vsock_lock. This may > > > lead to use after free since vhost_vsock_dev_release() may free the > > > pointer at the same time.

On Wed, Dec 07, 2016 at 06:00:20PM +0800, Peng Tao wrote: > Signed-off-by: Peng Tao <bergwolf at gmail.com> > --- > net/vmw_vsock/virtio_transport.c | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > > diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c > index 936d7ee..f88b6ed 100644 > ---

Signed-off-by: Peng Tao <bergwolf at gmail.com> --- net/vmw_vsock/virtio_transport.c | 42 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index 936d7ee..a5f3833 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -170,6 +170,47 @@

Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Peng Tao <bergwolf at gmail.com> --- net/vmw_vsock/virtio_transport.c | 42 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index 936d7ee..95c1162 100644 --- a/net/vmw_vsock/virtio_transport.c +++

Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Peng Tao <bergwolf at gmail.com> --- net/vmw_vsock/virtio_transport.c | 42 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index 936d7ee..b7b78ce 100644 --- a/net/vmw_vsock/virtio_transport.c +++

Since VSOCK already support mergeable rx buffer, so it can implement the balance with performance and guest memory, we can increase the sent pkt len to improve performance. And in order to be compatible with old version, so we still send max default rx buf size once. Signed-off-by: Yiwen Jiang <jiangyiwen at huawei.com> --- drivers/vhost/vsock.c | 33

Hello! On 9/27/2018 11:43 AM, Jason Wang wrote: Just a couple of typos... > The access of vsock is not protected by vhost_vsock_lock. This may > lead use after free since vhost_vsock_dev_release() may free the Lead to use. > pointer at the same time. > > Fix this by holding the lock during the acess. Access. > Reported-by: syzbot+e3e074963495f92a89ed at