From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dongli Zhang <dongli.zhang@oracle.com>,
Jason Wang <jasowang@redhat.com>,
Mike Christie <michael.christie@oracle.com>,
"Michael S . Tsirkin" <mst@redhat.com>,
Sasha Levin <sashal@kernel.org>,
virtualization@lists.linux.dev, kvm@vger.kernel.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 14/21] vhost-scsi: protect vq->log_used with vq->mutex
Date: Tue, 29 Apr 2025 19:52:26 -0400
Message-ID: <20250429235233.537828-14-sashal@kernel.org>
In-Reply-To: <20250429235233.537828-1-sashal@kernel.org>
From: Dongli Zhang <dongli.zhang@oracle.com>
[ Upstream commit f591cf9fce724e5075cc67488c43c6e39e8cbe27 ]
The vhost-scsi completion path may access vq->log_base when vq->log_used is
already set to false.
vhost-thread                        QEMU-thread

vhost_scsi_complete_cmd_work()
-> vhost_add_used()
   -> vhost_add_used_n()
      if (unlikely(vq->log_used))
                                    QEMU disables vq->log_used
                                    via VHOST_SET_VRING_ADDR.
                                    mutex_lock(&vq->mutex);
                                    vq->log_used = false now!
                                    mutex_unlock(&vq->mutex);

                                    QEMU gfree(vq->log_base)
      log_used()
      -> log_write(vq->log_base)
Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be
reclaimed via gfree(). As a result, this causes invalid memory writes to
QEMU userspace.
The control queue path has the same issue.
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Message-Id: <20250403063028.16045-2-dongli.zhang@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/scsi.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index 8d8a22504d71f..724dd69c86489 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -560,6 +560,9 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work)
int ret;
llnode = llist_del_all(&svq->completion_list);
+
+ mutex_lock(&svq->vq.mutex);
+
llist_for_each_entry_safe(cmd, t, llnode, tvc_completion_list) {
se_cmd = &cmd->tvc_se_cmd;
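Review bot: the new mutex_lock(&svq->vq.mutex) is taken before the llist_for_each_entry_safe() loop, so the critical section now covers every completion in the batch, including vhost_scsi_release_cmd_res(se_cmd) and not only the vhost_add_used() call the commit message names; please confirm there is no early return or break between this lock and the matching unlock in the later hunk, and that nothing inside the loop can block waiting on the VHOST_SET_VRING_ADDR ioctl path that also takes vq->mutex, since that would be a lock-ordering problem rather than a fix. A one-line comment above the lock stating that it guards vq->log_used/vq->log_base against VHOST_SET_VRING_ADDR would make the intent visible to the next reader of this function.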
@@ -593,6 +596,8 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work)
vhost_scsi_release_cmd_res(se_cmd);
}
+ mutex_unlock(&svq->vq.mutex);
+
if (signal)
vhost_signal(&svq->vs->dev, &svq->vq);
}
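Review bot: mutex_unlock(&svq->vq.mutex) is placed before the `if (signal) vhost_signal(...)` call, so signalling deliberately stays outside the critical section; that matches the stated scope of the fix (only the log_used/log_base accesses are serialized), but the commit message does not say why vhost_signal() is safe to run after the lock is dropped, and a sentence to that effect would save reviewers from re-deriving it. Also worth checking that the `signal` flag is only set inside the locked loop, so the unlock is not racing with the decision it depends on.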
@@ -1301,8 +1306,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work)
resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED;
}
+ mutex_lock(&tmf->svq->vq.mutex);
vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs,
tmf->vq_desc, &tmf->resp_iov, resp_code);
+ mutex_unlock(&tmf->svq->vq.mutex);
+
vhost_scsi_release_tmf_res(tmf);
}
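Review bot: in vhost_scsi_tmf_resp_work() the lock is scoped tightly around vhost_scsi_send_tmf_resp(), with resp_code computed before and vhost_scsi_release_tmf_res(tmf) called after the unlock; that is the right granularity, but since the commit message says "The control queue path has the same issue", please confirm that the other caller(s) of vhost_scsi_send_tmf_resp() not shown in this hunk already run with vq->mutex held, otherwise the same unguarded log_used/log_base access remains on that path. Consider a comment at the lock noting it is required because the TMF response can be sent from this work context while userspace changes the ring addresses.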
--
2.39.5