From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Andrey Ryabinin <arbn@yandex-team.com>,
Hillf Danton <hdanton@sina.com>,
Nikolay Kuratov <kniv@yandex-team.ru>,
"Michael S. Tsirkin" <mst@redhat.com>
Subject: [PATCH 5.4 04/23] vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()
Date: Tue, 2 Sep 2025 15:21:50 +0200 [thread overview]
Message-ID: <20250902131924.898424395@linuxfoundation.org> (raw)
In-Reply-To: <20250902131924.720400762@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Kuratov <kniv@yandex-team.ru>
commit dd54bcf86c91a4455b1f95cbc8e9ac91205f3193 upstream.
When operating on struct vhost_net_ubuf_ref, the following execution
sequence is theoretically possible:
CPU0 is finalizing DMA operation CPU1 is doing VHOST_NET_SET_BACKEND
// ubufs->refcount == 2
vhost_net_ubuf_put() vhost_net_ubuf_put_wait_and_free(oldubufs)
vhost_net_ubuf_put_and_wait()
vhost_net_ubuf_put()
int r = atomic_sub_return(1, &ubufs->refcount);
// r = 1
int r = atomic_sub_return(1, &ubufs->refcount);
// r = 0
wait_event(ubufs->wait, !atomic_read(&ubufs->refcount));
// no wait occurs here because condition is already true
kfree(ubufs);
if (unlikely(!r))
wake_up(&ubufs->wait); // use-after-free
This leads to use-after-free on ubufs access. This happens because CPU1
skips waiting for wake_up() when refcount is already zero.
To prevent that use a read-side RCU critical section in vhost_net_ubuf_put(),
as suggested by Hillf Danton. For this lock to take effect, free ubufs with
kfree_rcu().
Cc: stable@vger.kernel.org
Fixes: 0ad8b480d6ee9 ("vhost: fix ref cnt checking deadlock")
Reported-by: Andrey Ryabinin <arbn@yandex-team.com>
Suggested-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Message-Id: <20250805130917.727332-1-kniv@yandex-team.ru>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/net.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -95,6 +95,7 @@ struct vhost_net_ubuf_ref {
atomic_t refcount;
wait_queue_head_t wait;
struct vhost_virtqueue *vq;
+ struct rcu_head rcu;
};
#define VHOST_NET_BATCH 64
@@ -248,9 +249,13 @@ vhost_net_ubuf_alloc(struct vhost_virtqu
static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs)
{
- int r = atomic_sub_return(1, &ubufs->refcount);
+ int r;
+
+ rcu_read_lock();
+ r = atomic_sub_return(1, &ubufs->refcount);
if (unlikely(!r))
wake_up(&ubufs->wait);
+ rcu_read_unlock();
return r;
}
@@ -263,7 +268,7 @@ static void vhost_net_ubuf_put_and_wait(
static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
{
vhost_net_ubuf_put_and_wait(ubufs);
- kfree(ubufs);
+ kfree_rcu(ubufs, rcu);
}
static void vhost_net_clear_ubuf_info(struct vhost_net *n)
next prev parent reply other threads:[~2025-09-02 13:46 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-02 13:21 [PATCH 5.4 00/23] 5.4.298-rc1 review Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 01/23] pinctrl: STMFX: add missing HAS_IOMEM dependency Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 02/23] ftrace: Fix potential warning in trace_printk_seq during ftrace_dump Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 03/23] scsi: core: sysfs: Correct sysfs attributes access rights Greg Kroah-Hartman
2025-09-02 13:21 ` Greg Kroah-Hartman [this message]
2025-09-02 13:21 ` [PATCH 5.4 05/23] net: ipv4: fix regression in local-broadcast routes Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 06/23] powerpc/kvm: Fix ifdef to remove build warning Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 07/23] Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 08/23] net/atm: remove the atmdev_ops {get, set}sockopt methods Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 09/23] atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 10/23] net: dlink: fix multicast stats being counted incorrectly Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 11/23] net/mlx5e: Update and set Xon/Xoff upon MTU set Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 12/23] net/mlx5e: Update and set Xon/Xoff upon port speed set Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 5.4 13/23] net/mlx5e: Set local Xoff after FW update Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 14/23] net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 15/23] sctp: initialize more fields in sctp_v6_from_sk() Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 16/23] efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 17/23] KVM: x86: use array_index_nospec with indices that come from guest Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 18/23] HID: asus: fix UAF via HID_CLAIMED_INPUT validation Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 19/23] HID: wacom: Add a new Art Pen 2 Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 20/23] HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 21/23] Revert "drm/amdgpu: fix incorrect vm flags to map bo" Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 22/23] net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman
2025-09-02 13:22 ` [PATCH 5.4 23/23] Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS" Greg Kroah-Hartman
2025-09-02 16:32 ` 5.4.298-rc1 review Brett A C Sheffield
2025-09-02 17:10 ` [PATCH 5.4 00/23] " Florian Fainelli
2025-09-02 18:03 ` Jon Hunter
2025-09-03 9:41 ` Naresh Kamboju
2025-09-03 9:48 ` Greg Kroah-Hartman
2025-09-03 17:28 ` Nathan Chancellor
2025-09-03 18:49 ` [External] : " ALOK TIWARI
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250902131924.898424395@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=arbn@yandex-team.com \
--cc=hdanton@sina.com \
--cc=kniv@yandex-team.ru \
--cc=mst@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.