summaryrefslogtreecommitdiff
path: root/rust/helpers/mm.c
diff options
context:
space:
mode:
authorNikolay Kuratov <kniv@yandex-team.ru>2025-08-05 16:09:17 +0300
committerMichael S. Tsirkin <mst@redhat.com>2025-08-26 03:38:10 -0400
commitdd54bcf86c91a4455b1f95cbc8e9ac91205f3193 (patch)
tree16fce6d75cdb1064e42e3781991081117a1cf426 /rust/helpers/mm.c
parenta39d13e291c2681e475d9fd41655764dab09be7b (diff)
vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()
When operating on struct vhost_net_ubuf_ref, the following execution sequence is theoretically possible: CPU0 is finalizing DMA operation CPU1 is doing VHOST_NET_SET_BACKEND // ubufs->refcount == 2 vhost_net_ubuf_put() vhost_net_ubuf_put_wait_and_free(oldubufs) vhost_net_ubuf_put_and_wait() vhost_net_ubuf_put() int r = atomic_sub_return(1, &ubufs->refcount); // r = 1 int r = atomic_sub_return(1, &ubufs->refcount); // r = 0 wait_event(ubufs->wait, !atomic_read(&ubufs->refcount)); // no wait occurs here because condition is already true kfree(ubufs); if (unlikely(!r)) wake_up(&ubufs->wait); // use-after-free This leads to use-after-free on ubufs access. This happens because CPU1 skips waiting for wake_up() when refcount is already zero. To prevent that use a read-side RCU critical section in vhost_net_ubuf_put(), as suggested by Hillf Danton. For this lock to take effect, free ubufs with kfree_rcu(). Cc: stable@vger.kernel.org Fixes: 0ad8b480d6ee9 ("vhost: fix ref cnt checking deadlock") Reported-by: Andrey Ryabinin <arbn@yandex-team.com> Suggested-by: Hillf Danton <hdanton@sina.com> Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru> Message-Id: <20250805130917.727332-1-kniv@yandex-team.ru> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'rust/helpers/mm.c')
0 files changed, 0 insertions, 0 deletions