Date: Thu, 27 Sep 2018 16:33:21 +0100
From: Stefan Hajnoczi
To: Jason Wang
Cc: mst@redhat.com, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, sergei.shtylyov@cogentembedded.com
Subject: Re: [PATCH net V2] vhost-vsock: fix use after free
Message-ID: <20180927153321.GB10133@stefanha-x1.localdomain>
References: <20180927122204.4188-1-jasowang@redhat.com>
In-Reply-To: <20180927122204.4188-1-jasowang@redhat.com>

On Thu, Sep 27, 2018 at 08:22:04PM +0800, Jason Wang wrote:
> The access of vsock is not protected by vhost_vsock_lock. This may
> lead to use after free since vhost_vsock_dev_release() may free the
> pointer at the same time.
>
> Fix this by holding the lock during the access.
>
> Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
> Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability")
> Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")
> Cc: Stefan Hajnoczi
> Signed-off-by: Jason Wang
> ---
> - V2: fix typos
> - The patch is needed for -stable.
> ---
>  drivers/vhost/vsock.c | 26 +++++++++++++++++++-------
>  1 file changed, 19 insertions(+), 7 deletions(-)

Thank you, Jason!

Reviewed-by: Stefan Hajnoczi