Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2243283ybi; Mon, 1 Jul 2019 08:37:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqwFndrkn5ZMOH3HyXtKHc1e/y4wSHM1eTG4UTZc2O9KcF/qpnTP+ArVA8th8X93CPd9/XtO X-Received: by 2002:a17:902:f46:: with SMTP id 64mr20957393ply.235.1561995441480; Mon, 01 Jul 2019 08:37:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561995441; cv=none; d=google.com; s=arc-20160816; b=sysDJRSDCzAVyxmqt6kgKB5xjDjGzOtHUtgHLvd42nKlXqcD73Dj70mip/lLy6R3F1 cdZ0bF5tBTJQPxFD5DV11sCALpcg7sVKYC+BSLH4SLcl4oE0vYDjuAwavp7WbO4Wyhkt pcrjFsWx+6GOILM2mTpNQtVMQOqrl/l5ikhXgrF2VA3CblSjGq8J+BtTjH+aZEvoLlH2 lf4BguDyToFIXieJysvOCX0Mk0LIM6OP8v6SAAuXA+LOh7/TYyyq1Cw5z357Mx0I+3qr 6FHkY5ACJf3Zez/wzX+kR+YaZvnSIIGe7vw0KlCFYwx2RodLd5bMeX29NVqt81Fmuxcx AXqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=CAXSIF6Ao3g4SuCwb5RSzByJ3Q/JacDT0Jn2E1kcim4=; b=igEDlBtlpM3P5W1nlNZKp+KUSxw1c9gMzP4AK5ebLWibXeS5DTeTlwRbkxUbmyr3Hz xiSdCTD1PHp4kIcZlFifi22hzw9Rj6YDmifswMmnwXae2PDeNvUjpW6ep59CvHt5GoN1 +Rq/gqmE8Iithi4lhYD8qC9R7kSjFO6NULPJTGirPpR3KtGS+O5wxlqjXX6CSocjwrQD 96vBUcxt01He+nIJ0U2CCsJ4gk0yLrQVP9jFcSwZ9ZnB8gI3Z8rGhexKDt+28vvy0frS 496P206LWVE9A6+uEipOheDJqS3Se0zOMzSjQ1r3cv0dod81t+ju2wkCkIAjbBtvBpsK 4V8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=vV0wO44K; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f4si10906594plb.38.2019.07.01.08.37.05; Mon, 01 Jul 2019 08:37:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=vV0wO44K; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729922AbfGAOyR (ORCPT + 99 others); Mon, 1 Jul 2019 10:54:17 -0400 Received: from mail-wm1-f65.google.com ([209.85.128.65]:50262 "EHLO mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726967AbfGAOyQ (ORCPT ); Mon, 1 Jul 2019 10:54:16 -0400 Received: by mail-wm1-f65.google.com with SMTP id n9so4303587wmi.0; Mon, 01 Jul 2019 07:54:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=CAXSIF6Ao3g4SuCwb5RSzByJ3Q/JacDT0Jn2E1kcim4=; b=vV0wO44KZqDziwzq3iRnqdyJDdA7zcKHMyjALa20OiZd2Ci2laoS0ILAuulyy/SSsa 9zJzGSGle3y/YQ5lmhnTvY8Qobmy/oAC/Stk7bKFaDja/e4Y48k4D5iRBkZDqqCBGd8Y 73qJfTbJt81QTHdmrK+KP8PbOtNPIG4U+xawb+Sz1OAYyIr0SDFcg2TM64vZHRQK771x uoB6p9fjQVCDITV/KB3pwXIum83iJ1J+cGX1Uini9VlwlB+QYsM0xf48QTiXbmIZcVtX dNsyL3XMPHLaMRgWYQIeUgz27ZKezCSpUIZfimoyzjaUBiw16SeQ99AtCvgofSnsef1r WKgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=CAXSIF6Ao3g4SuCwb5RSzByJ3Q/JacDT0Jn2E1kcim4=; b=SeKUxvs+PzVhdp1jzj5PJxo0dOCvB/dAgyTPc5jKS+hra+9nOPe/oK0G8+kP3+oEqt oapxWcL9UbfGSMXjyT+ddpYlrfmr1ud6U3OLWYy1AcLpMI8nGf4KgijfV+CmisMqe+Z1 /QXDGsIDrtZV40MrxKeVGeXJafs5tLW+zyb9RlJvAWhykWsMEkZgf6MthbRYTMRA1ElU BKHFBNfo9fw9yCaASOfV3J6hgtStlCLddyeERnCvos2Y9wYxjvoZu6IfH3fMgzHH+OEp 3JoCsvXizBujHxLaaKhbIi/W2Z3HU8GtLQU/wUVXtEHlaWNdaJ7UBzIc8lnpWLPG6yBx ONqA== X-Gm-Message-State: APjAAAVhXw6jCrHexg6qm3pmKefaAFnZNeU5zKKsT94jy+IUNMnRU9MU oAohHyxW8fv1eHaunNB5rj0UZWaUdgOAJg== X-Received: by 2002:a1c:b146:: with SMTP id a67mr17097250wmf.124.1561992854086; Mon, 01 Jul 2019 07:54:14 -0700 (PDT) Received: from localhost ([51.15.41.238]) by smtp.gmail.com with ESMTPSA id 32sm22933497wra.35.2019.07.01.07.54.13 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Mon, 01 Jul 2019 07:54:13 -0700 (PDT) Date: Mon, 1 Jul 2019 15:54:12 +0100 From: Stefan Hajnoczi To: Stefano Garzarella Cc: netdev@vger.kernel.org, kvm@vger.kernel.org, "Michael S. Tsirkin" , linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, Stefan Hajnoczi , "David S. Miller" Subject: Re: [PATCH v2 1/3] vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock Message-ID: <20190701145412.GA11900@stefanha-x1.localdomain> References: <20190628123659.139576-1-sgarzare@redhat.com> <20190628123659.139576-2-sgarzare@redhat.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="fdj2RfSjLxBAspz7" Content-Disposition: inline In-Reply-To: <20190628123659.139576-2-sgarzare@redhat.com> User-Agent: Mutt/1.12.0 (2019-05-25) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --fdj2RfSjLxBAspz7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 28, 2019 at 02:36:57PM +0200, Stefano Garzarella wrote: > Some callbacks used by the upper layers can run while we are in the > .remove(). A potential use-after-free can happen, because we free > the_virtio_vsock without knowing if the callbacks are over or not. >=20 > To solve this issue we move the assignment of the_virtio_vsock at the > end of .probe(), when we finished all the initialization, and at the > beginning of .remove(), before to release resources. > For the same reason, we do the same also for the vdev->priv. >=20 > We use RCU to be sure that all callbacks that use the_virtio_vsock > ended before freeing it. This is not required for callbacks that > use vdev->priv, because after the vdev->config->del_vqs() we are sure > that they are ended and will no longer be invoked. ->del_vqs() is only called at the very end, did you forget to move it earlier? In particular, the virtqueue handler callbacks schedule a workqueue. The work functions use container_of() to get vsock. We need to be sure that the work item isn't freed along with vsock while the work item is still pending. How do we know that the virtqueue handler is never called in such a way that it sees vsock !=3D NULL (there is no explicit memory barrier on the read side) and then schedules a work item after flush_work() has run? Stefan --fdj2RfSjLxBAspz7 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEhpWov9P5fNqsNXdanKSrs4Grc8gFAl0aHpQACgkQnKSrs4Gr c8h3iggAyuubhQSWc2lhNVpR8Iy+q+vzwq6cn2HkKAJfd12b4HEHPiQthM2torlj Bv8w164J+O/rOon9ZrilyvFEgF2NuQbHiyd7REvtp4tKyZow9wVqj4VT2s0CIxAM 5w3ijDBYRXnC2YmnnjJLJb/xhmkrjboxZcX7BuPjNbsNtkxcVer9KlOZOp9tjL7N OYm4hhy/aHydI1SwBIbVYNvyWGvjhpZqYixHr2uOB/Xd/kisVztQoJE77oRPD6IS 3kScisIJxoNurY1izyyJfSI0OJ+chyeGNLeR/NzvMGiPRUeEIZCC/Z2jGGBGD7WU re2dtf93pyrxquVVa7nd39azFSXO3w== =NQ6E -----END PGP SIGNATURE----- --fdj2RfSjLxBAspz7--