| author | Stefan Hajnoczi <stefanha@redhat.com> | 2018-11-05 10:35:47 +0000 |
|---|---|---|
| committer | Alistair Strachan <astrachan@google.com> | 2019-01-15 17:08:38 -0800 |
| commit | e633b6d8e0dfbb5d3497faabf19d9f42bd2f5827 (patch) | |
| tree | b8ed5fff7a17b8397455b4f9c2b6ec0b7e09c402 /fs/btrfs/struct-funcs.c | |
| parent | eb2ca3c19653d03815a491cb914e21247f0dc177 (diff) | |
UPSTREAM: vhost/vsock: fix use-after-free in network stack callers
[ Upstream commit 834e772c8db0c6a275d75315d90aba4ebbb1e249 ]
If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
a struct vhost_vsock use-after-free is possible. This occurs because
.release() does not wait for other CPUs to stop using struct
vhost_vsock.
Switch to an RCU-enabled hashtable (indexed by guest CID) so that
.release() can wait for other CPUs by calling synchronize_rcu(). This
also eliminates vhost_vsock_lock acquisition in the data path so it
could have a positive effect on performance.
This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com
Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 569fc4ffb5de8f12fe01759f0b85098b7b9bba8e)
Bug: 121166534
Test: Ran cuttlefish with android-4.4 + vsock adb tunnel
Signed-off-by: Cody Schuffelen <schuffelen@google.com>
Change-Id: I87f1e0fbe3fc01ccc18924085e33220373856e29
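The pattern the commit message describes (a hashtable keyed by guest CID that the data path looks up under rcu_read_lock(), with .release() unlinking the entry and calling synchronize_rcu() before freeing it), as an added userspace C model. This is not the kernel's vhost_vsock code and not part of this commit: the table layout, the toy counter-based RCU primitives, and the names vsock_get(), send_pkt(), vsock_release() and run_race_demo() are this example's own, chosen only to mirror the roles the commit message names. The harness releases the object while a second thread keeps calling send_pkt() on the same CID; because the free happens only after the grace period, the packet count the releaser reads is final and matches what the sender counted, which is precisely the guarantee the old code lacked.

```c
/* Added userspace model of the commit's RCU-protected CID table; not kernel code.
 * Names and the simplified RCU below are this example's own assumptions. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define TABLE_SIZE 16u
#define BUCKET(cid) (&table[(cid) & (TABLE_SIZE - 1)])

struct vsock {
    uint32_t guest_cid;
    struct vsock *_Atomic next;  /* hash-chain link, read and published atomically */
    atomic_int pkts_sent;        /* work the data path has done on this object */
};

static struct vsock *_Atomic table[TABLE_SIZE];
static pthread_mutex_t writer_lock = PTHREAD_MUTEX_INITIALIZER; /* updaters only; readers never take it */
static atomic_int readers;  /* toy RCU: number of read-side sections currently running */

/* Toy RCU.  Real RCU never blocks readers and waits only for readers that began before
 * the call; this counter keeps the one property .release() relies on: synchronize_rcu()
 * cannot return while any read-side section is still inside send_pkt(). */
static void rcu_read_lock(void)   { atomic_fetch_add(&readers, 1); }
static void rcu_read_unlock(void) { atomic_fetch_sub(&readers, 1); }
static void synchronize_rcu(void) { while (atomic_load(&readers) != 0) { /* spin */ } }

/* Lookup by guest CID.  Caller holds rcu_read_lock(); result is valid only until unlock. */
static struct vsock *vsock_get(uint32_t cid)
{
    for (struct vsock *v = atomic_load(BUCKET(cid)); v; v = atomic_load(&v->next))
        if (v->guest_cid == cid)
            return v;
    return NULL;
}

static struct vsock *vsock_create(uint32_t cid)
{
    struct vsock *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->guest_cid = cid;
    pthread_mutex_lock(&writer_lock);
    atomic_store(&v->next, atomic_load(BUCKET(cid)));
    atomic_store(BUCKET(cid), v);   /* publish: from here on readers can find it */
    pthread_mutex_unlock(&writer_lock);
    return v;
}

/* Unlink so no new reader finds v; readers already holding v may still be using it. */
static void hash_del_rcu(struct vsock *v)
{
    struct vsock *_Atomic *pp = BUCKET(v->guest_cid);
    pthread_mutex_lock(&writer_lock);
    for (struct vsock *cur = atomic_load(pp); cur; pp = &cur->next, cur = atomic_load(pp))
        if (cur == v) { atomic_store(pp, atomic_load(&v->next)); break; }
    pthread_mutex_unlock(&writer_lock);
}

/* Data path as called from the network stack: lookup and use inside one read section. */
static bool send_pkt(uint32_t cid)
{
    rcu_read_lock();
    struct vsock *v = vsock_get(cid);
    if (v)
        atomic_fetch_add(&v->pkts_sent, 1);  /* safe: v cannot be freed until we unlock */
    rcu_read_unlock();
    return v != NULL;
}

/* .release(): unlink, wait for in-flight send_pkt() calls to finish, then free.
 * Returns the packet count read after the grace period; it must be final by then. */
static int vsock_release(struct vsock *v)
{
    hash_del_rcu(v);
    synchronize_rcu();
    int final = atomic_load(&v->pkts_sent);
    free(v);
    return final;
}

struct sender { uint32_t cid; int iters; atomic_int successes; };

static void *sender_thread(void *arg)
{
    struct sender *s = arg;
    for (int i = 0; i < s->iters && send_pkt(s->cid); i++)
        atomic_fetch_add(&s->successes, 1);  /* counted only after the packet "went out" */
    return NULL;
}

/* Race harness: release while another thread hammers the same CID.  True when every
 * packet the sender counted was visible to release() before the free and the CID is
 * unreachable afterwards.  iters should be at least a few thousand to expose the race. */
static bool run_race_demo(int iters)
{
    struct vsock *v = vsock_create(3);
    struct sender s = { .cid = 3, .iters = iters };
    pthread_t t;
    if (pthread_create(&t, NULL, sender_thread, &s) != 0) { vsock_release(v); return false; }
    int warm = iters < 1000 ? iters : 1000;
    while (atomic_load(&s.successes) < warm) { /* let the data path get going */ }
    int final = vsock_release(v);
    pthread_join(t, NULL);
    return final == atomic_load(&s.successes) && !send_pkt(3);
}
```

Calling run_race_demo(1 << 20) exercises the interleaving the CVE is about: the sender is mid-stream when release runs. Swapping the order inside vsock_release() to free before synchronize_rcu(), or dropping the wait, reproduces the use-after-free shape the commit message describes (a reader that found the object before the unlink still touches it after the free), which is why the grace period sits between hash_del_rcu() and free().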
Diffstat (limited to 'fs/btrfs/struct-funcs.c')
0 files changed, 0 insertions, 0 deletions
