Commit f591cf9
vhost-scsi: protect vq->log_used with vq->mutex
The vhost-scsi completion path may access vq->log_base when vq->log_used is
already set to false.
```
vhost-thread                       QEMU-thread

vhost_scsi_complete_cmd_work()
-> vhost_add_used()
   -> vhost_add_used_n()
      if (unlikely(vq->log_used))
                                   QEMU disables vq->log_used
                                   via VHOST_SET_VRING_ADDR.
                                   mutex_lock(&vq->mutex);
                                   vq->log_used = false now!
                                   mutex_unlock(&vq->mutex);

                                   QEMU gfree(vq->log_base)
        log_used()
        -> log_write(vq->log_base)
```
Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be
reclaimed via gfree(). As a result, this causes invalid memory writes to
QEMU userspace.
The control queue path has the same issue.
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Message-Id: <20250403063028.16045-2-dongli.zhang@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

1 parent fec0abf
1 file changed
Lines changed: 8 additions & 0 deletions
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| 627 | 627 | |
| 628 | 628 | |
| 629 | 629 | |
| | 630 | + |
| | 631 | + |
| | 632 | + |
| 630 | 633 | |
| 631 | 634 | |
| 632 | 635 | |
| ... | ... | |
| 660 | 663 | |
| 661 | 664 | |
| 662 | 665 | |
| | 666 | + |
| | 667 | + |
| 663 | 668 | |
| 664 | 669 | |
| 665 | 670 | |
| ... | ... | |
| 1432 | 1437 | |
| 1433 | 1438 | |
| 1434 | 1439 | |
| | 1440 | + |
| 1435 | 1441 | |
| 1436 | 1442 | |
| | 1443 | + |
| | 1444 | + |
| 1437 | 1445 | |
| 1438 | 1446 | |
| 1439 | 1447 | |
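The race in the commit message, as an added user-space model (not the kernel's or the patch's own code): `qemu_set_vring_addr()` stands in for the QEMU thread's VHOST_SET_VRING_ADDR, `vhost_add_used_model()` for the completion path, and `pthread_mutex_trylock` for the ioctl blocking on vq->mutex; the freed log is nulled so the bad write is detectable rather than a real use-after-free.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Only the struct vhost_virtqueue fields the race touches (assumed model). */
struct vq {
    pthread_mutex_t mutex;
    bool log_used;
    unsigned char *log_base;   /* QEMU-owned dirty-page log */
};

/* QEMU thread: VHOST_SET_VRING_ADDR clears log_used under vq->mutex, then
 * QEMU frees the log. trylock models "blocks until vhost drops the mutex". */
static bool qemu_set_vring_addr(struct vq *vq)
{
    if (pthread_mutex_trylock(&vq->mutex) == EBUSY)
        return false;              /* serialized behind the vhost thread */
    vq->log_used = false;
    pthread_mutex_unlock(&vq->mutex);
    free(vq->log_base);            /* gfree(vq->log_base) in the message */
    vq->log_base = NULL;           /* nulled so the model can detect the write */
    return true;
}

/* vhost thread: vhost_add_used_n() -> log_used() -> log_write(vq->log_base).
 * hold_mutex=false is the unprotected path; true holds vq->mutex across the
 * check and the write. Returns 1 if the write hit a released log. */
static int vhost_add_used_model(struct vq *vq, bool hold_mutex)
{
    int bad = 0;
    if (hold_mutex)
        pthread_mutex_lock(&vq->mutex);
    if (vq->log_used) {
        qemu_set_vring_addr(vq);   /* QEMU arrives inside the window */
        if (vq->log_base == NULL)
            bad = 1;               /* log_write() into freed memory */
        else
            vq->log_base[0] = 1;   /* dirty bit lands in the live log */
    }
    if (hold_mutex)
        pthread_mutex_unlock(&vq->mutex);
    return bad;
}

/* Constructed scenario: logging on, one completion races the ioctl. */
int run_scenario(bool hold_mutex)
{
    struct vq vq;
    pthread_mutex_init(&vq.mutex, NULL);
    vq.log_used = true;
    vq.log_base = calloc(1, 4096);
    int bad = vq.log_base ? vhost_add_used_model(&vq, hold_mutex) : -1;
    qemu_set_vring_addr(&vq);      /* the deferred ioctl now completes */
    pthread_mutex_destroy(&vq.mutex);
    return bad;
}
```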