Message-ID: <caa4f006-6c74-4e16-961f-23ea90e26606@suse.com>
Date: Tue, 2 Jul 2024 12:15:57 +0200
From: Juergen Gross <jgross@...e.com>
To: Viresh Kumar <viresh.kumar@...aro.org>,
Stefano Stabellini <sstabellini@...nel.org>,
Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>
Cc: Vincent Guittot <vincent.guittot@...aro.org>,
Alex Bennée <alex.bennee@...aro.org>,
Manos Pitsidianakis <manos.pitsidianakis@...aro.org>,
Paolo Bonzini <pbonzini@...hat.com>, Al Viro <viro@...iv.linux.org.uk>,
xen-devel@...ts.xenproject.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] xen: privcmd: Fix possible access to a freed kirqfd instance
On 18.06.24 11:42, Viresh Kumar wrote:
> Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and
> privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd
> created and added to the irqfds_list by privcmd_irqfd_assign() may get
> removed by another thread executing privcmd_irqfd_deassign(), while the
> former is still using it after dropping the locks.
>
> This can lead to a situation where an already freed kirqfd instance may
> be accessed and cause kernel oops.
>
> Use SRCU locking to prevent the same, as is done for the KVM
> implementation for irqfds.
>
> Reported-by: Al Viro <viro@...iv.linux.org.uk>
> Suggested-by: Paolo Bonzini <pbonzini@...hat.com>
> Signed-off-by: Viresh Kumar <viresh.kumar@...aro.org>
Reviewed-by: Juergen Gross <jgross@...e.com>
Juergen
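The race the commit message describes, and the grace-period fix it adopts from KVM, can be modelled outside the kernel. The following is an added user-space illustration and is not the privcmd driver's code or the patch itself: a tiny sleepable-RCU stand-in (readers count themselves in and out, a synchronize call waits until the count drops to zero) guards a list of hypothetical `kirqfd_t` objects, and the invented `irqfd_assign()`, `irqfd_lookup()` and `irqfd_deassign()` functions play the roles of the driver's assign and deassign paths. The point is the ordering in `irqfd_deassign()`: unlink under the list lock, wait for the grace period, and only then free, so a reader that found the object and then dropped the list lock can keep using it safely.

```c
/* Added example (not from the patch or the privcmd driver): user-space model
 * of "unlink, wait for readers, then free". All names below are invented. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Minimal stand-in for SRCU. Real SRCU only waits for readers that were
 * already inside their critical section; this version also waits for later
 * ones, which is stricter but still safe for the demonstration. */
static pthread_mutex_t srcu_mtx = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t  srcu_cv  = PTHREAD_COND_INITIALIZER;
static int srcu_readers;

static void srcu_read_lock(void) {
    pthread_mutex_lock(&srcu_mtx);
    srcu_readers++;
    pthread_mutex_unlock(&srcu_mtx);
}
static void srcu_read_unlock(void) {
    pthread_mutex_lock(&srcu_mtx);
    if (--srcu_readers == 0)
        pthread_cond_broadcast(&srcu_cv);
    pthread_mutex_unlock(&srcu_mtx);
}
static void synchronize_srcu(void) {      /* block until no reader is active */
    pthread_mutex_lock(&srcu_mtx);
    while (srcu_readers > 0)
        pthread_cond_wait(&srcu_cv, &srcu_mtx);
    pthread_mutex_unlock(&srcu_mtx);
}

/* Hypothetical kirqfd object kept on a singly linked list. */
typedef struct kirqfd { int fd; struct kirqfd *next; } kirqfd_t;
static pthread_mutex_t list_lock = PTHREAD_MUTEX_INITIALIZER;
static kirqfd_t *irqfds_list;
static _Atomic int freed_count;          /* how many objects deassign has freed */

static int irqfd_assign(int fd) {
    kirqfd_t *k = malloc(sizeof *k);
    if (!k) return -1;
    k->fd = fd;
    pthread_mutex_lock(&list_lock);
    k->next = irqfds_list;
    irqfds_list = k;
    pthread_mutex_unlock(&list_lock);
    return 0;
}

/* Caller must hold srcu_read_lock(); the list lock is dropped before return,
 * exactly the window in which the original bug could free the object. */
static kirqfd_t *irqfd_lookup(int fd) {
    pthread_mutex_lock(&list_lock);
    kirqfd_t *k = irqfds_list;
    while (k && k->fd != fd) k = k->next;
    pthread_mutex_unlock(&list_lock);
    return k;
}

static int irqfd_deassign(int fd) {
    pthread_mutex_lock(&list_lock);
    kirqfd_t **pp = &irqfds_list, *k = NULL;
    while (*pp && (*pp)->fd != fd) pp = &(*pp)->next;
    if (*pp) { k = *pp; *pp = k->next; }  /* unlink so no new reader finds it */
    pthread_mutex_unlock(&list_lock);
    if (!k) return -1;
    /* The unsafe variant would free(k) right here. Instead wait until every
     * reader that may still hold a pointer has left its critical section. */
    synchronize_srcu();
    free(k);
    atomic_fetch_add(&freed_count, 1);
    return 0;
}

static void *deassign_thread(void *arg) { irqfd_deassign(*(int *)arg); return NULL; }

/* Reader holds the object across a concurrent deassign. Returns 1 when the
 * object stayed valid for the reader and was freed only after it let go. */
int run_demo(void) {
    int fd = 42, still_valid;
    pthread_t t;
    if (irqfd_assign(fd) != 0) return 0;
    srcu_read_lock();
    kirqfd_t *k = irqfd_lookup(fd);
    if (!k) { srcu_read_unlock(); return 0; }
    pthread_create(&t, NULL, deassign_thread, &fd);
    usleep(50000);                        /* let deassign unlink and block */
    still_valid = atomic_load(&freed_count) == 0 && k->fd == fd;
    srcu_read_unlock();                   /* grace period may now complete */
    pthread_join(t, NULL);
    return still_valid && atomic_load(&freed_count) == 1;
}

int main(void) {
    printf("reader protected across deassign: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```

Build with `cc -pthread` on older toolchains; the deassign thread blocks in `synchronize_srcu()` until the reader calls `srcu_read_unlock()`, which is what turns the use-after-free window into a benign wait.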