lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Feb 2022 10:47:42 +0100 From: Stefano Garzarella <sgarzare@...hat.com> To: "Michael S. Tsirkin" <mst@...hat.com> Cc: Stefan Hajnoczi <stefanha@...hat.com>, Jason Wang <jasowang@...hat.com>, netdev@...r.kernel.org, virtualization@...ts.linux-foundation.org, Stefano Garzarella <sgarzare@...hat.com>, syzbot+1e3ea63db39f2b4440e0@...kaller.appspotmail.com, kvm@...r.kernel.org, Anirudh Rayabharam <mail@...rudhrb.com>, syzbot+3140b17cb44a7b174008@...kaller.appspotmail.com, linux-kernel@...r.kernel.org, Mike Christie <michael.christie@...cle.com>, Dan Carpenter <dan.carpenter@...cle.com>, stable@...r.kernel.org Subject: [PATCH v2] vhost/vsock: don't check owner in vhost_vsock_stop() while releasing vhost_vsock_stop() calls vhost_dev_check_owner() to check the device ownership. It expects current->mm to be valid. vhost_vsock_stop() is also called by vhost_vsock_dev_release() when the user has not done close(), so when we are in do_exit(). In this case current->mm is invalid and we're releasing the device, so we should clean it anyway. Let's check the owner only when vhost_vsock_stop() is called by an ioctl. When invoked from release we can not fail so we don't check return code of vhost_vsock_stop(). We need to stop vsock even if it's not the owner. Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") Cc: stable@...r.kernel.org Reported-by: syzbot+1e3ea63db39f2b4440e0@...kaller.appspotmail.com Reported-and-tested-by: syzbot+3140b17cb44a7b174008@...kaller.appspotmail.com Signed-off-by: Stefano Garzarella <sgarzare@...hat.com> --- v2: - initialized `ret` in vhost_vsock_stop [Dan] - added comment about vhost_vsock_stop() calling in the code and an explanation in the commit message [MST] v1: https://lore.kernel.org/virtualization/20220221114916.107045-1-sgarzare@redhat.com --- drivers/vhost/vsock.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index d6ca1c7ad513..37f0b4274113 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@ -629,16 +629,18 @@ static int vhost_vsock_start(struct vhost_vsock *vsock) return ret; } -static int vhost_vsock_stop(struct vhost_vsock *vsock) +static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner) { size_t i; - int ret; + int ret = 0; mutex_lock(&vsock->dev.mutex); - ret = vhost_dev_check_owner(&vsock->dev); - if (ret) - goto err; + if (check_owner) { + ret = vhost_dev_check_owner(&vsock->dev); + if (ret) + goto err; + } for (i = 0; i < ARRAY_SIZE(vsock->vqs); i++) { struct vhost_virtqueue *vq = &vsock->vqs[i]; @@ -753,7 +755,12 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file) * inefficient. Room for improvement here. */ vsock_for_each_connected_socket(vhost_vsock_reset_orphans); - vhost_vsock_stop(vsock); + /* Don't check the owner, because we are in the release path, so we + * need to stop the vsock device in any case. + * vhost_vsock_stop() can not fail in this case, so we don't need to + * check the return code. + */ + vhost_vsock_stop(vsock, false); vhost_vsock_flush(vsock); vhost_dev_stop(&vsock->dev); @@ -868,7 +875,7 @@ static long vhost_vsock_dev_ioctl(struct file *f, unsigned int ioctl, if (start) return vhost_vsock_start(vsock); else - return vhost_vsock_stop(vsock); + return vhost_vsock_stop(vsock, true); case VHOST_GET_FEATURES: features = VHOST_VSOCK_FEATURES; if (copy_to_user(argp, &features, sizeof(features))) -- 2.35.1
Powered by blists - more mailing lists