linux/drivers
Stefano Garzarella f6bbf0010b vhost-vdpa: fix use-after-free of v->config_ctx
When the 'v->config_ctx' eventfd_ctx reference is released we didn't
set it to NULL. So if the same character device (e.g. /dev/vhost-vdpa-0)
is re-opened, the 'v->config_ctx' is invalid and calling again
vhost_vdpa_config_put() causes use-after-free issues like the
following refcount_t underflow:

    refcount_t: underflow; use-after-free.
    WARNING: CPU: 2 PID: 872 at lib/refcount.c:28 refcount_warn_saturate+0xae/0xf0
    RIP: 0010:refcount_warn_saturate+0xae/0xf0
    Call Trace:
     eventfd_ctx_put+0x5b/0x70
     vhost_vdpa_release+0xcd/0x150 [vhost_vdpa]
     __fput+0x8e/0x240
     ____fput+0xe/0x10
     task_work_run+0x66/0xa0
     exit_to_user_mode_prepare+0x118/0x120
     syscall_exit_to_user_mode+0x21/0x50
     ? __x64_sys_close+0x12/0x40
     do_syscall_64+0x45/0x50
     entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 776f395004 ("vhost_vdpa: Support config interrupt in vdpa")
Cc: lingshan.zhu@intel.com
Cc: stable@vger.kernel.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/20210311135257.109460-2-sgarzare@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Zhu Lingshan <lingshan.zhu@intel.com>
Acked-by: Jason Wang <jasowang@redhat.com>
2021-03-14 18:10:07 -04:00
accessibility speakup: fix uninitialized flush_lock 2020-12-09 15:38:13 +01:00
acpi Revert "ACPICA: Interpreter: fix memory leak by using existing buffer" 2021-02-08 13:46:53 +01:00
amba
android Merge branch 'exec-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-12-15 19:29:43 -08:00
ata
atm atm: idt77252: call pci_disable_device() on error path 2020-12-21 17:34:09 -08:00
auxdisplay
base Driver core fixes for 5.11-rc5 2021-01-24 11:05:48 -08:00
bcma
block virtio-blk: support per-device queue depth 2021-02-23 07:52:59 -05:00
bluetooth Bluetooth: btusb: Add workaround for remote-wakeup issues with Barrot 8041a02 fake CSR controllers 2020-12-07 17:01:54 +02:00
bus Fixes for omaps for v5.11-rc cycle 2021-01-28 13:52:47 +01:00
cdrom cdrom: Reset sector_size back it is not 2048. 2020-12-12 11:12:25 -07:00
char UAPI Changes: 2020-12-18 12:38:28 -08:00
clk One small fix for the Allwinner clk driver so that display clks figure 2021-02-13 14:25:22 -08:00
clocksource asm-generic: cross-architecture timer cleanup 2020-12-16 00:07:17 -08:00
connector net/connector: Add const qualifier to cb_id 2020-12-16 11:06:49 -08:00
counter counter:ti-eqep: remove floor 2021-01-14 20:56:56 +00:00
cpufreq cpufreq: ACPI: Update arch scale-invariance max perf ratio if CPPC is not there 2021-02-08 13:45:51 +01:00
cpuidle ARM: SoC drivers for v5.11 2020-12-16 16:38:41 -08:00
crypto crypto: marvel/cesa - Fix tdma descriptor on 64-bit 2021-01-22 14:57:31 +11:00
dax libnvdimm for 5.11 2020-12-24 12:18:11 -08:00
dca
devfreq Merge branches 'pm-devfreq' and 'pm-tools' 2020-12-15 15:27:16 +01:00
dio
dma dmaengine dw: Revert "dmaengine: dw: Enable runtime PM" 2021-02-08 17:36:12 +05:30
dma-buf dma-buf: cma_heap: Fix memory leak in CMA heap 2021-01-10 23:08:21 +05:30
edac Merge branch 'akpm' (patches from Andrew) 2020-12-15 12:53:37 -08:00
eisa
extcon extcon: max77693: Fix modalias string 2020-12-11 17:18:10 +09:00
firewire
firmware A single EFI fix from Lukas: 2021-01-31 11:57:37 -08:00
fpga Merge 5.10-rc7 into char-misc-next 2020-12-07 10:08:14 +01:00
fsi hwmon patches for v5.11 2020-12-15 16:06:14 -08:00
gnss
gpio gpio: ep93xx: Fix single irqchip with multi gpiochips 2021-02-10 14:47:27 +01:00
gpu Merge branch 'drm-misc-fixes' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes 2021-02-12 13:38:51 +10:00
greybus
hid HID: wacom: Correct NULL dereference on AES pen proximity 2021-01-26 11:53:53 +01:00
hsi
hv x86/hyperv: Fix kexec panic/hang issues 2021-01-05 17:52:04 +00:00
hwmon hwmon: (amd_energy) fix allocation of hwmon_channel_info config 2021-01-08 07:31:03 -08:00
hwspinlock hwspinlock: sirf: Remove the redundant 'of_match_ptr' 2020-12-10 13:34:40 -06:00
hwtracing intel_th: pci: Add Alder Lake-P support 2021-01-21 18:54:43 +01:00
i2c i2c: stm32f7: fix configuration of the digital filter 2021-02-12 11:36:40 +01:00
i3c i3c/master/mipi-i3c-hci: Fix position of __maybe_unused in i3c_hci_of_match 2020-12-31 18:41:37 +01:00
ide SCSI fixes on 20210101 2021-01-01 12:58:07 -08:00
idle intel_idle: add SnowRidge C-state table 2020-12-30 18:25:34 +01:00
iio iio: sx9310: Fix semtech,avg-pos-strength setting when > 16 2021-01-14 21:01:22 +00:00
infiniband Revert "RDMA/rxe: Remove VLAN code leftovers from RXE" 2021-01-20 13:29:28 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2021-02-06 14:57:23 -08:00
interconnect interconnect: imx8mq: Use icc_sync_state 2020-12-28 14:03:02 +02:00
iommu iommu/vt-d: Do not use flush-queue when caching-mode is on 2021-01-28 13:59:02 +01:00
ipack
irqchip irqchip fixes for 5.11, take #1 2021-01-12 21:23:55 +01:00
isdn misdn: dsp: select CONFIG_BITREVERSE 2021-01-05 15:50:36 -08:00
leds leds: rt8515: add V4L2_FLASH_LED_CLASS dependency 2021-02-14 18:01:41 +01:00
lightnvm lightnvm: fix memory leak when submit fails 2021-01-21 05:45:51 -07:00
macintosh macintosh/adb-iop: Send correct poll command 2020-12-07 10:48:16 +01:00
mailbox mailbox: arm_mhuv2: Add driver 2020-12-09 19:26:02 -06:00
mcb
md block-5.11-2021-01-29 2021-01-29 13:50:06 -08:00
media media: rockchip: rkisp1: extend uapi array sizes 2021-01-28 11:31:43 +01:00
memory Merge tag 'memory-controller-drv-tegra-5.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux-mem-ctrl into arm/drivers 2020-12-09 00:40:02 +01:00
memstick
message SCSI misc on 20201216 2020-12-16 13:34:31 -08:00
mfd mfd: ab8500-debugfs: Remove extraneous seq_putc 2020-12-26 09:19:49 -08:00
misc misc: rtsx: init value of aspm_enabled 2021-01-22 11:04:53 +01:00
mmc mmc: sdhci-pltfm: Fix linking err for sdhci-brcmstb 2021-02-01 11:13:09 +01:00
most
mtd mtd: rawnand: omap: Use BCH private fields in the specific OOB layout 2021-01-20 23:38:00 +01:00
mux
net virtio_net: Fix fall-through warnings for Clang 2021-02-23 07:52:59 -05:00
nfc nfc: s3fwrn5: Remove unused NCI prop commands 2020-12-16 13:09:35 -08:00
ntb Big fix for IDT NTB and Intel NTB LTR management support 2020-12-27 09:22:55 -08:00
nubus
nvdimm libnvdimm/dimm: Avoid race between probe and available_slots_show() 2021-02-01 16:20:40 -08:00
nvme nvmet-tcp: fix out-of-bounds access when receiving multiple h2cdata PDUs 2021-02-03 16:57:36 +01:00
nvmem
of of/device: Update dma_range_map only when dev has valid dma-ranges 2021-01-27 14:00:14 -06:00
opp opp: Call the missing clk_put() on error 2020-12-28 10:56:22 +05:30
oprofile
parisc
parport
pci Revert "PCI/ASPM: Save/restore L1SS Capability for suspend/resume" 2021-01-27 10:12:43 -06:00
pcmcia Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux 2020-12-19 12:50:10 -08:00
perf Revert "arm64: Enable perf events based hard lockup detector" 2021-01-13 15:08:41 +00:00
phy phy: mediatek: allow compile-testing the dsi phy 2021-01-04 13:00:54 +05:30
pinctrl pinctrl: qcom: Don't clear pending interrupts when enabling 2021-01-18 16:07:08 +01:00
platform platform/x86: dell-wmi-sysman: fix a NULL pointer dereference 2021-01-31 22:05:35 +01:00
pnp
power power: supply: Fix a typo in warning message 2020-12-13 01:00:10 +01:00
powercap Merge branches 'pm-sleep', 'pm-acpi', 'pm-domains' and 'powercap' 2020-12-15 15:26:14 +01:00
pps
ps3 powerpc/ps3: use dma_mapping_error() 2020-12-15 22:50:12 +11:00
ptp ptp: ptp_ines: prevent build when HAS_IOMEM is not set 2021-01-06 16:17:23 -08:00
pwm pwm: Changes for v5.11-rc1 2020-12-19 11:51:32 -08:00
rapidio rapidio: remove unused rio_get_asm() and rio_get_device() 2020-12-15 22:46:18 -08:00
ras
regulator regulator: Fix lockdep warning resolving supplies 2021-01-22 14:03:07 +00:00
remoteproc ARM: SoC drivers for v5.11 2020-12-16 16:38:41 -08:00
reset ARM: SoC drivers for v5.11 2020-12-16 16:38:41 -08:00
rpmsg
rtc rtc: mc146818: Dont test for bit 0-5 in Register D 2021-02-02 20:35:02 +01:00
s390 - Fix max number of VCPUs reported via ultravisor information sysfs interface. 2021-01-30 11:48:57 -08:00
sbus
scsi scsi: scsi_debug: Fix a memory leak 2021-02-08 21:51:25 -05:00
sfi
sh sh/intc: Restore devm_ioremap() alignment 2021-01-06 19:55:29 -05:00
siox siox: Make remove callback return void 2020-12-10 16:17:15 +01:00
slimbus slimbus: qcom: fix potential NULL dereference in qcom_slim_prg_slew() 2020-12-10 16:23:56 +01:00
soc ARM: SoC fixes for v5.11, part 3 2021-02-03 09:50:59 -08:00
soundwire soundwire: intel: fix another unused-function warning 2020-12-05 13:11:54 +05:30
spi spidev: Add cisco device compatible 2021-01-25 12:53:48 +00:00
spmi spmi: Add driver shutdown support 2020-12-10 10:45:36 +01:00
ssb
staging staging: rtl8723bs: Move wiphy setup to after reading the regulatory settings from the chip 2021-02-01 19:26:10 +01:00
target SCSI fixes on 20210130 2021-01-30 17:42:42 -08:00
tc
tee tee: optee: replace might_sleep with cond_resched 2021-01-21 10:36:48 +01:00
thermal - Add Alder Lake support ACPI ids (Srinivas Pandruvada) 2020-12-18 12:19:37 -08:00
thunderbolt thunderbolt: Fix possible NULL pointer dereference in tb_acpi_add_link() 2021-01-28 15:30:57 +03:00
tty tty: avoid using vfs_iocb_iter_write() for redirected console writes 2021-01-29 13:12:17 -08:00
uio uio: uio_hv_generic: use devm_kzalloc() for private data alloc 2020-12-09 19:59:00 +01:00
usb usb: dwc2: Fix endpoint direction check in ep_from_windex 2021-02-05 10:28:38 +01:00
vdpa vdpa_sim: Skip typecasting from void* 2021-03-14 04:37:36 -04:00
vfio ARM: 2020-12-20 10:44:05 -08:00
vhost vhost-vdpa: fix use-after-free of v->config_ctx 2021-03-14 18:10:07 -04:00
video UAPI Changes: 2020-12-18 12:38:28 -08:00
virt
virtio virtio: remove export for virtio_config_{enable, disable} 2021-03-14 04:37:35 -04:00
visorbus
vlynq
vme vme: switch from 'pci_' to 'dma_' API 2020-12-09 19:44:34 +01:00
w1
watchdog linux-watchdog 5.11-rc1 tag 2020-12-23 15:01:49 -08:00
xen xen: branch for v5.11-rc8 2021-02-12 11:12:58 -08:00
zorro
Kconfig
Makefile asm-generic: cross-architecture timer cleanup 2020-12-16 00:07:17 -08:00