The vhost-scsi completion path may access vq->log_base when vq->log_used is
already set to false.
    vhost-thread                       QEMU-thread

vhost_scsi_complete_cmd_work()
-> vhost_add_used()
   -> vhost_add_used_n()
      if (unlikely(vq->log_used))
                                       QEMU disables vq->log_used
                                       via VHOST_SET_VRING_ADDR.
                                       mutex_lock(&vq->mutex);
                                       vq->log_used = false now!
                                       mutex_unlock(&vq->mutex);

                                       QEMU gfree(vq->log_base)
         log_used()
         -> log_write(vq->log_base)
Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be
reclaimed via gfree(). As a result, this causes invalid memory writes to
QEMU userspace.
The control queue path has the same issue.
Signed-off-by: Dongli Zhang <[email protected]>
Acked-by: Jason Wang <[email protected]>
Reviewed-by: Mike Christie <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit f591cf9fce724e5075cc67488c43c6e39e8cbe27)
Orabug: 37980690
Conflicts:
- commit 48ae70d ("vhost_scsi: make SCSI cmd completion per vq")
is not merged in UEK7 so vhost_scsi_complete_cmd_work handles all queues
instead of specific ones.
Signed-off-by: Mike Christie <[email protected]>
Reviewed-by: Dongli Zhang <[email protected]>
Signed-off-by: Brian Maly <[email protected]>