linux-yocto/drivers
Dongli Zhang 59614c5acf vhost-scsi: protect vq->log_used with vq->mutex
commit f591cf9fce upstream.

The vhost-scsi completion path may access vq->log_base when vq->log_used is
already set to false.

    vhost-thread                       QEMU-thread

vhost_scsi_complete_cmd_work()
-> vhost_add_used()
   -> vhost_add_used_n()
      if (unlikely(vq->log_used))
                                      QEMU disables vq->log_used
                                      via VHOST_SET_VRING_ADDR.
                                      mutex_lock(&vq->mutex);
                                      vq->log_used = false now!
                                      mutex_unlock(&vq->mutex);

                                      QEMU gfree(vq->log_base)
        log_used()
        -> log_write(vq->log_base)

Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be
reclaimed via gfree(). As a result, this causes invalid memory writes to
QEMU userspace.

The control queue path has the same issue.

Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Message-Id: <20250403063028.16045-2-dongli.zhang@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[ resolved conflicts in drivers/vhost/scsi.c
  because vhost_scsi_complete_cmd_work() has been refactored. ]
Signed-off-by: Xinyu Zheng <zhengxinyu6@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-07-17 18:32:15 +02:00
accessibility
acpi Revert "ACPI: battery: negate current when discharging" 2025-07-17 18:32:08 +02:00
amba
android
ata ata: pata_cs5536: fix build on 32-bit UML 2025-07-10 15:59:50 +02:00
atm atm: idt77252: Add missing dma_map_error() 2025-07-17 18:32:13 +02:00
auxdisplay auxdisplay: charlcd: Partially revert "Move hwidth and bwidth to struct hd44780_common" 2025-06-04 14:40:07 +02:00
base x86/bugs: Add a Transient Scheduler Attacks mitigation 2025-07-10 15:59:54 +02:00
bcma
block nbd: fix uaf in nbd_genl_connect() error path 2025-07-17 18:32:11 +02:00
bluetooth Bluetooth: hci_qca: move the SoC type check to the right place 2025-06-27 11:07:05 +01:00
bus Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" 2025-06-27 11:07:36 +01:00
cdrom
char ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() 2025-07-17 18:32:07 +02:00
clk clk: rockchip: rk3036: mark ddrphy as critical 2025-06-27 11:07:34 +01:00
clocksource clocksource: mips-gic-timer: Enable counter when CPUs start 2025-06-04 14:40:12 +02:00
comedi comedi: jr3_pci: Fix synchronous deletion of timer 2025-05-02 07:47:08 +02:00
connector
counter counter: interrupt-cnt: Protect enable/disable OPs with mutex 2025-06-27 11:07:16 +01:00
cpufreq Revert "cpufreq: tegra186: Share policy per cluster" 2025-06-27 11:07:40 +01:00
cpuidle cpuidle: menu: Avoid discarding useful information 2025-06-04 14:40:11 +02:00
crypto crypto: marvell/cesa - Do not chain submitted requests 2025-06-27 11:07:25 +01:00
cxl cxl/region: Fix region creation for greater than x2 switches 2024-12-27 13:52:53 +01:00
dax dax: delete a stale directory pmem 2024-12-14 19:53:41 +01:00
dca
devfreq
dio
dma dmaengine: xilinx_dma: Set dma_device directions 2025-07-06 10:57:54 +02:00
dma-buf dma-buf: fix timeout handling in dma_resv_wait_timeout v2 2025-07-10 15:59:53 +02:00
edac EDAC/altera: Use correct write width with the INTTEST register 2025-06-27 11:07:29 +01:00
eisa
extcon
firewire
firmware firmware: arm_scmi: Ensure that the message-id supports fastchannel 2025-07-06 10:58:04 +02:00
fpga fpga: altera-cvp: Increase credit timeout 2025-06-04 14:40:10 +02:00
fsi
gnss
gpio gpio: pca953x: fix IRQ storm on system wake up 2025-06-04 14:40:01 +02:00
gpu drm/tegra: nvdec: Fix dma_alloc_coherent error check 2025-07-17 18:32:11 +02:00
greybus
hid HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras 2025-07-17 18:32:14 +02:00
hsi HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition 2025-04-25 10:43:47 +02:00
hte
hv Drivers: hv: vmbus: Add utility function for querying ring size 2025-07-06 10:57:58 +02:00
hwmon hwmon: (pmbus/max34440) Fix support for max34451 2025-07-06 10:57:54 +02:00
hwspinlock
hwtracing coresight: Only check bottom two claim bits 2025-07-06 10:57:55 +02:00
i2c i2c/designware: Fix an initialization issue 2025-07-10 15:59:53 +02:00
i3c i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() 2025-06-04 14:40:22 +02:00
idle cpuidle, intel_idle: Fix CPUIDLE_FLAG_IBRS 2025-03-13 12:53:11 +01:00
iio iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos 2025-07-06 10:57:55 +02:00
infiniband RDMA/mlx5: Fix CC counters query for MPV 2025-07-10 15:59:46 +02:00
input Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID 2025-07-17 18:32:15 +02:00
interconnect
iommu iommu/amd: Ensure GA log notifier callbacks finish running before module unload 2025-06-27 11:07:34 +01:00
ipack
irqchip irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() 2025-05-09 09:41:45 +02:00
isdn
leds leds: multicolor: Fix intensity setting while SW blinking 2025-07-06 10:57:54 +02:00
macintosh
mailbox mailbox: Not protect module_put with spin_lock_irqsave 2025-07-06 10:57:54 +02:00
mcb mcb: fix a double free bug in chameleon_parse_gdd() 2025-05-02 07:46:57 +02:00
md raid10: cleanup memleak at raid10_make_request 2025-07-17 18:32:11 +02:00
media media: uvcvideo: Rollback non processed entities on error 2025-07-06 10:58:03 +02:00
memory memory: omap-gpmc: drop no compatible check 2025-04-10 14:33:39 +02:00
memstick memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove 2025-04-07 10:05:46 +02:00
message scsi: fusion: Remove unused variable 'rc' 2024-12-14 19:53:40 +01:00
mfd mfd: max14577: Fix wakeup source leaks on device unbind 2025-07-06 10:57:54 +02:00
misc VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify 2025-06-27 11:07:25 +01:00
mmc mtk-sd: reset host->mrq on prepare_data() error 2025-07-10 15:59:45 +02:00
most
mtd mtd: spinand: fix memory leak of ECC engine conf 2025-07-10 15:59:51 +02:00
mux
net net: usb: qmi_wwan: add SIMCom 8230C composition 2025-07-17 18:32:14 +02:00
nfc
ntb ntb_hw_amd: Add NTB PCI ID for new gen CPU 2025-05-02 07:47:04 +02:00
nubus
nvdimm libnvdimm/labels: Fix divide error in nd_label_data_init() 2025-06-04 14:40:04 +02:00
nvme nvme: always punt polled uring_cmd end_io work to task_work 2025-07-06 10:58:04 +02:00
nvmem nvmem: core: improve range check for nvmem_cell_write() 2025-02-21 13:49:50 +01:00
of of: module: add buffer overflow check in of_modalias() 2025-05-02 07:47:08 +02:00
opp OPP: OF: Fix an OF node leak in _opp_add_static_v2() 2025-02-21 13:49:02 +01:00
parisc
parport parport_pc: add support for ASIX AX99100 2025-02-21 13:50:11 +01:00
pci PCI: apple: Set only available ports up 2025-07-06 10:57:58 +02:00
pcmcia
peci
perf perf/arm-cmn: Initialise cmn->cpu earlier 2025-06-04 14:40:25 +02:00
phy phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug 2025-06-27 11:07:16 +01:00
pinctrl pinctrl: qcom: msm: mark certain pins as invalid for interrupts 2025-07-17 18:32:08 +02:00
platform platform/x86: ideapad-laptop: use usleep_range() for EC polling 2025-07-17 18:32:04 +02:00
pnp
power power: supply: bq27xxx: Retrieve again when busy 2025-06-27 11:07:32 +01:00
powercap powercap: call put_device() on an error path in powercap_register_control_type() 2025-03-28 21:58:50 +01:00
pps pps: Fix a use-after-free 2025-02-21 13:49:55 +01:00
ps3
ptp ptp: allow reading of currently dialed frequency to succeed on free-running clocks 2025-06-27 11:07:39 +01:00
pwm pwm: mediatek: Ensure to disable clocks in error path 2025-07-17 18:32:09 +02:00
rapidio drivers/rapidio/rio_cm.c: prevent possible heap overwrite 2025-06-27 11:07:36 +01:00
ras
regulator regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods 2025-07-10 15:59:44 +02:00
remoteproc remoteproc: core: Release rproc->clean_table after rproc_attach() fails 2025-06-27 11:07:31 +01:00
reset
rpmsg rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() 2025-06-27 11:07:15 +01:00
rtc rtc: cmos: use spin_lock_irqsave in cmos_interrupt 2025-07-10 15:59:43 +02:00
s390 s390/pkey: Prevent overflow in size calculation for memdup_user() 2025-07-06 10:57:59 +02:00
sbus
scsi scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() 2025-07-10 15:59:46 +02:00
sh sh: clk: Fix clk_enable() to return 0 on NULL clk 2024-12-27 13:52:58 +01:00
siox
slimbus slimbus: messaging: Free transaction ID in delayed interrupt scenario 2025-03-13 12:53:22 +01:00
soc soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() 2025-06-27 11:07:14 +01:00
soundwire soundwire: slave: fix an OF node reference leak in soundwire slave device 2025-04-10 14:33:35 +02:00
spi spi: spi-fsl-dspi: Clear completion counter before initiating transfer 2025-07-10 15:59:47 +02:00
spmi
ssb
staging staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() 2025-07-06 10:58:01 +02:00
target scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() 2025-07-10 15:59:50 +02:00
tc
tee tee: Prevent size calculation wraparound on 32-bit kernels 2025-06-27 11:07:36 +01:00
thermal thermal/drivers/qoriq: Power down TMU on system suspend 2025-06-04 14:40:03 +02:00
thunderbolt thunderbolt: Do not double dequeue a configuration request 2025-06-27 11:07:06 +01:00
tty vt: add missing notification when switching back to text mode 2025-07-17 18:32:14 +02:00
ufs scsi: ufs: core: Fix spelling of a sysfs attribute name 2025-07-10 15:59:46 +02:00
uio uio_hv_generic: Align ring size to system page 2025-07-06 10:57:58 +02:00
usb usb: dwc3: Abort suspend on soft disconnect failure 2025-07-17 18:32:11 +02:00
vdpa vdpa/mlx5: Fix oversized null mkey longer than 32bit 2025-04-25 10:43:40 +02:00
vfio vfio/type1: Fix error unwind in migration dirty bitmap allocation 2025-06-27 11:07:11 +01:00
vhost vhost-scsi: protect vq->log_used with vq->mutex 2025-07-17 18:32:15 +02:00
video fbdev: hyperv_fb: Convert comma to semicolon 2025-07-06 10:58:03 +02:00
virt drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl 2025-03-13 12:53:23 +01:00
virtio virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN 2025-06-04 14:40:01 +02:00
vlynq
w1
watchdog watchdog: da9052_wdt: respect TWDMIN 2025-06-27 11:07:35 +01:00
xen xenbus: Allow PVH dom0 a non-local xenstore 2025-06-04 14:40:18 +02:00
zorro
Kconfig
Makefile