{ "id": 2223724, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2223724/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260416015947.1426-1-arei.gonglei@huawei.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.1/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260416015947.1426-1-arei.gonglei@huawei.com>", "date": "2026-04-16T01:59:47", "name": "backends/cryptodev-lkcf: fix use-after-free in session lifecycle", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "d8f396e5e3d59b064aa3215ad0fe6cb0e4224b38", "submitter": { "id": 35948, "url": "http://patchwork.ozlabs.org/api/1.1/people/35948/?format=api", "name": "Gonglei", "email": "arei.gonglei@huawei.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260416015947.1426-1-arei.gonglei@huawei.com/mbox/", "series": [ { "id": 500067, "url": "http://patchwork.ozlabs.org/api/1.1/series/500067/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500067", "date": "2026-04-16T01:59:47", "name": "backends/cryptodev-lkcf: fix use-after-free in session lifecycle", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500067/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223724/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2223724/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=huawei.com header.i=@huawei.com header.a=rsa-sha256\n header.s=dkim 
header.b=JpqIWW8G;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fx1T55D0mz1yG9\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 12:01:12 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wDC1h-0008WQ-MD; Wed, 15 Apr 2026 22:00:17 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <arei.gonglei@huawei.com>)\n id 1wDC1e-0008U2-HU; Wed, 15 Apr 2026 22:00:15 -0400", "from canpmsgout03.his.huawei.com ([113.46.200.218])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <arei.gonglei@huawei.com>)\n id 1wDC1Z-0003Ii-Hg; Wed, 15 Apr 2026 22:00:14 -0400", "from mail.maildlp.com (unknown [172.19.163.104])\n by canpmsgout03.his.huawei.com (SkyGuard) with ESMTPS id 4fx1JN3nk0zpSyr;\n Thu, 16 Apr 2026 09:53:40 +0800 (CST)", "from dggpemf200006.china.huawei.com (unknown [7.185.36.61])\n by mail.maildlp.com (Postfix) with ESMTPS id 3C3544048F;\n Thu, 16 Apr 2026 09:59:54 +0800 (CST)", "from DESKTOP-EH3TE8S.china.huawei.com (10.174.54.174) by\n dggpemf200006.china.huawei.com (7.185.36.61) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n 15.2.1544.11; Thu, 16 Apr 2026 09:59:53 +0800" ], "dkim-signature": "v=1; a=rsa-sha256; d=huawei.com; s=dkim;\n c=relaxed/relaxed; q=dns/txt; h=From;\n 
bh=rza+oSN5eBLCozCvNTOsuc4YStVOLtp6Nw7YnoqOESI=;\n b=JpqIWW8GOtMdKO0iVKbpdrMr8QSgzcx9x0iLe2jnPpRJM3BN4YNv6LvvwhaAYNn8KwVZdAO1J\n v8ezrP6wyqI95vzPr5kA6aWb4Po3AQUL68x0GXu/Rc4jfUsbk5979/4mKzMA90MNgIoNB5ccd08\n hwnhgS0WHdZHomDoRWt1doc=", "From": "Gonglei <arei.gonglei@huawei.com>", "To": "<arei.gonglei@huawei.com>, <qemu-devel@nongnu.org>,\n <zhenwei.pi@linux.dev>, <berrange@redhat.com>, <qemu-security@nongnu.org>", "CC": "<mcascell@redhat.com>, Buzzy <buzzy0257@gmail.com>", "Subject": "[PATCH] backends/cryptodev-lkcf: fix use-after-free in session\n lifecycle", "Date": "Thu, 16 Apr 2026 09:59:47 +0800", "Message-ID": "<20260416015947.1426-1-arei.gonglei@huawei.com>", "X-Mailer": "git-send-email 2.52.0.windows.1", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Content-Type": "text/plain", "X-Originating-IP": "[10.174.54.174]", "X-ClientProxiedBy": "kwepems500002.china.huawei.com (7.221.188.17) To\n dggpemf200006.china.huawei.com (7.185.36.61)", "Received-SPF": "pass client-ip=113.46.200.218;\n envelope-from=arei.gonglei@huawei.com; helo=canpmsgout03.his.huawei.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": 
"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "The cryptodev-lkcf backend had a race condition where session close\ncould free a session while tasks using that session were still pending\nin the queue. This leads to use-after-free when the worker thread\nlater accesses the freed session pointer.\n\nAdd reference counting (in_use) and pending_close flag to ensure:\n- New operations are rejected when a session is closing\n- Session close waits for all in-flight tasks to complete\n- No use-after-free can occur\n\nFixes: CVE-2026-6288\nFixes: 39fff6f3e8 (\"cryptodev: Add a lkcf-backend for cryptodev\")\nReported-by: Buzzy <buzzy0257@gmail.com>\nSigned-off-by: Gonglei <arei.gonglei@huawei.com>\nTested-by: Buzzy <buzzy0257@gmail.com>\n---\n backends/cryptodev-lkcf.c | 54 +++++++++++++++++++++++++++++++++++++++\n 1 file changed, 54 insertions(+)", "diff": "diff --git a/backends/cryptodev-lkcf.c b/backends/cryptodev-lkcf.c\nindex 40c7bd3c5a..dc39b7f5aa 100644\n--- a/backends/cryptodev-lkcf.c\n+++ b/backends/cryptodev-lkcf.c\n@@ -66,6 +66,9 @@ typedef struct CryptoDevBackendLKCFSession {\n size_t keylen;\n QCryptoAkCipherKeyType keytype;\n QCryptoAkCipherOptions akcipher_opts;\n+ int in_use; /* number of tasks currently using this session */\n+ /* session close requested, waiting for in_use to become 0 */\n+ bool pending_close;\n } CryptoDevBackendLKCFSession;\n \n typedef struct CryptoDevLKCFTask CryptoDevLKCFTask;\n@@ -428,6 +431,18 @@ out:\n if (key_id >= 0) {\n keyctl_unlink(key_id, KCTL_KEY_RING);\n }\n+\n+ /*\n+ * Decrement session in_use counter and signal if session is pending close.\n+ * This allows close_session to proceed after all tasks complete.\n+ */\n+ qemu_mutex_lock(&task->lkcf->mutex);\n+ task->sess->in_use--;\n+ if 
(task->sess->pending_close && task->sess->in_use == 0) {\n+ qemu_cond_broadcast(&task->lkcf->cond);\n+ }\n+ qemu_mutex_unlock(&task->lkcf->mutex);\n+\n task->status = status;\n \n qemu_mutex_lock(&task->lkcf->rsp_mutex);\n@@ -500,7 +515,24 @@ static int cryptodev_lkcf_operation(\n task->lkcf = lkcf;\n task->status = -VIRTIO_CRYPTO_ERR;\n \n+ /*\n+ * Increment session in_use counter before adding task to queue.\n+ * This prevents the session from being freed while a task is pending.\n+ */\n qemu_mutex_lock(&lkcf->mutex);\n+ sess->in_use++;\n+\n+ /*\n+ * Check if session is pending close - if so, reject this operation\n+ * to avoid potential use-after-free.\n+ */\n+ if (sess->pending_close) {\n+ sess->in_use--;\n+ qemu_mutex_unlock(&lkcf->mutex);\n+ error_report(\"Session %\" PRIu64 \" is closing\", op_info->session_id);\n+ g_free(task);\n+ return -VIRTIO_CRYPTO_INVSESS;\n+ }\n QSIMPLEQ_INSERT_TAIL(&lkcf->requests, task, queue);\n qemu_mutex_unlock(&lkcf->mutex);\n qemu_cond_signal(&lkcf->cond);\n@@ -606,8 +638,30 @@ static int cryptodev_lkcf_close_session(CryptoDevBackend *backend,\n CryptoDevBackendLKCFSession *session;\n \n assert(session_id < MAX_SESSIONS && lkcf->sess[session_id]);\n+\n+ qemu_mutex_lock(&lkcf->mutex);\n session = lkcf->sess[session_id];\n+\n+ /*\n+ * Mark session as pending close. New operations using this session\n+ * will be rejected. We hold the mutex until in_use becomes 0 to\n+ * prevent race conditions.\n+ */\n+ session->pending_close = true;\n+\n+ /*\n+ * Wait for all in-flight tasks using this session to complete.\n+ * The worker thread decrements in_use after task execution.\n+ */\n+ while (session->in_use > 0) {\n+ qemu_cond_wait(&lkcf->cond, &lkcf->mutex);\n+ }\n+\n+ /*\n+ * Now safe to remove session and free resources.\n+ */\n lkcf->sess[session_id] = NULL;\n+ qemu_mutex_unlock(&lkcf->mutex);\n \n g_free(session->key);\n g_free(session);\n", "prefixes": [] }
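Review bot: The two fields added to CryptoDevBackendLKCFSession, `in_use` and `pending_close`, are never initialized anywhere in this diff, so the fix silently relies on the session allocation path (not in these hunks) zeroing the struct. If that path uses `g_new`/`g_malloc` rather than `g_new0`, a fresh session can start with `pending_close` already true or a garbage `in_use`, which would either reject every operation with `VIRTIO_CRYPTO_INVSESS` or make the close-side wait block forever. Worth confirming the allocator, or setting `session->in_use = 0; session->pending_close = false;` explicitly where the session is created. The struct definition itself begins before this hunk.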
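Review bot: Once `task->sess->in_use--` drops the count to zero and the broadcast is sent, `cryptodev_lkcf_close_session` may free the session immediately, yet the worker still continues to the `task->status` store and the `rsp_mutex` section below with `task->sess` now dangling. Nothing visible in the hunk dereferences it afterwards, but the ordering is the whole fix and is easy to break in a later change; a comment right after the unlock, `/* sess may be freed by close_session from here on: do not touch task->sess */`, would make the invariant explicit. The enclosing worker function starts before this hunk.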
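Review bot: The new rejection path in `cryptodev_lkcf_operation` calls `error_report()` for a condition the guest can drive by issuing requests against a session it is closing, which makes the host log guest-floodable; QEMU's usual choice for guest-triggered conditions is `qemu_log_mask(LOG_GUEST_ERROR, ...)`, unless the rest of this file already uses `error_report` for comparable guest-caused failures. The early `g_free(task)` also assumes nothing else owned by `task` was allocated before this point, which cannot be checked here since the function starts before the hunk.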
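Review bot: The wait loop in `cryptodev_lkcf_close_session` blocks on `lkcf->cond`, the same condition variable that `cryptodev_lkcf_operation` wakes with `qemu_cond_signal` (one waiter) and that the worker threads presumably wait on for new requests. If a close can ever be blocked while another thread submits a request, that single wake-up may land on the closer instead of an idle worker and the new task sits in the queue until some other event wakes a worker; a dedicated condition variable for the close hand-off, or `qemu_cond_broadcast(&lkcf->cond)` in the submit path, would remove the dependency. The loop is also unbounded, so the caller (and any lock it holds) is stalled for as long as the kernel key operations of the in-flight tasks take; that may be acceptable, but a comment stating it is the intended trade-off would help the next reader.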