Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2223749/?format=api
{ "id": 2223749, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2223749/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260416061933.1982-1-arei.gonglei@huawei.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.1/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260416061933.1982-1-arei.gonglei@huawei.com>", "date": "2026-04-16T06:19:32", "name": "[v2] backends/cryptodev-lkcf: fix use-after-free in session lifecycle", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "c6de36f800a27354bd01ace644ddefb8db2bc4d1", "submitter": { "id": 35948, "url": "http://patchwork.ozlabs.org/api/1.1/people/35948/?format=api", "name": "Gonglei", "email": "arei.gonglei@huawei.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260416061933.1982-1-arei.gonglei@huawei.com/mbox/", "series": [ { "id": 500081, "url": "http://patchwork.ozlabs.org/api/1.1/series/500081/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500081", "date": "2026-04-16T06:19:32", "name": "[v2] backends/cryptodev-lkcf: fix use-after-free in session lifecycle", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/500081/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223749/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2223749/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=huawei.com header.i=@huawei.com header.a=rsa-sha256\n header.s=dkim header.b=UoXm3Xw7;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fx7D20Mp2z1yDF\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 16:20:18 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wDG4s-00050F-CK; Thu, 16 Apr 2026 02:19:50 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <arei.gonglei@huawei.com>)\n id 1wDG4p-0004zB-A0; Thu, 16 Apr 2026 02:19:47 -0400", "from canpmsgout02.his.huawei.com ([113.46.200.217])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <arei.gonglei@huawei.com>)\n id 1wDG4l-0006KQ-7j; Thu, 16 Apr 2026 02:19:47 -0400", "from mail.maildlp.com (unknown [172.19.162.144])\n by canpmsgout02.his.huawei.com (SkyGuard) with ESMTPS id 4fx73j3lL9zcb29;\n Thu, 16 Apr 2026 14:13:05 +0800 (CST)", "from dggpemf200006.china.huawei.com (unknown [7.185.36.61])\n by mail.maildlp.com (Postfix) with ESMTPS id 36BD840572;\n Thu, 16 Apr 2026 14:19:37 +0800 (CST)", "from DESKTOP-EH3TE8S.china.huawei.com (10.174.54.174) by\n dggpemf200006.china.huawei.com (7.185.36.61) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n 15.2.1544.11; Thu, 16 Apr 2026 14:19:36 +0800" ], "dkim-signature": "v=1; a=rsa-sha256; d=huawei.com; s=dkim;\n c=relaxed/relaxed; q=dns/txt; h=From;\n bh=CKeG4NKoud2Y+L57h2y/FZ1rl6p4OfPbPkWHjnAj/TY=;\n b=UoXm3Xw7ir5Hvd/Yid5/aVvvmbMPWK40acQkZSgkTewp+r60Q2nLoFXdRWt4111j+PVoS6nxI\n eCm6mzC397PGnZHoyxI9OjfWC6ngyr0AXuI1/PHvCBnVkuI29stEacNAy5GDesnavVXVNdBectZ\n mJyuSbiaS/DWBYZDlcF3CwY=", "From": "Gonglei <arei.gonglei@huawei.com>", "To": "<arei.gonglei@huawei.com>, <qemu-devel@nongnu.org>,\n <zhenwei.pi@linux.dev>, <berrange@redhat.com>, <qemu-security@nongnu.org>", "CC": "<mcascell@redhat.com>, Buzzy <buzzy0257@gmail.com>", "Subject": "[PATCH v2] backends/cryptodev-lkcf: fix use-after-free in session\n lifecycle", "Date": "Thu, 16 Apr 2026 14:19:32 +0800", "Message-ID": "<20260416061933.1982-1-arei.gonglei@huawei.com>", "X-Mailer": "git-send-email 2.52.0.windows.1", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Content-Type": "text/plain", "X-Originating-IP": "[10.174.54.174]", "X-ClientProxiedBy": "kwepems200002.china.huawei.com (7.221.188.68) To\n dggpemf200006.china.huawei.com (7.185.36.61)", "Received-SPF": "pass client-ip=113.46.200.217;\n envelope-from=arei.gonglei@huawei.com; helo=canpmsgout02.his.huawei.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "The cryptodev-lkcf backend had a race condition where session close\ncould free a session while tasks using that session were still pending\nin the queue. This leads to use-after-free when the worker thread\nlater accesses the freed session pointer.\n\nAdd reference counting (in_use) and pending_close flag to ensure:\n- New operations are rejected when a session is closing\n- Session close waits for all in-flight tasks to complete\n- No use-after-free can occur\n\nFixes: CVE-2026-6288\nFixes: 39fff6f3e8 (\"cryptodev: Add a lkcf-backend for cryptodev\")\nReported-by: Buzzy <buzzy0257@gmail.com>\nSigned-off-by: Gonglei <arei.gonglei@huawei.com>\nTested-by: Buzzy <buzzy0257@gmail.com>\n---\nChanges:\n\nv2: \n * moved sess->pending_close checking before @task allocated\n in cryptodev_lkcf_operation().\n\n---\n backends/cryptodev-lkcf.c | 59 ++++++++++++++++++++++++++++++++++++++-\n 1 file changed, 58 insertions(+), 1 deletion(-)", "diff": "diff --git a/backends/cryptodev-lkcf.c b/backends/cryptodev-lkcf.c\nindex 40c7bd3c5a..3a93c81372 100644\n--- a/backends/cryptodev-lkcf.c\n+++ b/backends/cryptodev-lkcf.c\n@@ -66,6 +66,9 @@ typedef struct CryptoDevBackendLKCFSession {\n size_t keylen;\n QCryptoAkCipherKeyType keytype;\n QCryptoAkCipherOptions akcipher_opts;\n+ int in_use; /* number of tasks currently using this session */\n+ /* session close requested, waiting for in_use to become 0 */\n+ bool pending_close;\n } CryptoDevBackendLKCFSession;\n \n typedef struct CryptoDevLKCFTask CryptoDevLKCFTask;\n@@ -428,6 +431,18 @@ out:\n if (key_id >= 0) {\n keyctl_unlink(key_id, KCTL_KEY_RING);\n }\n+\n+ /*\n+ * Decrement session in_use counter and signal if session is pending close.\n+ * This allows close_session to proceed after all tasks complete.\n+ */\n+ qemu_mutex_lock(&task->lkcf->mutex);\n+ task->sess->in_use--;\n+ if (task->sess->pending_close && task->sess->in_use == 0) {\n+ qemu_cond_broadcast(&task->lkcf->cond);\n+ }\n+ qemu_mutex_unlock(&task->lkcf->mutex);\n+\n task->status = status;\n \n qemu_mutex_lock(&task->lkcf->rsp_mutex);\n@@ -486,12 +501,32 @@ static int cryptodev_lkcf_operation(\n return -VIRTIO_CRYPTO_INVSESS;\n }\n \n- sess = lkcf->sess[op_info->session_id];\n if (algtype != QCRYPTODEV_BACKEND_ALGO_TYPE_ASYM) {\n error_report(\"algtype not supported: %u\", algtype);\n return -VIRTIO_CRYPTO_NOTSUPP;\n }\n \n+ /*\n+ * Check if session is pending close and increment in_use counter\n+ * atomically under the mutex. This prevents the session from being\n+ * freed while a task is pending.\n+ */\n+ qemu_mutex_lock(&lkcf->mutex);\n+ sess = lkcf->sess[op_info->session_id];\n+ if (!sess) {\n+ qemu_mutex_unlock(&lkcf->mutex);\n+ error_report(\"Cannot find a valid session id: %\" PRIu64 \"\",\n+ op_info->session_id);\n+ return -VIRTIO_CRYPTO_INVSESS;\n+ }\n+ if (sess->pending_close) {\n+ qemu_mutex_unlock(&lkcf->mutex);\n+ error_report(\"Session %\" PRIu64 \" is closing\", op_info->session_id);\n+ return -VIRTIO_CRYPTO_INVSESS;\n+ }\n+ sess->in_use++;\n+ qemu_mutex_unlock(&lkcf->mutex);\n+\n task = g_new0(CryptoDevLKCFTask, 1);\n task->op_info = op_info;\n task->cb = op_info->cb;\n@@ -606,8 +641,30 @@ static int cryptodev_lkcf_close_session(CryptoDevBackend *backend,\n CryptoDevBackendLKCFSession *session;\n \n assert(session_id < MAX_SESSIONS && lkcf->sess[session_id]);\n+\n+ qemu_mutex_lock(&lkcf->mutex);\n session = lkcf->sess[session_id];\n+\n+ /*\n+ * Mark session as pending close. New operations using this session\n+ * will be rejected. We hold the mutex until in_use becomes 0 to\n+ * prevent race conditions.\n+ */\n+ session->pending_close = true;\n+\n+ /*\n+ * Wait for all in-flight tasks using this session to complete.\n+ * The worker thread decrements in_use after task execution.\n+ */\n+ while (session->in_use > 0) {\n+ qemu_cond_wait(&lkcf->cond, &lkcf->mutex);\n+ }\n+\n+ /*\n+ * Now safe to remove session and free resources.\n+ */\n lkcf->sess[session_id] = NULL;\n+ qemu_mutex_unlock(&lkcf->mutex);\n \n g_free(session->key);\n g_free(session);\n", "prefixes": [ "v2" ] }