[{"id":3677906,"web_url":"http://patchwork.ozlabs.org/comment/3677906/","msgid":"<8e88cfa9-f5a1-4567-9886-d135eb031430@linux.dev>","list_archive_url":null,"date":"2026-04-16T02:41:52","subject":"Re: [PATCH] backends/cryptodev-lkcf: fix use-after-free in session\n lifecycle","submitter":{"id":92260,"url":"http://patchwork.ozlabs.org/api/people/92260/","name":"zhenwei pi","email":"zhenwei.pi@linux.dev"},"content":"On 4/16/26 09:59, Gonglei wrote:\n> The cryptodev-lkcf backend had a race condition where session close\n> could free a session while tasks using that session were still pending\n> in the queue. This leads to use-after-free when the worker thread\n> later accesses the freed session pointer.\n> \n> Add reference counting (in_use) and pending_close flag to ensure:\n> - New operations are rejected when a session is closing\n> - Session close waits for all in-flight tasks to complete\n> - No use-after-free can occur\n> \n> Fixes: CVE-2026-6288\n> Fixes: 39fff6f3e8 (\"cryptodev: Add a lkcf-backend for cryptodev\")\n> Reported-by: Buzzy <buzzy0257@gmail.com>\n> Signed-off-by: Gonglei <arei.gonglei@huawei.com>\n> Tested-by: Buzzy <buzzy0257@gmail.com>\n> ---\n>   backends/cryptodev-lkcf.c | 54 +++++++++++++++++++++++++++++++++++++++\n>   1 file changed, 54 insertions(+)\n> \n> diff --git a/backends/cryptodev-lkcf.c b/backends/cryptodev-lkcf.c\n> index 40c7bd3c5a..dc39b7f5aa 100644\n> --- a/backends/cryptodev-lkcf.c\n> +++ b/backends/cryptodev-lkcf.c\n> @@ -66,6 +66,9 @@ typedef struct CryptoDevBackendLKCFSession {\n>       size_t keylen;\n>       QCryptoAkCipherKeyType keytype;\n>       QCryptoAkCipherOptions akcipher_opts;\n> +    int in_use;  /* number of tasks currently using this session */\n> +    /* session close requested, waiting for in_use to become 0 */\n> +    bool pending_close;\n>   } CryptoDevBackendLKCFSession;\n>   \n>   typedef struct CryptoDevLKCFTask CryptoDevLKCFTask;\n> 
@@ -428,6 +431,18 @@ out:\n>       if (key_id >= 0) {\n>           keyctl_unlink(key_id, KCTL_KEY_RING);\n>       }\n> +\n> +    /*\n> +     * Decrement session in_use counter and signal if session is pending close.\n> +     * This allows close_session to proceed after all tasks complete.\n> +     */\n> +    qemu_mutex_lock(&task->lkcf->mutex);\n> +    task->sess->in_use--;\n> +    if (task->sess->pending_close && task->sess->in_use == 0) {\n> +        qemu_cond_broadcast(&task->lkcf->cond);\n> +    }\n> +    qemu_mutex_unlock(&task->lkcf->mutex);\n> +\n>       task->status = status;\n>   \n>       qemu_mutex_lock(&task->lkcf->rsp_mutex);\n> 
@@ -500,7 +515,24 @@ static int cryptodev_lkcf_operation(\n>       task->lkcf = lkcf;\n>       task->status = -VIRTIO_CRYPTO_ERR;\n>   \n> +    /*\n> +     * Increment session in_use counter before adding task to queue.\n> +     * This prevents the session from being freed while a task is pending.\n> +     */\n>       qemu_mutex_lock(&lkcf->mutex);\n> +    sess->in_use++;\n> +\n> +    /*\n> +     * Check if session is pending close - if so, reject this operation\n> +     * to avoid potential use-after-free.\n> +     */\n> +    if (sess->pending_close) {\n> +        sess->in_use--;\n> +        qemu_mutex_unlock(&lkcf->mutex);\n> +        error_report(\"Session %\" PRIu64 \" is closing\", op_info->session_id);\n> +        g_free(task);\n> +        return -VIRTIO_CRYPTO_INVSESS;\n> +    }\n\nWhat about moving this block before 'task = g_new0(CryptoDevLKCFTask, \n1);'? This will simplify this error handling?\n\nqemu_mutex_lock(&lkcf->mutex);\nsess = lkcf->sess[op_info->session_id];\nif (sess->pending_close) {\n     qemu_mutex_unlock(&lkcf->mutex);\n     error_report(\"Session %\" PRIu64 \" is closing\", op_info->session_id);\n     return -VIRTIO_CRYPTO_INVSESS;\n}\n\nsess->in_use++;\nqemu_mutex_unlock(&lkcf->mutex);\n\ntask = g_new0(CryptoDevLKCFTask, 1);\n...\n\n>       QSIMPLEQ_INSERT_TAIL(&lkcf->requests, task, queue);\n>       qemu_mutex_unlock(&lkcf->mutex);\n>       qemu_cond_signal(&lkcf->cond);\n> 
@@ -606,8 +638,30 @@ static int cryptodev_lkcf_close_session(CryptoDevBackend *backend,\n>       CryptoDevBackendLKCFSession *session;\n>   \n>       assert(session_id < MAX_SESSIONS && lkcf->sess[session_id]);\n> +\n> +    qemu_mutex_lock(&lkcf->mutex);\n>       session = lkcf->sess[session_id];\n> +\n> +    /*\n> +     * Mark session as pending close. New operations using this session\n> +     * will be rejected. We hold the mutex until in_use becomes 0 to\n> +     * prevent race conditions.\n> +     */\n> +    session->pending_close = true;\n> +\n> +    /*\n> +     * Wait for all in-flight tasks using this session to complete.\n> +     * The worker thread decrements in_use after task execution.\n> +     */\n> +    while (session->in_use > 0) {\n> +        qemu_cond_wait(&lkcf->cond, &lkcf->mutex);\n> +    }\n> +\n> +    /*\n> +     * Now safe to remove session and free resources.\n> +     */\n>       lkcf->sess[session_id] = NULL;\n> +    qemu_mutex_unlock(&lkcf->mutex);\n>   \n>       g_free(session->key);\n>       g_free(session);","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=linux.dev header.i=@linux.dev header.a=rsa-sha256\n header.s=key1 header.b=IK+k08jz;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fx2PF62nTz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 
12:42:56 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wDCgV-0005kU-OS; Wed, 15 Apr 2026 22:42:27 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zhenwei.pi@linux.dev>)\n id 1wDCgT-0005kD-AU\n for qemu-devel@nongnu.org; Wed, 15 Apr 2026 22:42:25 -0400","from out-170.mta1.migadu.com ([95.215.58.170])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zhenwei.pi@linux.dev>)\n id 1wDCgR-000427-8B\n for qemu-devel@nongnu.org; Wed, 15 Apr 2026 22:42:25 -0400"],"Message-ID":"<8e88cfa9-f5a1-4567-9886-d135eb031430@linux.dev>","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;\n t=1776307331;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=W+SiiAWLLVPpzzN82TUNWPLyd0H30MpGaFlIo2z6QdE=;\n b=IK+k08jzlxz3In6WFoRRf8WZEMe0N8mUdBgDD/PU6JMCX5Szlj5QBzPsLEtnkSzuuvbRk8\n 8Bbk30M7xGD3RBqz+g0POWbqIDAiWfe/2vOZKaZSfOXaCjn9EGk0jH/9MlTFcla/sDsVur\n WXcN8EGSJi1YAvhP/QNQ3NSTjZYTb28=","Date":"Thu, 16 Apr 2026 10:41:52 +0800","MIME-Version":"1.0","Subject":"Re: [PATCH] backends/cryptodev-lkcf: fix use-after-free in session\n lifecycle","To":"Gonglei <arei.gonglei@huawei.com>, qemu-devel@nongnu.org,\n berrange@redhat.com, qemu-security@nongnu.org","Cc":"mcascell@redhat.com, Buzzy <buzzy0257@gmail.com>","References":"<20260416015947.1426-1-arei.gonglei@huawei.com>","Content-Language":"en-US","X-Report-Abuse":"Please report any abuse attempt to abuse@migadu.com and\n include these headers.","From":"zhenwei pi 
<zhenwei.pi@linux.dev>","In-Reply-To":"<20260416015947.1426-1-arei.gonglei@huawei.com>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Migadu-Flow":"FLOW_OUT","Received-SPF":"pass client-ip=95.215.58.170;\n envelope-from=zhenwei.pi@linux.dev;\n helo=out-170.mta1.migadu.com","X-Spam_score_int":"-27","X-Spam_score":"-2.8","X-Spam_bar":"--","X-Spam_report":"(-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_PASS=-0.001,\n SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"}}]
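Review bot: in the `@@ -428,6 +431,18 @@ out:` hunk, the `qemu_cond_broadcast(&task->lkcf->cond)` after `task->sess->in_use--` reuses the condition variable that cryptodev_lkcf_operation signals for new requests (`qemu_cond_signal(&lkcf->cond)` right after the QSIMPLEQ_INSERT_TAIL), so every session drain also wakes any worker sleeping for work and the two wait loops share one wakeup channel. A dedicated condvar for the drain (for example a new `sess_cond` field in the lkcf state, name assumed) keeps the two protocols independent and makes the in_use/pending_close handshake easier to reason about. The placement at `out:` is otherwise right, provided every worker exit path for a dequeued task reaches this label; a task dropped before `out:` would leave in_use stuck above zero and close_session waiting forever.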
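Review bot: in the `@@ -500,7 +515,24 @@ static int cryptodev_lkcf_operation(` hunk, the pending_close check only closes the race if `sess` was loaded from `lkcf->sess[op_info->session_id]` inside this same `qemu_mutex_lock(&lkcf->mutex)` region; the lines above the hunk are not shown, but if the pointer is read before the lock, close_session can observe in_use == 0, clear the slot and free the session in that window, and `sess->in_use++` then writes to freed memory. The restructuring sketched in the reply (lookup, pending_close test and in_use++ as one critical section, before the g_new0) fixes that and also removes the increment-then-decrement on the reject path. Separately, `error_report("Session %" PRIu64 " is closing", op_info->session_id)` sits on a guest-reachable path: a guest that keeps submitting operations against a closing session can flood the host log, so a trace event or a rate-limited warning would be safer than an unconditional error_report.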
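Review bot: in the `@@ -606,8 +638,30 @@ static int cryptodev_lkcf_close_session(` hunk, the comment "We hold the mutex until in_use becomes 0" is inaccurate, because `qemu_cond_wait(&lkcf->cond, &lkcf->mutex)` releases lkcf->mutex for the duration of each wait; what actually protects the slot is that `pending_close = true` is set under the mutex before the wait and `lkcf->sess[session_id] = NULL` is done under the mutex after it, so the comment should say that. Two further points: the `while (session->in_use > 0)` loop waits on the same lkcf->cond that cryptodev_lkcf_operation wakes with qemu_cond_signal, so correctness depends on a worker never sleeping on that condvar while a request is queued (a signal consumed by close_session instead of the worker would otherwise leave the queued task, and this loop, stuck); a separate condvar for draining removes that dependency. And the `assert(session_id < MAX_SESSIONS && lkcf->sess[session_id])` reads the slot before the mutex is taken; moving `qemu_mutex_lock(&lkcf->mutex)` above it keeps every read of `lkcf->sess[]` serialized. The close now also blocks the caller until the worker finishes the session's in-flight keyctl work, which is the intended behaviour but is worth stating in the commit message since it changes control-path latency.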