From: zhenwei pi <zhenwei.pi@linux.dev>
To: Gonglei <arei.gonglei@huawei.com>, qemu-devel@nongnu.org, berrange@redhat.com, qemu-security@nongnu.org
Cc: mcascell@redhat.com, Buzzy <buzzy0257@gmail.com>
Date: Thu, 16 Apr 2026 14:25:45 +0800
Subject: Re: [PATCH v2] backends/cryptodev-lkcf: fix use-after-free in session lifecycle
Message-ID: <6128bece-0ce1-4e46-a4c6-9208dd211ee9@linux.dev>
In-Reply-To: <20260416061933.1982-1-arei.gonglei@huawei.com>
References: <20260416061933.1982-1-arei.gonglei@huawei.com>
List-Id: qemu development <qemu-devel.nongnu.org>
Archived-At: <http://patchwork.ozlabs.org/comment/3677954/>

Reviewed-by: zhenwei pi <zhenwei.pi@linux.dev>

On 4/16/26 14:19, Gonglei wrote:
> The cryptodev-lkcf backend had a race condition where session close
> could free a session while tasks using that session were still pending
> in the queue. This leads to use-after-free when the worker thread
> later accesses the freed session pointer.
> 
> Add reference counting (in_use) and pending_close flag to ensure:
> - New operations are rejected when a session is closing
> - Session close waits for all in-flight tasks to complete
> - No use-after-free can occur
> 
> Fixes: CVE-2026-6288
> Fixes: 39fff6f3e8 ("cryptodev: Add a lkcf-backend for cryptodev")
> Reported-by: Buzzy <buzzy0257@gmail.com>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> Tested-by: Buzzy <buzzy0257@gmail.com>
> ---
> Changes:
> 
> v2:
>   * moved sess->pending_close checking before @task allocated
>     in cryptodev_lkcf_operation().
> 
> ---
>   backends/cryptodev-lkcf.c | 59 ++++++++++++++++++++++++++++++++++++++-
>   1 file changed, 58 insertions(+), 1 deletion(-)
> 
> diff --git a/backends/cryptodev-lkcf.c b/backends/cryptodev-lkcf.c
> index 40c7bd3c5a..3a93c81372 100644
> --- a/backends/cryptodev-lkcf.c
> +++ b/backends/cryptodev-lkcf.c
> @@ -66,6 +66,9 @@ typedef struct CryptoDevBackendLKCFSession {
>       size_t keylen;
>       QCryptoAkCipherKeyType keytype;
>       QCryptoAkCipherOptions akcipher_opts;
> +    int in_use;  /* number of tasks currently using this session */
> +    /* session close requested, waiting for in_use to become 0 */
> +    bool pending_close;
>   } CryptoDevBackendLKCFSession;
>   
>   typedef struct CryptoDevLKCFTask CryptoDevLKCFTask;
> @@ -428,6 +431,18 @@ out:
>       if (key_id >= 0) {
>           keyctl_unlink(key_id, KCTL_KEY_RING);
>       }
> +
> +    /*
> +     * Decrement session in_use counter and signal if session is pending close.
> +     * This allows close_session to proceed after all tasks complete.
> +     */
> +    qemu_mutex_lock(&task->lkcf->mutex);
> +    task->sess->in_use--;
> +    if (task->sess->pending_close && task->sess->in_use == 0) {
> +        qemu_cond_broadcast(&task->lkcf->cond);
> +    }
> +    qemu_mutex_unlock(&task->lkcf->mutex);
> +
>       task->status = status;
>   
>       qemu_mutex_lock(&task->lkcf->rsp_mutex);
> @@ -486,12 +501,32 @@ static int cryptodev_lkcf_operation(
>           return -VIRTIO_CRYPTO_INVSESS;
>       }
>   
> -    sess = lkcf->sess[op_info->session_id];
>       if (algtype != QCRYPTODEV_BACKEND_ALGO_TYPE_ASYM) {
>           error_report("algtype not supported: %u", algtype);
>           return -VIRTIO_CRYPTO_NOTSUPP;
>       }
>   
> +    /*
> +     * Check if session is pending close and increment in_use counter
> +     * atomically under the mutex. This prevents the session from being
> +     * freed while a task is pending.
> +     */
> +    qemu_mutex_lock(&lkcf->mutex);
> +    sess = lkcf->sess[op_info->session_id];
> +    if (!sess) {
> +        qemu_mutex_unlock(&lkcf->mutex);
> +        error_report("Cannot find a valid session id: %" PRIu64 "",
> +                     op_info->session_id);
> +        return -VIRTIO_CRYPTO_INVSESS;
> +    }
> +    if (sess->pending_close) {
> +        qemu_mutex_unlock(&lkcf->mutex);
> +        error_report("Session %" PRIu64 " is closing", op_info->session_id);
> +        return -VIRTIO_CRYPTO_INVSESS;
> +    }
> +    sess->in_use++;
> +    qemu_mutex_unlock(&lkcf->mutex);
> +
>       task = g_new0(CryptoDevLKCFTask, 1);
>       task->op_info = op_info;
>       task->cb = op_info->cb;
> @@ -606,8 +641,30 @@ static int cryptodev_lkcf_close_session(CryptoDevBackend *backend,
>       CryptoDevBackendLKCFSession *session;
>   
>       assert(session_id < MAX_SESSIONS && lkcf->sess[session_id]);
> +
> +    qemu_mutex_lock(&lkcf->mutex);
>       session = lkcf->sess[session_id];
> +
> +    /*
> +     * Mark session as pending close. New operations using this session
> +     * will be rejected. We hold the mutex until in_use becomes 0 to
> +     * prevent race conditions.
> +     */
> +    session->pending_close = true;
> +
> +    /*
> +     * Wait for all in-flight tasks using this session to complete.
> +     * The worker thread decrements in_use after task execution.
> +     */
> +    while (session->in_use > 0) {
> +        qemu_cond_wait(&lkcf->cond, &lkcf->mutex);
> +    }
> +
> +    /*
> +     * Now safe to remove session and free resources.
> +     */
>       lkcf->sess[session_id] = NULL;
> +    qemu_mutex_unlock(&lkcf->mutex);
>   
>       g_free(session->key);
>       g_free(session);
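Review bot: in the `@@ -66,6 +66,9 @@` hunk, the comments on the two new CryptoDevBackendLKCFSession fields should state their locking rule: in the other hunks both `in_use` and `pending_close` are only read and written under `lkcf->mutex`, so `int in_use;  /* tasks using this session; protected by lkcf->mutex */` would make that contract visible to the next person touching the struct. The diff does not touch session creation, so it is also worth confirming that sessions are zero-initialised there; otherwise a freshly created session could start with `pending_close` set or `in_use` nonzero and either reject every operation or never be closable.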
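Review bot: in the `@@ -428,6 +431,18 @@` hunk, once `task->sess->in_use--;` has run and `qemu_mutex_unlock(&task->lkcf->mutex);` returns, close_session may free the session at any moment, so `task->sess` is a dangling pointer from that line on. The visible lines that follow only touch `task->status` and `task->lkcf->rsp_mutex`, which is fine, but the response-delivery path and completion callback that run later (not in this diff) must not reach back into the session either; a short comment saying "sess must not be used after this point" would make the invariant explicit, or the decrement could be moved to after the response has been queued if anything downstream still needs session state.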
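Review bot: in the `@@ -486,12 +501,32 @@` hunk, every error return after `sess->in_use++;` must decrement the counter again, and the diff context does not show whether any exists between the increment and the point where the task is queued: if one does (the lines after `task = g_new0(CryptoDevLKCFTask, 1);` are not in the diff), `in_use` leaks and close_session's `while (session->in_use > 0)` then waits forever for a task that was never submitted. Either route all later failures through one error label that decrements under the mutex, or take the reference at the point where the task is actually enqueued under the same lock. Separately, the pre-existing unlocked lookup that returns `-VIRTIO_CRYPTO_INVSESS` just above is now superseded by the locked re-check; only its bounds check on `session_id` still needs to stay ahead of the array access.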
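Review bot: in the `@@ -606,8 +641,30 @@` hunk, close_session waits on `lkcf->cond`, the same condition variable the worker hunk broadcasts on; if that cond is also the one worker threads sleep on while waiting for new tasks and the enqueue path wakes them with a single signal rather than a broadcast, the signal meant for a worker can wake close_session instead, which re-checks `in_use`, goes back to sleep, and the queued task never runs, so `in_use` never reaches 0 and the use-after-free becomes a hang. A dedicated condition variable for session teardown (or broadcasting on enqueue) avoids that; the lines in this diff cannot confirm which wakeup the enqueue path uses, so it needs checking. Two smaller points: the `assert(session_id < MAX_SESSIONS && lkcf->sess[session_id]);` reads the session table before `qemu_mutex_lock(&lkcf->mutex);` and should move inside the locked region; and the comment "We hold the mutex until in_use becomes 0" is inaccurate because `qemu_cond_wait` releases the mutex while sleeping. The accurate statement is that `pending_close` is set and the slot is cleared under the same lock, so no new operation can take a reference in between.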