CVE-2025-22083

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
17/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint

If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang:

1. Use-after-free when no tpgs are found:

This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do:

vhost_vq_set_backend(vq, vs_tpg);
...

kfree(vs->vs_tpg);
vs->vs_tpg = vs_tpg;

If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via:

kfree(vs->vs_tpg);
vs->vs_tpg = vs_tpg;

If a scsi request is then sent we do:

vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend

which sees the vs_tpg we just did a kfree on.

2. Tpg dir removal hang:

This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1.

The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg.

Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir.

3. Tpg leak:

This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names.

The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and set up a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs.

Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first.
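The refcount accounting behind bug 2 and the effect of the fix can be seen in a small userspace model. The following is an added example and not kernel code: it models only the depend/undepend counting of the set/clear endpoint sequence, and every name in it (model_set_endpoint, model_clear_endpoint, model_run_double_set, struct tpg_model, the tpg1/target1 values) is a constructed stand-in for the real vhost-scsi structures. With the guard disabled the model reproduces the refcount reaching -1 after set, duplicate set, clear; with the guard enabled the second call is rejected with -EEXIST, as the patch does, and the refcount returns to 0.

```c
/*
 * Added example (not kernel code): a userspace model of the vhost-scsi
 * endpoint set/clear refcount accounting described in the advisory.
 * All identifiers here are hypothetical stand-ins for the kernel ones.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_TPGS 8

struct tpg_model {
    const char *name;    /* constructed value such as "tpg1" */
    int refcount;        /* stands in for the target_depend_item count */
};

struct vs_model {
    struct tpg_model *vs_tpg[MAX_TPGS];  /* stands in for vs->vs_tpg */
    int ntpgs;
    char target[32];
    int guard_double_set;                /* 1 = behave like the fixed code */
};

static void depend(struct tpg_model *t)   { t->refcount++; }
static void undepend(struct tpg_model *t) { t->refcount--; }

static int in_array(struct tpg_model **arr, int n, struct tpg_model *t)
{
    for (int i = 0; i < n; i++)
        if (arr[i] == t)
            return 1;
    return 0;
}

/* Model of vhost_scsi_set_endpoint: attach the given tpgs to a target. */
int model_set_endpoint(struct vs_model *vs, const char *target,
                       struct tpg_model **tpgs, int n)
{
    struct tpg_model *tmp[MAX_TPGS];
    int cnt = vs->ntpgs;

    /* The fix: refuse a second call once tpgs have already been added. */
    if (vs->guard_double_set && vs->ntpgs > 0)
        return -EEXIST;

    /* The working array starts as a copy of what is already attached. */
    memcpy(tmp, vs->vs_tpg, sizeof(tmp));

    for (int i = 0; i < n; i++) {
        if (in_array(vs->vs_tpg, vs->ntpgs, tpgs[i]))
            goto undepend;          /* tpg already attached: bail out */
        depend(tpgs[i]);
        tmp[cnt++] = tpgs[i];
    }
    memcpy(vs->vs_tpg, tmp, sizeof(tmp));
    vs->ntpgs = cnt;
    snprintf(vs->target, sizeof(vs->target), "%s", target);
    return 0;

undepend:
    /* Drops a reference on everything in the working array, including
     * tpgs attached by an earlier call: this is the unguarded-path bug. */
    for (int i = 0; i < cnt; i++)
        undepend(tmp[i]);
    return -EEXIST;
}

/* Model of vhost_scsi_clear_endpoint: release every attached tpg. */
int model_clear_endpoint(struct vs_model *vs)
{
    for (int i = 0; i < vs->ntpgs; i++) {
        undepend(vs->vs_tpg[i]);
        vs->vs_tpg[i] = NULL;
    }
    vs->ntpgs = 0;
    vs->target[0] = '\0';
    return 0;
}

/* Run set, duplicate set, clear; return the final refcount of tpg1. */
int model_run_double_set(int guard)
{
    struct tpg_model tpg1 = { "tpg1", 0 };          /* constructed tpg */
    struct tpg_model *list[1] = { &tpg1 };
    struct vs_model vs;

    memset(&vs, 0, sizeof(vs));
    vs.guard_double_set = guard;
    model_set_endpoint(&vs, "target1", list, 1);
    model_set_endpoint(&vs, "target1", list, 1);    /* no clear in between */
    model_clear_endpoint(&vs);
    return tpg1.refcount;
}

int main(void)
{
    printf("unguarded: tpg1 refcount after set/set/clear = %d\n",
           model_run_double_set(0));
    printf("guarded:   tpg1 refcount after set/set/clear = %d\n",
           model_run_double_set(1));
    return 0;
}
```

A refcount of -1 in the unguarded run is the state in which the tpg directory can no longer be removed; the guarded run leaves it at 0, the balanced state a clear_endpoint should restore. The same guard is what makes the use-after-free and the target-name overwrite paths unreachable, since neither can occur unless a second set_endpoint is accepted.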

Impact