On Wed, Aug 27, 2025, Sebastian Andrzej Siewior wrote:
> On 2025-08-27 12:41:04 [-0700], Sean Christopherson wrote:
> > Michael,
> > Sean,
>
> would the below work by chance? It is a quick shot but it looks
> symmetrical…
Gah, sorry, I flagged your earlier mail and then forgot to circle back to it (for whatever reason, I didn't entirely grok what you were suggesting).

> diff --git a/kernel/vhost_task.c b/kernel/vhost_task.c > index bc738fa90c1d6..27107dcc1cbfe 100644 > --- a/kernel/vhost_task.c > +++ b/kernel/vhost_task.c > @@ -100,6 +100,7 @@ void vhost_task_stop(struct vhost_task *vtsk) > * freeing it below. > */ > wait_for_completion(&vtsk->exited); > + put_task_struct(vtsk->task); > kfree(vtsk); > } > EXPORT_SYMBOL_GPL(vhost_task_stop); > @@ -148,7 +149,7 @@ struct vhost_task *vhost_task_create(bool (*fn)(void *), > return ERR_CAST(tsk); > } > > - vtsk->task = tsk; > + vtsk->task = get_task_struct(tsk); > return vtsk; > } > EXPORT_SYMBOL_GPL(vhost_task_create);

Nice! This fixes things too. Either solution works for me. Or maybe do both? Attempting to wake a task that vhost_task knows has exited (is exiting?) is a bit gross, but even with that hardening, guarding against UAF is very nice to have too.

Tested-by: Sean Christopherson <sea...@google.com>
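Review bot: in the vhost_task_stop() hunk, the new put_task_struct(vtsk->task) is the only place the reference taken in vhost_task_create() is dropped, so any other path that frees a vhost_task after creation succeeded (a task that exits on its own without the owner ever calling vhost_task_stop(), or a later error path) now leaks a task_struct; please confirm no such path exists or add the matching put there. The comment ending in "* freeing it below." just above wait_for_completion() should also be extended to say that the task reference is held across the wait and released here, since that is now the reason the wait is safe against the task's exit.

Review bot: in the vhost_task_create() hunk, "vtsk->task = get_task_struct(tsk);" relies on get_task_struct() returning its argument, which is fine, but the pairing with the put in vhost_task_stop() is implicit. Add a line to the function's kernel-doc stating that the returned vhost_task holds a reference on the task until vhost_task_stop(), so callers know the stop call is mandatory, and note that the reference is intentionally taken only after the ERR_CAST(tsk) check so the error return does not need a put.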