Fix use-after-free in virtiofs request worker thread #40792
Open
OneBlue wants to merge 6 commits into
Pull request overview
This PR addresses a potential use-after-free in the VirtioFS request handling path by moving request processing to an overlapped I/O model that can accept connections and process requests within a single worker thread. It also refactors shared accept logic to return an accepted socket directly, and adds a regression-style test to stress multiple VirtioFS-backed DrvFs mounts.
Changes:
- Refactor VirtioFS request worker to use `io::MultiHandleWait` with overlapped accept/read/write handles instead of spawning a thread per request.
- Change `socket::CancellableAccept` to return `std::optional<wil::unique_socket>` and introduce a reusable `io::AcceptHandle` implementation.
- Add a DrvFs test that mounts many VirtioFS shares in a loop to validate stability.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/windows/DrvFsTests.cpp | Adds a stress test that mounts many VirtioFS DrvFs shares and validates access/options. |
| src/windows/wslrelay/main.cpp | Updates to new CancellableAccept return type (optional accepted socket). |
| src/windows/wslrelay/localhost.cpp | Updates accept loop to new CancellableAccept return type and moves socket out of optional. |
| src/windows/service/exe/WslCoreVm.h | Adds ProcessVirtioFsRequest helper declaration for the new VirtioFS worker flow. |
| src/windows/service/exe/WslCoreVm.cpp | Reworks VirtioFS worker to single-threaded overlapped accept/read/write and factors request processing into ProcessVirtioFsRequest. |
| src/windows/common/socket.hpp | Updates CancellableAccept signature to return an optional accepted socket. |
| src/windows/common/socket.cpp | Implements new CancellableAccept using io::AcceptHandle and returns the accepted socket via std::optional. |
| src/windows/common/hvsocket.cpp | Delegates HvSocket CancellableAccept to the updated generic socket accept helper. |
| src/windows/common/HandleIO.h | Replaces SingleAcceptHandle with reusable AcceptHandle that can accept once or repeatedly and owns the accepted socket. |
| src/windows/common/HandleIO.cpp | Implements AcceptHandle (socket creation, accept completion, accept-context update, cancellation handling). |
Comment on lines +29 to 40
| std::optional<wil::unique_socket> wsl::windows::common::socket::CancellableAccept( | ||
| _In_ SOCKET ListenSocket, _In_ DWORD Timeout, _In_opt_ HANDLE ExitHandle, _In_ const std::source_location& Location) | ||
| { | ||
| io::MultiHandleWait io; | ||
|
|
||
| bool accepted = false; | ||
| std::optional<wil::unique_socket> accepted; | ||
|
|
||
| io.AddHandle(std::make_unique<io::SingleAcceptHandle>(ListenSocket, Socket, [&]() { accepted = true; }), io::MultiHandleWait::CancelOnCompleted); | ||
| io.AddHandle( | ||
| std::make_unique<io::AcceptHandle>( | ||
| ListenSocket, true, [&accepted](wil::unique_socket&& socket) { accepted = std::move(socket); }), | ||
| io::MultiHandleWait::CancelOnCompleted); | ||
|
|
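Review bot: The bare `true` passed as the second argument to `io::AcceptHandle` in the new `io.AddHandle(...)` call does not say what it selects. Since this handle type is described as able to accept once or repeatedly, a named constant or enum at the call site (or at least an inline comment) would make the intended mode obvious next to `CancelOnCompleted`. Separately, the signature now returns `std::optional<wil::unique_socket>`, and the hunk does not show whether an empty optional means the `Timeout` elapsed, `ExitHandle` was signalled, or both; a comment on the function stating this would help the callers updated in this PR decide whether to retry or stop.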
Summary of the Pull Request
This change solves a potential use-after-free caused by the lack of synchronization with threads that are spawned to handle virtiofs requests from the guest.
To solve this, this change moves that method to use overlapped IO and handle both the accepts() and the requests with a single thread.
PR Checklist
Detailed Description of the Pull Request / Additional comments
Validation Steps Performed