From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
"Denis Kirjanov" <kda@linux-powerpc.org>,
"Christoffer Dall" <christoffer.dall@linaro.org>,
"Christian Borntraeger" <borntraeger@de.ibm.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>
Subject: [PATCH 3.16 12/16] KVM: Protect device ops->create and list_add with kvm->lock
Date: Fri, 22 Mar 2019 05:20:18 +0000 [thread overview]
Message-ID: <lsq.1553232018.764753734@decadent.org.uk> (raw)
In-Reply-To: <lsq.1553232017.771830163@decadent.org.uk>
3.16.64-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Dall <christoffer.dall@linaro.org>
commit a28ebea2adc4a2bef5989a5a181ec238f59fbcad upstream.
KVM devices were manipulating list data structures without any form of
synchronization, and some implementations of the create operations also
suffered from a lack of synchronization.
Now when we've split the xics create operation into create and init, we
can hold the kvm->lock mutex while calling the create operation and when
manipulating the devices list.
The error path in the generic code gets slightly ugly because we have to
take the mutex again and delete the device from the list, but holding
the mutex during anon_inode_getfd or releasing/locking the mutex in the
common non-error path seemed wrong.
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16:
- Drop change to a failure path that doesn't exist in kvm_vgic_create()
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -799,10 +799,13 @@ long kvm_arch_vm_ioctl(struct file *filp
switch (ioctl) {
case KVM_CREATE_IRQCHIP: {
- if (vgic_present)
- return kvm_vgic_create(kvm);
- else
+ int ret;
+ if (!vgic_present)
return -ENXIO;
+ mutex_lock(&kvm->lock);
+ ret = kvm_vgic_create(kvm);
+ mutex_unlock(&kvm->lock);
+ return ret;
}
case KVM_ARM_SET_DEVICE_ADDR: {
struct kvm_arm_device_addr dev_addr;
--- a/arch/powerpc/kvm/book3s_xics.c
+++ b/arch/powerpc/kvm/book3s_xics.c
@@ -1239,12 +1239,10 @@ static int kvmppc_xics_create(struct kvm
xics->kvm = kvm;
/* Already there ? */
- mutex_lock(&kvm->lock);
if (kvm->arch.xics)
ret = -EEXIST;
else
kvm->arch.xics = xics;
- mutex_unlock(&kvm->lock);
if (ret) {
kfree(xics);
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1059,6 +1059,12 @@ struct kvm_device {
/* create, destroy, and name are mandatory */
struct kvm_device_ops {
const char *name;
+
+ /*
+ * create is called holding kvm->lock and any operations not suitable
+ * to do while holding the lock should be deferred to init (see
+ * below).
+ */
int (*create)(struct kvm_device *dev, u32 type);
/*
--- a/virt/kvm/arm/vgic.c
+++ b/virt/kvm/arm/vgic.c
@@ -1624,12 +1624,8 @@ int kvm_vgic_create(struct kvm *kvm)
int i, vcpu_lock_idx = -1, ret;
struct kvm_vcpu *vcpu;
- mutex_lock(&kvm->lock);
-
- if (kvm->arch.vgic.vctrl_base) {
- ret = -EEXIST;
- goto out;
- }
+ if (kvm->arch.vgic.vctrl_base)
+ return -EEXIST;
/*
* Any time a vcpu is run, vcpu_load is called which tries to grab the
@@ -1659,9 +1655,6 @@ out_unlock:
vcpu = kvm_get_vcpu(kvm, vcpu_lock_idx);
mutex_unlock(&vcpu->mutex);
}
-
-out:
- mutex_unlock(&kvm->lock);
return ret;
}
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -587,6 +587,11 @@ static void kvm_destroy_devices(struct k
{
struct list_head *node, *tmp;
+ /*
+ * We do not need to take the kvm->lock here, because nobody else
+ * has a reference to the struct kvm at this point and therefore
+ * cannot access the devices list anyhow.
+ */
list_for_each_safe(node, tmp, &kvm->devices) {
struct kvm_device *dev =
list_entry(node, struct kvm_device, vm_node);
@@ -2322,11 +2327,15 @@ static int kvm_ioctl_create_device(struc
dev->ops = ops;
dev->kvm = kvm;
+ mutex_lock(&kvm->lock);
ret = ops->create(dev, cd->type);
if (ret < 0) {
+ mutex_unlock(&kvm->lock);
kfree(dev);
return ret;
}
+ list_add(&dev->vm_node, &kvm->devices);
+ mutex_unlock(&kvm->lock);
if (ops->init)
ops->init(dev);
@@ -2334,10 +2343,12 @@ static int kvm_ioctl_create_device(struc
ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
if (ret < 0) {
ops->destroy(dev);
+ mutex_lock(&kvm->lock);
+ list_del(&dev->vm_node);
+ mutex_unlock(&kvm->lock);
return ret;
}
- list_add(&dev->vm_node, &kvm->devices);
kvm_get_kvm(kvm);
cd->fd = ret;
return 0;
next prev parent reply other threads:[~2019-03-22 5:23 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-22 5:20 [PATCH 3.16 00/16] 3.16.64-rc1 review Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 08/16] HID: debug: fix error handling in hid_debug_events_read() Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 07/16] can: gw: ensure DLC boundaries after CAN frame modification Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 09/16] HID: debug: improve hid_debug_event() Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 05/16] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 15/16] KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 02/16] mm: cma: fix incorrect type conversion for size during dma allocation Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 14/16] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 11/16] KVM: PPC: Move xics_debugfs_init out of create Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 01/16] xfs: don't BUG() on mixed direct and mapped I/O Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 13/16] KVM: use after free in kvm_ioctl_create_device() Ben Hutchings
2019-03-22 5:20 ` Ben Hutchings [this message]
2019-03-22 5:20 ` [PATCH 3.16 06/16] net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 10/16] HID: debug: fix the ring buffer implementation Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 03/16] swiotlb: clean up reporting Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 04/16] sunrpc: use-after-free in svc_process_common() Ben Hutchings
2019-03-22 5:20 ` [PATCH 3.16 16/16] KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) Ben Hutchings
2019-03-22 13:44 ` [PATCH 3.16 00/16] 3.16.64-rc1 review Guenter Roeck
2019-03-23 4:43 ` Guenter Roeck
2019-03-24 23:25 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1553232018.764753734@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=borntraeger@de.ibm.com \
--cc=christoffer.dall@linaro.org \
--cc=kda@linux-powerpc.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.