From: Jason Wang <jasowang@redhat.com>
To: mst@redhat.com, kvm@vger.kernel.org,
virtualization@lists.linux-foundation.org,
netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, jgg@ziepe.ca,
Jason Wang <jasowang@redhat.com>
Subject: [PATCH V3 03/10] vhost: validate MMU notifier registration
Date: Wed, 7 Aug 2019 02:54:42 -0400 [thread overview]
Message-ID: <20190807065449.23373-4-jasowang@redhat.com> (raw)
In-Reply-To: <20190807065449.23373-1-jasowang@redhat.com>
The return value of mmu_notifier_register() is not checked in
vhost_vring_set_num_addr(). This will cause an out of sync between mm
and MMU notifier thus a double free. To solve this, introduce a
boolean flag to track whether MMU notifier is registered and only do
unregistering when it was true.
Reported-and-tested-by:
syzbot+e58112d71f77113ddb7b@syzkaller.appspotmail.com
Fixes: 7f466032dc9e ("vhost: access vq metadata through kernel virtual address")
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
drivers/vhost/vhost.c | 19 +++++++++++++++----
drivers/vhost/vhost.h | 1 +
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 488380a581dc..17f6abea192e 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -629,6 +629,7 @@ void vhost_dev_init(struct vhost_dev *dev,
dev->iov_limit = iov_limit;
dev->weight = weight;
dev->byte_weight = byte_weight;
+ dev->has_notifier = false;
init_llist_head(&dev->work_list);
init_waitqueue_head(&dev->wait);
INIT_LIST_HEAD(&dev->read_list);
@@ -730,6 +731,7 @@ long vhost_dev_set_owner(struct vhost_dev *dev)
if (err)
goto err_mmu_notifier;
#endif
+ dev->has_notifier = true;
return 0;
@@ -959,7 +961,11 @@ void vhost_dev_cleanup(struct vhost_dev *dev)
}
if (dev->mm) {
#if VHOST_ARCH_CAN_ACCEL_UACCESS
- mmu_notifier_unregister(&dev->mmu_notifier, dev->mm);
+ if (dev->has_notifier) {
+ mmu_notifier_unregister(&dev->mmu_notifier,
+ dev->mm);
+ dev->has_notifier = false;
+ }
#endif
mmput(dev->mm);
}
@@ -2064,8 +2070,10 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d,
/* Unregister MMU notifer to allow invalidation callback
* can access vq->uaddrs[] without holding a lock.
*/
- if (d->mm)
+ if (d->has_notifier) {
mmu_notifier_unregister(&d->mmu_notifier, d->mm);
+ d->has_notifier = false;
+ }
vhost_uninit_vq_maps(vq);
#endif
@@ -2085,8 +2093,11 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d,
if (r == 0)
vhost_setup_vq_uaddr(vq);
- if (d->mm)
- mmu_notifier_register(&d->mmu_notifier, d->mm);
+ if (d->mm) {
+ r = mmu_notifier_register(&d->mmu_notifier, d->mm);
+ if (!r)
+ d->has_notifier = true;
+ }
#endif
mutex_unlock(&vq->mutex);
diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
index 42a8c2a13ab1..a9a2a93857d2 100644
--- a/drivers/vhost/vhost.h
+++ b/drivers/vhost/vhost.h
@@ -214,6 +214,7 @@ struct vhost_dev {
int iov_limit;
int weight;
int byte_weight;
+ bool has_notifier;
};
bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int total_len);
--
2.18.1
next prev parent reply other threads:[~2019-08-07 6:55 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-07 6:54 [PATCH V3 00/10] Fixes for metadata accelreation Jason Wang
2019-08-07 6:54 ` [PATCH V3 01/10] vhost: disable metadata prefetch optimization Jason Wang
2019-08-07 7:05 ` Jason Wang
2019-08-07 7:05 ` Jason Wang
2019-08-07 6:54 ` Jason Wang
2019-08-07 6:54 ` [PATCH V3 02/10] vhost: don't set uaddr for invalid address Jason Wang
2019-08-07 6:54 ` Jason Wang
2019-08-07 6:54 ` [PATCH V3 03/10] vhost: validate MMU notifier registration Jason Wang
2019-08-07 6:54 ` Jason Wang [this message]
2019-08-07 6:54 ` [PATCH V3 04/10] vhost: fix vhost map leak Jason Wang
2019-08-07 6:54 ` Jason Wang
2019-08-07 6:54 ` [PATCH V3 05/10] vhost: reset invalidate_count in vhost_set_vring_num_addr() Jason Wang
2019-08-07 6:54 ` Jason Wang
2019-08-07 6:54 ` [PATCH V3 06/10] vhost: mark dirty pages during map uninit Jason Wang
2019-08-07 6:54 ` Jason Wang
2019-08-07 6:54 ` [PATCH V3 07/10] vhost: don't do synchronize_rcu() in vhost_uninit_vq_maps() Jason Wang
2019-08-07 6:54 ` Jason Wang
2019-08-07 6:54 ` [PATCH V3 08/10] vhost: do not use RCU to synchronize MMU notifier with worker Jason Wang
2019-08-07 6:54 ` Jason Wang
2019-08-07 6:54 ` [PATCH V3 09/10] vhost: correctly set dirty pages in MMU notifiers callback Jason Wang
2019-08-07 6:54 ` Jason Wang
2019-08-07 6:54 ` [PATCH V3 10/10] vhost: do not return -EAGAIN for non blocking invalidation too early Jason Wang
2019-08-07 6:54 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190807065449.23373-4-jasowang@redhat.com \
--to=jasowang@redhat.com \
--cc=jgg@ziepe.ca \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.