| From foo@baz Sat Aug 18 11:41:41 CEST 2018 |
| From: Jason Wang <jasowang@redhat.com> |
| Date: Wed, 8 Aug 2018 11:43:04 +0800 |
| Subject: vhost: reset metadata cache when initializing new IOTLB |
| |
| From: Jason Wang <jasowang@redhat.com> |
| |
| [ Upstream commit b13f9c6364373a1b9f71e9846dc4fb199296f926 ] |
| |
| We need to reset metadata cache during new IOTLB initialization, |
| otherwise the stale pointers to previous IOTLB may be still accessed |
| which will lead a use after free. |
| |
| Reported-by: syzbot+c51e6736a1bf614b3272@syzkaller.appspotmail.com |
| Fixes: f88949138058 ("vhost: introduce O(1) vq metadata cache") |
| Signed-off-by: Jason Wang <jasowang@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/vhost/vhost.c | 9 ++++++--- |
| 1 file changed, 6 insertions(+), 3 deletions(-) |
| |
| --- a/drivers/vhost/vhost.c |
| +++ b/drivers/vhost/vhost.c |
| @@ -1556,9 +1556,12 @@ int vhost_init_device_iotlb(struct vhost |
| d->iotlb = niotlb; |
| |
| for (i = 0; i < d->nvqs; ++i) { |
| - mutex_lock(&d->vqs[i]->mutex); |
| - d->vqs[i]->iotlb = niotlb; |
| - mutex_unlock(&d->vqs[i]->mutex); |
| + struct vhost_virtqueue *vq = d->vqs[i]; |
| + |
| + mutex_lock(&vq->mutex); |
| + vq->iotlb = niotlb; |
| + __vhost_vq_meta_reset(vq); |
| + mutex_unlock(&vq->mutex); |
| } |
| |
| vhost_umem_clean(oiotlb); |
