search for: vhost_vring_set_num_addr

On Tue, Jul 23, 2019 at 03:57:14AM -0400, Jason Wang wrote: > The return value of mmu_notifier_register() is not checked in > vhost_vring_set_num_addr(). This will cause an out of sync between mm > and MMU notifier thus a double free. To solve this, introduce a > boolean flag to track whether MMU notifier is registered and only do > unregistering when it was true. > > Reported-and-tested-by: > syzbot+e58112d71f77113ddb7b at syz...

Hi all: This series try to fix several issues introduced by meta data accelreation series. Please review. Jason Wang (6): vhost: don't set uaddr for invalid address vhost: validate MMU notifier registration vhost: fix vhost map leak vhost: reset invalidate_count in vhost_set_vring_num_addr() vhost: mark dirty pages during map uninit vhost: don't do synchronize_rcu() in

The return value of mmu_notifier_register() is not checked in vhost_vring_set_num_addr(). This will cause an out of sync between mm and MMU notifier thus a double free. To solve this, introduce a boolean flag to track whether MMU notifier is registered and only do unregistering when it was true. Reported-and-tested-by: syzbot+e58112d71f77113ddb7b at syzkaller.appspotmail.com Fixes:...

...--- > drivers/vhost/vhost.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 03666b702498..89c9f08b5146 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -2074,6 +2074,10 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, > d->has_notifier = false; > } > > + /* reset invalidate_count in case we are in the middle of > + * invalidate_start() and invalidate_end(). > + */ > + vq->invalidate_count = 0; I think that the code is ok but the comments are not very clea...

...Wang <jasowang at redhat.com> > drivers/vhost/vhost.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 2a3154976277..2a7217c33668 100644 > +++ b/drivers/vhost/vhost.c > @@ -2073,6 +2073,10 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, > d->has_notifier = false; > } > > + /* reset invalidate_count in case we are in the middle of > + * invalidate_start() and invalidate_end(). > + */ > + vq->invalidate_count = 0; > vhost_uninit_vq_maps(vq); > #endif >

...Wang <jasowang at redhat.com> > drivers/vhost/vhost.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 2a3154976277..2a7217c33668 100644 > +++ b/drivers/vhost/vhost.c > @@ -2073,6 +2073,10 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, > d->has_notifier = false; > } > > + /* reset invalidate_count in case we are in the middle of > + * invalidate_start() and invalidate_end(). > + */ > + vq->invalidate_count = 0; > vhost_uninit_vq_maps(vq); > #endif >

...ap __rcu *map; @@ -1846,7 +1846,7 @@ int vq_meta_prefetch(struct vhost_virtqueue *vq) unsigned int num = vq->num; if (!vq->iotlb) { -#if VHOST_ARCH_CAN_ACCEL_UACCESS +#ifdef VHOST_ARCH_CAN_ACCEL_UACCESS vhost_vq_map_prefetch(vq); #endif return 1; @@ -2061,7 +2061,7 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, mutex_lock(&vq->mutex); -#if VHOST_ARCH_CAN_ACCEL_UACCESS +#ifdef VHOST_ARCH_CAN_ACCEL_UACCESS /* Unregister MMU notifer to allow invalidation callback * can access vq->uaddrs[] without holding a lock. */ @@ -2082,7 +2082,7 @@ static long vhost_vring_set...

...ap __rcu *map; @@ -1846,7 +1846,7 @@ int vq_meta_prefetch(struct vhost_virtqueue *vq) unsigned int num = vq->num; if (!vq->iotlb) { -#if VHOST_ARCH_CAN_ACCEL_UACCESS +#ifdef VHOST_ARCH_CAN_ACCEL_UACCESS vhost_vq_map_prefetch(vq); #endif return 1; @@ -2061,7 +2061,7 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, mutex_lock(&vq->mutex); -#if VHOST_ARCH_CAN_ACCEL_UACCESS +#ifdef VHOST_ARCH_CAN_ACCEL_UACCESS /* Unregister MMU notifer to allow invalidation callback * can access vq->uaddrs[] without holding a lock. */ @@ -2082,7 +2082,7 @@ static long vhost_vring_set...

Hi all: This series try to fix several issues introduced by meta data accelreation series. Please review. Changes from V2: - use seqlck helper to synchronize MMU notifier with vhost worker Changes from V1: - try not use RCU to syncrhonize MMU notifier with vhost worker - set dirty pages after no readers - return -EAGAIN only when we find the range is overlapped with metadata Jason Wang (9):

Hi all: This series try to fix several issues introduced by meta data accelreation series. Please review. Changes from V4: - switch to use spinlock synchronize MMU notifier with accessors Changes from V3: - remove the unnecessary patch Changes from V2: - use seqlck helper to synchronize MMU notifier with vhost worker Changes from V1: - try not use RCU to syncrhonize MMU notifier with vhost

Hi all: This series try to fix several issues introduced by meta data accelreation series. Please review. Changes from V4: - switch to use spinlock synchronize MMU notifier with accessors Changes from V3: - remove the unnecessary patch Changes from V2: - use seqlck helper to synchronize MMU notifier with vhost worker Changes from V1: - try not use RCU to syncrhonize MMU notifier with vhost

Hi all: This series try to fix several issues introduced by meta data accelreation series. Please review. Changes from V3: - remove the unnecessary patch Changes from V2: - use seqlck helper to synchronize MMU notifier with vhost worker Changes from V1: - try not use RCU to syncrhonize MMU notifier with vhost worker - set dirty pages after no readers - return -EAGAIN only when we find the

Hi all: This series try to fix several issues introduced by meta data accelreation series. Please review. Changes from V3: - remove the unnecessary patch Changes from V2: - use seqlck helper to synchronize MMU notifier with vhost worker Changes from V1: - try not use RCU to syncrhonize MMU notifier with vhost worker - set dirty pages after no readers - return -EAGAIN only when we find the

...eta_prefetch(struct vhost_virtqueue *vq) > unsigned int num = vq->num; > > if (!vq->iotlb) { > -#if VHOST_ARCH_CAN_ACCEL_UACCESS > +#ifdef VHOST_ARCH_CAN_ACCEL_UACCESS > vhost_vq_map_prefetch(vq); > #endif > return 1; > @@ -2061,7 +2061,7 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, > > mutex_lock(&vq->mutex); > > -#if VHOST_ARCH_CAN_ACCEL_UACCESS > +#ifdef VHOST_ARCH_CAN_ACCEL_UACCESS > /* Unregister MMU notifer to allow invalidation callback > * can access vq->uaddrs[] without holding a lock. > */ > @@ -...

...son Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 03666b702498..89c9f08b5146 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2074,6 +2074,10 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, d->has_notifier = false; } + /* reset invalidate_count in case we are in the middle of + * invalidate_start() and invalidate_end(). + */ + vq->invalidate_count = 0; vhost_uninit_vq_maps(vq); #endif -- 2.18.1

...son Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 2a3154976277..2a7217c33668 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2073,6 +2073,10 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, d->has_notifier = false; } + /* reset invalidate_count in case we are in the middle of + * invalidate_start() and invalidate_end(). + */ + vq->invalidate_count = 0; vhost_uninit_vq_maps(vq); #endif -- 2.18.1

...com> >> drivers/vhost/vhost.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c >> index 2a3154976277..2a7217c33668 100644 >> +++ b/drivers/vhost/vhost.c >> @@ -2073,6 +2073,10 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, >> d->has_notifier = false; >> } >> >> + /* reset invalidate_count in case we are in the middle of >> + * invalidate_start() and invalidate_end(). >> + */ >> + vq->invalidate_count = 0; >> vhost_uninit_vq_maps...

...t; - vhost_vq_map_prefetch(vq); > -#endif > + if (!vq->iotlb) > return 1; > - } > > return iotlb_access_ok(vq, VHOST_ACCESS_RO, (u64)(uintptr_t)vq->desc, > vhost_get_desc_size(vq, num), VHOST_ADDR_DESC) && > @@ -2060,16 +1568,6 @@ static long vhost_vring_set_num_addr(struct vhost_dev *d, > > mutex_lock(&vq->mutex); > > -#if VHOST_ARCH_CAN_ACCEL_UACCESS > - /* Unregister MMU notifer to allow invalidation callback > - * can access vq->uaddrs[] without holding a lock. > - */ > - if (d->mm) > - mmu_notifier_unregiste...

...1577 | eventfp = f.fd == -1 ? NULL : eventfd_fget(f.fd); | ^ cc1: some warnings being treated as errors vim +1577 drivers/vhost/vhost.c feebcaeac79ad8 Jason Wang 2019-05-24 1493 feebcaeac79ad8 Jason Wang 2019-05-24 1494 static long vhost_vring_set_num_addr(struct vhost_dev *d, feebcaeac79ad8 Jason Wang 2019-05-24 1495 struct vhost_virtqueue *vq, feebcaeac79ad8 Jason Wang 2019-05-24 1496 unsigned int ioctl, feebcaeac79ad8 Jason Wang 2019-05-24 1497 void __user *argp) feebcaeac79ad8 Jason Wang...

Hi all: This series try to fix several issues introduced by meta data accelreation series. Please review. Changes from V1: - Try not use RCU to syncrhonize MMU notifier with vhost worker - set dirty pages after no readers - return -EAGAIN only when we find the range is overlapped with metadata Jason Wang (9): vhost: don't set uaddr for invalid address vhost: validate MMU notifier