Message ID | 20181212100819.21295-4-jasowang@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Fix various issue of vhost | expand |
On Wed, Dec 12, 2018 at 06:08:18PM +0800, Jason Wang wrote: > This reverts commit 78139c94dc8c96a478e67dab3bee84dc6eccb5fd. We don't > protect device IOTLB with vq mutex, which will lead e.g use after free > for device IOTLB entries. And since we've switched to use > mutex_trylock() in previous patch, it's safe to revert it without > having deadlock. > > Fixes: commit 78139c94dc8c ("net: vhost: lock the vqs one by one") > Cc: Tonghao Zhang <xiangxia.m.yue@gmail.com> > Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> I'd try to put this in 4.20 if we can and it's needed for -stable I think. Also looks like we should allow iotlb entries per vq to improve locking. What do you think? > --- > drivers/vhost/vhost.c | 21 +++++++++++++++++---- > 1 file changed, 17 insertions(+), 4 deletions(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 5915f240275a..55e5aa662ad5 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -295,11 +295,8 @@ static void vhost_vq_meta_reset(struct vhost_dev *d) > { > int i; > > - for (i = 0; i < d->nvqs; ++i) { > - mutex_lock(&d->vqs[i]->mutex); > + for (i = 0; i < d->nvqs; ++i) > __vhost_vq_meta_reset(d->vqs[i]); > - mutex_unlock(&d->vqs[i]->mutex); > - } > } > > static void vhost_vq_reset(struct vhost_dev *dev, > @@ -895,6 +892,20 @@ static inline void __user *__vhost_get_user(struct vhost_virtqueue *vq, > #define vhost_get_used(vq, x, ptr) \ > vhost_get_user(vq, x, ptr, VHOST_ADDR_USED) > > +static void vhost_dev_lock_vqs(struct vhost_dev *d) > +{ > + int i = 0; > + for (i = 0; i < d->nvqs; ++i) > + mutex_lock_nested(&d->vqs[i]->mutex, i); > +} > + > +static void vhost_dev_unlock_vqs(struct vhost_dev *d) > +{ > + int i = 0; > + for (i = 0; i < d->nvqs; ++i) > + mutex_unlock(&d->vqs[i]->mutex); > +} > + > static int vhost_new_umem_range(struct vhost_umem *umem, > u64 start, u64 size, u64 end, > u64 userspace_addr, int perm) > @@ -976,6 +987,7 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev, > int ret = 0; > > mutex_lock(&dev->mutex); > + vhost_dev_lock_vqs(dev); > switch (msg->type) { > case VHOST_IOTLB_UPDATE: > if (!dev->iotlb) { > @@ -1009,6 +1021,7 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev, > break; > } > > + vhost_dev_unlock_vqs(dev); > mutex_unlock(&dev->mutex); > > return ret; > -- > 2.17.1
On 2018/12/12 下午10:24, Michael S. Tsirkin wrote: > On Wed, Dec 12, 2018 at 06:08:18PM +0800, Jason Wang wrote: >> This reverts commit 78139c94dc8c96a478e67dab3bee84dc6eccb5fd. We don't >> protect device IOTLB with vq mutex, which will lead e.g use after free >> for device IOTLB entries. And since we've switched to use >> mutex_trylock() in previous patch, it's safe to revert it without >> having deadlock. >> >> Fixes: commit 78139c94dc8c ("net: vhost: lock the vqs one by one") >> Cc: Tonghao Zhang<xiangxia.m.yue@gmail.com> >> Signed-off-by: Jason Wang<jasowang@redhat.com> > Acked-by: Michael S. Tsirkin<mst@redhat.com> > > I'd try to put this in 4.20 if we can > and it's needed for -stable I think. > > Also looks like we should allow iotlb entries per vq > to improve locking. What do you think? > Yes, we can do it for -next. Thanks
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5915f240275a..55e5aa662ad5 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -295,11 +295,8 @@ static void vhost_vq_meta_reset(struct vhost_dev *d) { int i; - for (i = 0; i < d->nvqs; ++i) { - mutex_lock(&d->vqs[i]->mutex); + for (i = 0; i < d->nvqs; ++i) __vhost_vq_meta_reset(d->vqs[i]); - mutex_unlock(&d->vqs[i]->mutex); - } } static void vhost_vq_reset(struct vhost_dev *dev, @@ -895,6 +892,20 @@ static inline void __user *__vhost_get_user(struct vhost_virtqueue *vq, #define vhost_get_used(vq, x, ptr) \ vhost_get_user(vq, x, ptr, VHOST_ADDR_USED) +static void vhost_dev_lock_vqs(struct vhost_dev *d) +{ + int i = 0; + for (i = 0; i < d->nvqs; ++i) + mutex_lock_nested(&d->vqs[i]->mutex, i); +} + +static void vhost_dev_unlock_vqs(struct vhost_dev *d) +{ + int i = 0; + for (i = 0; i < d->nvqs; ++i) + mutex_unlock(&d->vqs[i]->mutex); +} + static int vhost_new_umem_range(struct vhost_umem *umem, u64 start, u64 size, u64 end, u64 userspace_addr, int perm) @@ -976,6 +987,7 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev, int ret = 0; mutex_lock(&dev->mutex); + vhost_dev_lock_vqs(dev); switch (msg->type) { case VHOST_IOTLB_UPDATE: if (!dev->iotlb) { @@ -1009,6 +1021,7 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev, break; } + vhost_dev_unlock_vqs(dev); mutex_unlock(&dev->mutex); return ret;
This reverts commit 78139c94dc8c96a478e67dab3bee84dc6eccb5fd. We don't protect device IOTLB with vq mutex, which will lead e.g use after free for device IOTLB entries. And since we've switched to use mutex_trylock() in previous patch, it's safe to revert it without having deadlock. Fixes: commit 78139c94dc8c ("net: vhost: lock the vqs one by one") Cc: Tonghao Zhang <xiangxia.m.yue@gmail.com> Signed-off-by: Jason Wang <jasowang@redhat.com> --- drivers/vhost/vhost.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-)