SRCU uses a delayed work item. Skip cleaning it up, and
the result is use-after-free in the work item callbacks.
Reported-by: Dmitry Vyukov <[email protected]>
Suggested-by: Dmitry Vyukov <[email protected]>
Cc: [email protected]
Fixes: 0eb05bf290cfe8610d9680b49abef37febd1c38a
Signed-off-by: Paolo Bonzini <[email protected]>
---
arch/x86/include/asm/kvm_page_track.h | 1 +
arch/x86/kvm/page_track.c | 8 ++++++++
arch/x86/kvm/x86.c | 1 +
3 files changed, 10 insertions(+)
diff --git a/arch/x86/include/asm/kvm_page_track.h b/arch/x86/include/asm/kvm_page_track.h
index d74747b031ec..c4eda791f877 100644
--- a/arch/x86/include/asm/kvm_page_track.h
+++ b/arch/x86/include/asm/kvm_page_track.h
@@ -46,6 +46,7 @@ struct kvm_page_track_notifier_node {
};
void kvm_page_track_init(struct kvm *kvm);
+void kvm_page_track_cleanup(struct kvm *kvm);
void kvm_page_track_free_memslot(struct kvm_memory_slot *free,
struct kvm_memory_slot *dont);
diff --git a/arch/x86/kvm/page_track.c b/arch/x86/kvm/page_track.c
index 37942e419c32..60168cdd0546 100644
--- a/arch/x86/kvm/page_track.c
+++ b/arch/x86/kvm/page_track.c
@@ -160,6 +160,14 @@ bool kvm_page_track_is_active(struct kvm_vcpu *vcpu, gfn_t gfn,
return !!ACCESS_ONCE(slot->arch.gfn_track[mode][index]);
}
+void kvm_page_track_cleanup(struct kvm *kvm)
+{
+ struct kvm_page_track_notifier_head *head;
+
+ head = &kvm->arch.track_notifier_head;
+ cleanup_srcu_struct(&head->track_srcu);
+}
+
void kvm_page_track_init(struct kvm *kvm)
{
struct kvm_page_track_notifier_head *head;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 64697fe475c3..f2379673912a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -8070,6 +8070,7 @@ void kvm_arch_sync_events(struct kvm *kvm)
cancel_delayed_work_sync(&kvm->arch.kvmclock_update_work);
kvm_free_all_assigned_devices(kvm);
kvm_free_pit(kvm);
+ kvm_page_track_cleanup(kvm);
}
int __x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa, u32 size)
--
1.8.3.1
On 28/03/2017 5:40 PM, Paolo Bonzini wrote:
> void kvm_page_track_init(struct kvm *kvm)
> {
> struct kvm_page_track_notifier_head *head;
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 64697fe475c3..f2379673912a 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -8070,6 +8070,7 @@ void kvm_arch_sync_events(struct kvm *kvm)
> cancel_delayed_work_sync(&kvm->arch.kvmclock_update_work);
> kvm_free_all_assigned_devices(kvm);
> kvm_free_pit(kvm);
> + kvm_page_track_cleanup(kvm);
> }
Moving it to kvm_arch_destroy_vm() is better as the init
function is called in kvm_arch_init_vm().
Otherwise it looks great to me:
Reviewed-by: Xiao Guangrong <[email protected]>
Thanks for the fix.
On 28/03/2017 13:25, Xiao Guangrong wrote:
>
>
> On 28/03/2017 5:40 PM, Paolo Bonzini wrote:
>
>> void kvm_page_track_init(struct kvm *kvm)
>> {
>> struct kvm_page_track_notifier_head *head;
>> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>> index 64697fe475c3..f2379673912a 100644
>> --- a/arch/x86/kvm/x86.c
>> +++ b/arch/x86/kvm/x86.c
>> @@ -8070,6 +8070,7 @@ void kvm_arch_sync_events(struct kvm *kvm)
>> cancel_delayed_work_sync(&kvm->arch.kvmclock_update_work);
>> kvm_free_all_assigned_devices(kvm);
>> kvm_free_pit(kvm);
>> + kvm_page_track_cleanup(kvm);
>> }
>
> Moving it to kvm_arch_destroy_vm() is better as the init
> function is called in kvm_arch_init_vm().
That's fine too, thanks!.
Paolo
> Otherwise it looks great to me:
> Reviewed-by: Xiao Guangrong <[email protected]>
>
> Thanks for the fix.