Date: Thu, 23 Mar 2017 18:31:02 +0100
From: Cornelia Huck
To: David Hildenbrand
Cc: kvm@vger.kernel.org, Paolo Bonzini, rkrcmar@redhat.com, Dmitry Vyukov, Marcelo Tosatti, stable@vger.kernel.org, LKML
Subject: Re: [PATCH v2] KVM: kvm_io_bus_unregister_dev() should never fail

On Thu, 23 Mar 2017 18:24:19 +0100
David Hildenbrand wrote:

> No caller currently checks the return value of
> kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
> freeing their device. A stale reference will remain in the io_bus,
> getting at least used again, when the iobus gets torn down on
> kvm_destroy_vm() - leading to use after free errors.
>
> There is nothing the callers could do, except retrying over and over
> again.
>
> So let's simply remove the bus altogether, print an error and make
> sure no one can access this broken bus again (returning -ENOMEM on any
> attempt to access it).
>
> Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
> Cc: stable@vger.kernel.org # 3.4+
> Reported-by: Dmitry Vyukov
> Signed-off-by: David Hildenbrand
> ---
>
> Based on kvm/queue, where we just got 2a108a4e7c1 ("KVM: x86: clear bus
> pointer when destroyed"), which added a check we need here.
>
> v1 -> v2:
> - added a check in kvm_destroy_vm()
> - added a check in virt/kvm/eventfd.c
>
> Using 'git grep -C 4 "kvm->buses"' should help to find all users. The other
> user in virt/kvm/eventfd.c should be fine.
>
> ---
>  include/linux/kvm_host.h | 4 ++--
>  virt/kvm/eventfd.c | 3 ++-
>  virt/kvm/kvm_main.c | 42 +++++++++++++++++++++++++-----------------
>  3 files changed, 29 insertions(+), 20 deletions(-)

Reviewed-by: Cornelia Huck
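
The failure mode and the fix described in the quoted commit message, as a user-space C model added here (it is not code from the patch or from the kernel). The names `struct vm`, `bus_update`, `bus_unregister_old`, `bus_unregister_fixed` and the `fail_alloc` hook are hypothetical, and plain `calloc`/`free` stand in for the kernel's allocation and SRCU-protected pointer swap.

```c
/* User-space model, constructed for illustration; not the kernel source. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
struct io_bus { int dev_count; void *devs[]; };
struct vm { struct io_bus *bus; };   /* stands in for one kvm->buses[] slot */
static int fail_alloc;               /* hook: simulate allocation failure */
static struct io_bus *bus_alloc(int n)
{
    struct io_bus *b = fail_alloc ? NULL : calloc(1, sizeof(*b) + n * sizeof(void *));
    if (b) b->dev_count = n;
    return b;
}
int bus_has(const struct vm *vm, const void *dev)
{
    for (int i = 0; vm->bus && i < vm->bus->dev_count; i++)
        if (vm->bus->devs[i] == dev)
            return 1;
    return 0;
}
/* Copy-on-update: build a new array with dev added or removed, then swap. */
static int bus_update(struct vm *vm, void *dev, int add)
{
    struct io_bus *old = vm->bus, *nb;
    int j = 0;
    if (!add && !bus_has(vm, dev))
        return -ENOENT;
    if (!old || !(nb = bus_alloc(old->dev_count + (add ? 1 : -1))))
        return -ENOMEM;              /* also the answer once the bus is gone */
    for (int i = 0; i < old->dev_count; i++)
        if (old->devs[i] != dev)
            nb->devs[j++] = old->devs[i];
    if (add)
        nb->devs[j] = dev;
    free(old);
    vm->bus = nb;
    return 0;
}
int bus_register(struct vm *vm, void *dev) { return bus_update(vm, dev, 1); }
/* Before: failure leaves the old array, still pointing at dev, in place. */
int bus_unregister_old(struct vm *vm, void *dev) { return bus_update(vm, dev, 0); }
/* After: cannot fail; on allocation failure the whole bus is dropped. */
void bus_unregister_fixed(struct vm *vm, void *dev)
{
    if (bus_update(vm, dev, 0) != -ENOMEM)
        return;
    fprintf(stderr, "bus: shrink failed, removing bus\n");
    free(vm->bus);
    vm->bus = NULL;                  /* no stale pointer to dev survives */
}
```

With `fail_alloc` set, `bus_unregister_old()` returns `-ENOMEM` while the bus still lists the device, which is the stale reference a caller that ignores the return value then frees; `bus_unregister_fixed()` leaves no bus behind, and later registrations get `-ENOMEM`.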