From: Thomas Gleixner
To: kvm@vger.kernel.org
Cc: Paolo Bonzini, Sean Christopherson, x86@kernel.org, LKML
Subject: KVM: x86: Cancel pvclock_gtod_work on module removal
Date: Wed, 05 May 2021 23:48:17 +0200
Message-ID: <87czu4onry.ffs@nanos.tec.linutronix.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Nothing prevents the following:

  pvclock_gtod_notify()
    queue_work(system_long_wq, &pvclock_gtod_work);
  ...
  remove_module(kvm);
  ...
  work_queue_run()
    pvclock_gtod_work()  <- UAF

Ditto for any other operation on that workqueue list head which touches
pvclock_gtod_work after module removal.

Cancel the work in kvm_arch_exit() to prevent that.

Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes")
Signed-off-by: Thomas Gleixner
---
Found by inspection because of:

  https://lkml.kernel.org/r/0000000000001d43ac05c0f5c6a0@google.com

See also:

  https://lkml.kernel.org/r/20210505105940.190490250@infradead.org

TL;DR: Scheduling work with tk_core.seq write held is a bad idea.
---
 arch/x86/kvm/x86.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -8168,6 +8168,7 @@ void kvm_arch_exit(void) cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE); #ifdef CONFIG_X86_64 pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier); + cancel_work_sync(&pvclock_gtod_work); #endif kvm_x86_ops.hardware_enable = NULL; kvm_mmu_module_exit();
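Review bot: the placement of the new line after pvclock_gtod_unregister_notifier() is the part that matters, and it is right: cancel_work_sync() only closes the window if nothing can re-queue pvclock_gtod_work afterwards, and the commit message names pvclock_gtod_notify() as the queuing path, so cancelling before the notifier is unregistered would leave a clocksource change free to re-arm the work just before the module is freed. A one-line comment above `+ cancel_work_sync(&pvclock_gtod_work);` stating that the order must stay unregister-then-cancel would protect that invariant from a future reshuffle of kvm_arch_exit(). It is also worth noting in that comment that cancel_work_sync(), unlike cancel_work(), waits for an already running instance, which is what covers the "any other operation on that workqueue list head" case the commit message mentions.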
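The use-after-free sequence from the commit message, replayed as an added example that is not part of the patch or of the kernel tree. The single-slot workqueue, the notifier and the module state below are constructed stand-ins (toy_* functions and globals), not the kernel's struct work_struct, system_long_wq or pvclock_gtod_* APIs. It shows why the pending work must be cancelled in the exit path, and why the cancel has to come after the notifier is unregistered; a second variant cancels first and lets a notifier call race with the exit path to show the window that ordering would leave open.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy work item and single-slot workqueue: stand-ins for struct work_struct
 * and system_long_wq, constructed for this example. */
struct work_item {
    void (*func)(struct work_item *w);
    bool pending;
};
static struct work_item *queued;            /* the one item waiting to run */

static void toy_queue_work(struct work_item *w)
{
    if (w->pending) return;                 /* queue_work(): no-op if already pending */
    w->pending = true;
    queued = w;
}

static void toy_cancel_work_sync(struct work_item *w)
{
    if (queued == w)
        queued = NULL;
    w->pending = false;
}

static void toy_run_workqueue(void)
{
    struct work_item *w = queued;
    queued = NULL;
    if (!w) return;
    w->pending = false;
    w->func(w);
}

/* Toy module state. The work item is embedded in module data, just as
 * pvclock_gtod_work is static data of kvm.ko. */
static struct work_item gtod_work;
static bool notifier_registered;            /* pvclock_gtod_notifier is on the chain */
static bool module_freed;                   /* true once "rmmod" has completed */
static bool uaf_observed;                   /* work ran against freed module data */

static void gtod_work_fn(struct work_item *w)
{
    (void)w;
    if (module_freed)
        uaf_observed = true;                /* the real kernel would fault here */
}

static void toy_pvclock_gtod_notify(void)   /* a clocksource change queues the work */
{
    if (notifier_registered)
        toy_queue_work(&gtod_work);
}

static void toy_module_init(void)
{
    gtod_work.func = gtod_work_fn;
    gtod_work.pending = false;
    queued = NULL;
    notifier_registered = true;
    module_freed = uaf_observed = false;
}

enum exit_variant {
    EXIT_NO_CANCEL,           /* kvm_arch_exit() before the patch */
    EXIT_CANCEL_AFTER_UNREG,  /* the patch: unregister, then cancel_work_sync() */
    EXIT_CANCEL_BEFORE_UNREG  /* cancel first: the notifier can still re-queue */
};

static void toy_kvm_arch_exit(enum exit_variant v)
{
    if (v == EXIT_CANCEL_BEFORE_UNREG) {
        toy_cancel_work_sync(&gtod_work);
        toy_pvclock_gtod_notify();          /* clocksource change racing with exit */
    }
    notifier_registered = false;            /* pvclock_gtod_unregister_notifier() */
    if (v == EXIT_CANCEL_AFTER_UNREG)
        toy_cancel_work_sync(&gtod_work);
    module_freed = true;                    /* module text and data are gone */
}

/* Replays the sequence from the commit message: notifier queues the work,
 * the module is removed, then the workqueue finally runs. Returns true if
 * the work item touched the module after removal. */
bool replay_unload_race(enum exit_variant v)
{
    toy_module_init();
    toy_pvclock_gtod_notify();              /* work queued on system_long_wq */
    toy_kvm_arch_exit(v);                   /* rmmod kvm before the worker ran */
    toy_run_workqueue();                    /* the worker thread gets to it later */
    return uaf_observed;
}

int main(void)
{
    printf("no cancel: UAF=%d\n", replay_unload_race(EXIT_NO_CANCEL));
    printf("cancel after unregister: UAF=%d\n", replay_unload_race(EXIT_CANCEL_AFTER_UNREG));
    printf("cancel before unregister: UAF=%d\n", replay_unload_race(EXIT_CANCEL_BEFORE_UNREG));
    return 0;
}
```

Only the EXIT_CANCEL_AFTER_UNREG variant, which mirrors the patch, leaves the work item unrun after the module is gone. The model records the bad access in a flag instead of dereferencing freed memory, so it runs deterministically; in the kernel the same ordering mistake is a real use-after-free that KASAN or a fault in the worker thread would surface long after rmmod.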