From: Stefano Garzarella
To: "Michael S. Tsirkin"
Cc: linux-kernel@vger.kernel.org, Mike Christie, Stefano Garzarella, Jason Wang, netdev@vger.kernel.org, Asias He, virtualization@lists.linux-foundation.org, Stefan Hajnoczi, kvm@vger.kernel.org
Subject: [PATCH] vhost/vsock: don't check owner in vhost_vsock_stop() while releasing
Date: Mon, 21 Feb 2022 12:49:16 +0100
Message-Id: <20220221114916.107045-1-sgarzare@redhat.com>

vhost_vsock_stop() calls vhost_dev_check_owner() to check the device ownership. It expects current->mm to be valid.

vhost_vsock_stop() is also called by vhost_vsock_dev_release() when the user has not done close(), so when we are in do_exit(). In this case current->mm is invalid and we're releasing the device, so we should clean it anyway.

Let's check the owner only when vhost_vsock_stop() is called by an ioctl.

Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")
Cc: stable@vger.kernel.org
Reported-by: syzbot+1e3ea63db39f2b4440e0@syzkaller.appspotmail.com
Signed-off-by: Stefano Garzarella
---
 drivers/vhost/vsock.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index d6ca1c7ad513..f00d2dfd72b7 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c
@@ -629,16 +629,18 @@ static int vhost_vsock_start(struct vhost_vsock *vsock) return ret; } -static int vhost_vsock_stop(struct vhost_vsock *vsock) +static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner) { size_t i; int ret; mutex_lock(&vsock->dev.mutex); - ret = vhost_dev_check_owner(&vsock->dev); - if (ret) - goto err; + if (check_owner) { + ret = vhost_dev_check_owner(&vsock->dev); + if (ret) + goto err; + } for (i = 0; i < ARRAY_SIZE(vsock->vqs); i++) { struct vhost_virtqueue *vq = &vsock->vqs[i]; @@ -753,7 +755,7 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file) * inefficient. Room for improvement here. */ vsock_for_each_connected_socket(vhost_vsock_reset_orphans); - vhost_vsock_stop(vsock); + vhost_vsock_stop(vsock, false); vhost_vsock_flush(vsock); vhost_dev_stop(&vsock->dev); @@ -868,7 +870,7 @@ static long vhost_vsock_dev_ioctl(struct file *f, unsigned int ioctl, if (start) return vhost_vsock_start(vsock); else - return vhost_vsock_stop(vsock); + return vhost_vsock_stop(vsock, true); case VHOST_GET_FEATURES: features = VHOST_VSOCK_FEATURES; if (copy_to_user(argp, &features, sizeof(features))) -- 2.35.1
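Review bot: In the first hunk (vhost_vsock_stop()), ret is still declared as "int ret;" with no initializer, and its only visible assignment now sits inside "if (check_owner)". The rest of the function is outside the hunk, but unless something later assigns ret before the function returns it, the check_owner == false call returns an indeterminate value. Suggest "int ret = 0;" so the release path has a defined result even though vhost_vsock_dev_release() currently ignores it.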
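Review bot: In the second hunk (vhost_vsock_dev_release()), the bare false in "vhost_vsock_stop(vsock, false);" gives no hint at the call site why the ownership check is skipped. A one-line comment there, or a short description of the new check_owner parameter above vhost_vsock_stop(), saying that release can run from do_exit() where current->mm is not valid and the device has to be stopped regardless, would keep a later cleanup from reintroducing the check on this path.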