author | Jason Wang <jasowang@redhat.com> | 2018-08-08 05:43:04 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-08-08 18:44:39 +0200 |
commit | b13f9c6364373a1b9f71e9846dc4fb199296f926 (patch) | |
tree | 904d5ecac4a32d9ed7408547200fcbf3a7fe1e30 | |
parent | llc: use refcount_inc_not_zero() for llc_sap_find() (diff) | |
vhost: reset metadata cache when initializing new IOTLB
We need to reset the metadata cache during new IOTLB initialization,
otherwise the stale pointers to the previous IOTLB may still be accessed,
which will lead to a use-after-free.
Reported-by: syzbot+c51e6736a1bf614b3272@syzkaller.appspotmail.com
Fixes: f88949138058 ("vhost: introduce O(1) vq metadata cache")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/vhost/vhost.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index a502f1af4a21..ed3114556fda 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -1560,9 +1560,12 @@ int vhost_init_device_iotlb(struct vhost_dev *d, bool enabled) d->iotlb = niotlb; for (i = 0; i < d->nvqs; ++i) { - mutex_lock(&d->vqs[i]->mutex); - d->vqs[i]->iotlb = niotlb; - mutex_unlock(&d->vqs[i]->mutex); + struct vhost_virtqueue *vq = d->vqs[i]; + + mutex_lock(&vq->mutex); + vq->iotlb = niotlb; + __vhost_vq_meta_reset(vq); + mutex_unlock(&vq->mutex); } vhost_umem_clean(oiotlb); |
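Review bot: the new `__vhost_vq_meta_reset(vq)` call deserves a one-line comment in the loop body explaining why it is needed, since the hunk alone does not make it obvious that the per-vq metadata cache holds pointers obtained through the previous IOTLB and would otherwise outlive `vhost_umem_clean(oiotlb)`; something like `/* cached translations refer to the old IOTLB being freed below */` above the call would save the next reader a trip to the commit log. The ordering now matches what the fix requires: each vq switches to `niotlb` and drops its cache under `vq->mutex`, and only after the loop does `vhost_umem_clean(oiotlb)` release the old IOTLB, so no vq can still hold cached metadata from it at free time. One remaining point worth a sentence in the commit message: `d->iotlb = niotlb;` is published before the loop and outside any vq mutex, so it should be stated (or confirmed) that lookups go through `vq->iotlb` rather than `d->iotlb`, as otherwise the window between that assignment and the per-vq update would leave the two fields briefly disagreeing.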