vhost: reset metadata cache when initializing new IOTLB

We need to reset metadata cache during new IOTLB initialization, otherwise the stale pointers to previous IOTLB may be still accessed which will lead a use after free. Reported-by: syzbot+c51e6736a1bf614b3272@syzkaller.appspotmail.com Fixes: f8894913 ("vhost: introduce O(1) vq metadata cache") Signed-off-by: N Jason Wang <jasowang@redhat.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

vhost: reset metadata cache when initializing new IOTLB
We need to reset metadata cache during new IOTLB initialization, otherwise the stale pointers to previous IOTLB may be still accessed which will lead a use after free. Reported-by: syzbot+c51e6736a1bf614b3272@syzkaller.appspotmail.com Fixes: f8894913 ("vhost: introduce O(1) vq metadata cache") Signed-off-by: N Jason Wang <jasowang@redhat.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
b13f9c63 · Jason Wang · David S. Miller · 0dcb8225 · b13f9c63
隐藏空白更改
内联并排

Showing with 6 addition and 3 deletion

drivers/vhost/vhost.c drivers/vhost/vhost.c +6 -3

未找到文件。
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1560,9 +1560,12 @@ int vhost_init_device_iotlb(struct vhost_dev *d, bool enabled)
 	d->iotlb = niotlb;

 	for (i = 0; i < d->nvqs; ++i) {
-		mutex_lock(&d->vqs[i]->mutex);
-		d->vqs[i]->iotlb = niotlb;
-		mutex_unlock(&d->vqs[i]->mutex);
+		struct vhost_virtqueue *vq = d->vqs[i];
+
+		mutex_lock(&vq->mutex);
+		vq->iotlb = niotlb;
+		__vhost_vq_meta_reset(vq);
+		mutex_unlock(&vq->mutex);
 	}

 	vhost_umem_clean(oiotlb);