Merge tag 'kvm-s390-master-4.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux

KVM: s390: another fix for cmma migration

This fixes races and a potential use-after-free in the
cmma migration code.

Changed files
+11 -7
+11 -7
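--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -769,7 +769,7 @@
 
 /*
  * Must be called with kvm->srcu held to avoid races on memslots, and with
- * kvm->lock to avoid races with ourselves and kvm_s390_vm_stop_migration.
+ * kvm->slots_lock to avoid races with ourselves and kvm_s390_vm_stop_migration.
  */
 static int kvm_s390_vm_start_migration(struct kvm *kvm)
 {
@@ -825,7 +825,7 @@
 }
 
 /*
- * Must be called with kvm->lock to avoid races with ourselves and
+ * Must be called with kvm->slots_lock to avoid races with ourselves and
  * kvm_s390_vm_start_migration.
  */
 static int kvm_s390_vm_stop_migration(struct kvm *kvm)
@@ -840,6 +840,8 @@
 
 	if (kvm->arch.use_cmma) {
 		kvm_s390_sync_request_broadcast(kvm, KVM_REQ_STOP_MIGRATION);
+		/* We have to wait for the essa emulation to finish */
+		synchronize_srcu(&kvm->srcu);
 		vfree(mgs->pgste_bitmap);
 	}
 	kfree(mgs);
@@ -851,14 +849,12 @@
 static int kvm_s390_vm_set_migration(struct kvm *kvm,
 				     struct kvm_device_attr *attr)
 {
-	int idx, res = -ENXIO;
+	int res = -ENXIO;
 
-	mutex_lock(&kvm->lock);
+	mutex_lock(&kvm->slots_lock);
 	switch (attr->attr) {
 	case KVM_S390_VM_MIGRATION_START:
-		idx = srcu_read_lock(&kvm->srcu);
 		res = kvm_s390_vm_start_migration(kvm);
-		srcu_read_unlock(&kvm->srcu, idx);
 		break;
 	case KVM_S390_VM_MIGRATION_STOP:
 		res = kvm_s390_vm_stop_migration(kvm);
@@ -864,7 +864,7 @@
 	default:
 		break;
 	}
-	mutex_unlock(&kvm->lock);
+	mutex_unlock(&kvm->slots_lock);
 
 	return res;
 }
@@ -1754,7 +1754,9 @@
 		r = -EFAULT;
 		if (copy_from_user(&args, argp, sizeof(args)))
 			break;
+		mutex_lock(&kvm->slots_lock);
 		r = kvm_s390_get_cmma_bits(kvm, &args);
+		mutex_unlock(&kvm->slots_lock);
 		if (!r) {
 			r = copy_to_user(argp, &args, sizeof(args));
 			if (r)
@@ -1770,7 +1768,9 @@
 		r = -EFAULT;
 		if (copy_from_user(&args, argp, sizeof(args)))
 			break;
+		mutex_lock(&kvm->slots_lock);
 		r = kvm_s390_set_cmma_bits(kvm, &args);
+		mutex_unlock(&kvm->slots_lock);
 		break;
 	}
 	default: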
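Review bot: The header comment on kvm_s390_vm_start_migration (the first hunk, old/new line 771) still says the function `Must be called with kvm->srcu held to avoid races on memslots`, yet the same change drops the srcu_read_lock/srcu_read_unlock pair around the only caller visible here, kvm_s390_vm_set_migration, so the comment now states a requirement no visible caller meets. If kvm->slots_lock is what now serialises against memslot changes (KVM memslot updates are made under slots_lock, so this looks intentional), the two comment lines should say so: ` * Must be called with kvm->slots_lock held to avoid races on memslots and` / ` * with ourselves and kvm_s390_vm_stop_migration.`. The new comment in kvm_s390_vm_stop_migration would also serve a later reader better if it named the hazard rather than the mechanism, e.g. `/* Wait for in-flight essa emulation, which reads pgste_bitmap under srcu, before freeing it */`, since the commit message is the only place that mentions the use-after-free. The bodies of kvm_s390_vm_start_migration and kvm_s390_vm_stop_migration extend outside these hunks, so the srcu usage inside them could not be checked here.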