From patchwork Sat Feb 11 01:07:19 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 55665
Date: Sat, 11 Feb 2023 01:07:19 +0000
Message-ID: <20230211010719.982919-1-seanjc@google.com>
Subject: [PATCH] KVM: Protect vcpu->pid dereference via debugfs with RCU
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Sean Christopherson

Wrap the vcpu->pid dereference in the debugfs hook vcpu_get_pid() with proper RCU read (un)lock. Unlike the code in kvm_vcpu_ioctl(), vcpu_get_pid() is not a simple access; the pid pointer is passed to pid_nr() and fully dereferenced if the pointer is non-NULL.

Failure to acquire RCU could result in use-after-free of the old pid if a different task invokes KVM_RUN and puts the last reference to the old vcpu->pid between vcpu_get_pid() reading the pointer and dereferencing it in pid_nr().

Fixes: e36de87d34a7 ("KVM: debugfs: expose pid of vcpu threads")
Signed-off-by: Sean Christopherson
---
virt/kvm/kvm_main.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

base-commit: 7cb79f433e75b05d1635aefaa851cfcd1cb7dc4f

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index d255964ec331..b7b72c8fb492 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -3867,7 +3867,10 @@ static int create_vcpu_fd(struct kvm_vcpu *vcpu) static int vcpu_get_pid(void *data, u64 *val) { struct kvm_vcpu *vcpu = (struct kvm_vcpu *) data; - *val = pid_nr(rcu_access_pointer(vcpu->pid)); + + rcu_read_lock(); + *val = pid_nr(rcu_dereference(vcpu->pid)); + rcu_read_unlock(); return 0; }
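Review bot: The read-side critical section now spans both the load of vcpu->pid and the pid_nr() dereference, which closes exactly the window the commit message describes, but the hunk is only sufficient if the writer that replaces vcpu->pid waits for an RCU grace period before dropping the old pid's last reference; the commit message says a different task "puts the last reference" without saying that this put is deferred past a grace period, so stating that explicitly would let a reader of this hunk alone see why rcu_read_lock() is enough. Given the Fixes: tag and that the bug is a use-after-free reachable through a debugfs read, consider adding a Cc: stable@vger.kernel.org tag so the fix is picked up by stable kernels.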