On Thu, 23 Mar 2017 18:24:19 +0100
David Hildenbrand <david@xxxxxxxxxx> wrote:

> No caller currently checks the return value of
> kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
> freeing their device. A stale reference will remain in the io_bus,
> getting at least used again, when the iobus gets torn down on
> kvm_destroy_vm() - leading to use after free errors.
>
> There is nothing the callers could do, except retrying over and over
> again.
>
> So let's simply remove the bus altogether, print an error and make
> sure no one can access this broken bus again (returning -ENOMEM on any
> attempt to access it).
>
> Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
> Cc: stable@xxxxxxxxxxxxxxx # 3.4+
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Signed-off-by: David Hildenbrand <david@xxxxxxxxxx>
> ---
>
> Based on kvm/queue, where we just got 2a108a4e7c1 ("KVM: x86: clear bus
> pointer when destroyed"), which added a check we need here.
>
> v1 -> v2:
> - added a check in kvm_destroy_vm()
> - added a check in virt/kvm/eventfd.c
>
> Using 'git grep -C 4 "kvm->buses"' should help to find all users. The other
> user in virt/kvm/eventfd.c should be fine.
>
> ---
>  include/linux/kvm_host.h |  4 ++--
>  virt/kvm/eventfd.c       |  3 ++-
>  virt/kvm/kvm_main.c      | 42 +++++++++++++++++++++++++-----------------
>  3 files changed, 29 insertions(+), 20 deletions(-)

Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
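The failure mode the commit message describes, and the shape of the fix, as an added user-space model written for this page (it is not the patch or any kernel code). Names mirror KVM's, but SRCU, the bus size limits and the real callers are left out; the allocation failure is forced with a demo knob (fail_next_alloc), "freeing" a device only records the pointer in freed_devs so the stale entry can be observed without touching freed memory, and -EFAULT is used as a stand-in for the access that would be a use-after-free. Both unregister variants share one shrink step; the old one hands -ENOMEM to a caller that ignores it, the new one drops the bus and leaves NULL behind so later accesses get -ENOMEM and kvm_destroy_vm skips it.

```c
/* Model of the io_bus lifetime bug: added example, not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_BUSES 1
#define MAX_DEVS 8

struct kvm_io_device { int id; };
struct kvm_io_range { unsigned long addr; struct kvm_io_device *dev; };
struct kvm_io_bus { int dev_count; struct kvm_io_range range[]; };
struct kvm { struct kvm_io_bus *buses[NR_BUSES]; };

static struct kvm_io_device *freed_devs[MAX_DEVS]; /* demo: stands in for kfree() */
static int nfreed;
static int fail_next_alloc;                        /* demo: force one kmalloc failure */

static int dev_is_freed(const struct kvm_io_device *dev)
{
    for (int i = 0; i < nfreed; i++)
        if (freed_devs[i] == dev)
            return 1;
    return 0;
}

static struct kvm_io_bus *alloc_bus(int count)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(1, sizeof(struct kvm_io_bus) + (size_t)count * sizeof(struct kvm_io_range));
}

static int kvm_io_bus_register_dev(struct kvm *kvm, int idx, unsigned long addr,
                                   struct kvm_io_device *dev)
{
    struct kvm_io_bus *bus = kvm->buses[idx];
    int n = bus ? bus->dev_count : 0;
    struct kvm_io_bus *new_bus = alloc_bus(n + 1);

    if (!new_bus)
        return -ENOMEM;
    if (bus)
        memcpy(new_bus->range, bus->range, (size_t)n * sizeof(*bus->range));
    new_bus->range[n].addr = addr;
    new_bus->range[n].dev = dev;
    new_bus->dev_count = n + 1;
    kvm->buses[idx] = new_bus;   /* real code: rcu_assign_pointer + synchronize_srcu */
    free(bus);
    return 0;
}

/* Build a copy of bus without dev: 0, -ENOENT (not present) or -ENOMEM. */
static int shrink_bus(struct kvm_io_bus *bus, struct kvm_io_device *dev, struct kvm_io_bus **out)
{
    int i, n = 0;

    for (i = 0; i < bus->dev_count && bus->range[i].dev != dev; i++)
        ;
    if (i == bus->dev_count)
        return -ENOENT;
    if (!(*out = alloc_bus(bus->dev_count - 1)))
        return -ENOMEM;
    for (int j = 0; j < bus->dev_count; j++)
        if (j != i)
            (*out)->range[n++] = bus->range[j];
    (*out)->dev_count = n;
    return 0;
}

/* Before the patch: on -ENOMEM the old bus, still pointing at dev, stays installed. */
static int kvm_io_bus_unregister_dev_old(struct kvm *kvm, int idx, struct kvm_io_device *dev)
{
    struct kvm_io_bus *bus = kvm->buses[idx], *new_bus;
    int r = bus ? shrink_bus(bus, dev, &new_bus) : -ENOENT;

    if (r)
        return r;                /* every caller drops this and frees dev anyway */
    kvm->buses[idx] = new_bus;
    free(bus);
    return 0;
}

/* After the patch: nothing useful to report, so drop the whole bus instead. */
static void kvm_io_bus_unregister_dev_new(struct kvm *kvm, int idx, struct kvm_io_device *dev)
{
    struct kvm_io_bus *bus = kvm->buses[idx], *new_bus;
    int r;

    if (!bus)                    /* bus already removed by an earlier failure */
        return;
    r = shrink_bus(bus, dev, &new_bus);
    if (r == -ENOENT)
        return;
    if (r == -ENOMEM) {
        fprintf(stderr, "kvm: failed to shrink bus, removing it completely\n");
        new_bus = NULL;          /* NULL makes every later access fail with -ENOMEM */
    }
    kvm->buses[idx] = new_bus;
    free(bus);
}

static int kvm_io_bus_read(struct kvm *kvm, int idx, unsigned long addr)
{
    struct kvm_io_bus *bus = kvm->buses[idx];

    if (!bus)
        return -ENOMEM;
    for (int i = 0; i < bus->dev_count; i++)
        if (bus->range[i].addr == addr)
            return dev_is_freed(bus->range[i].dev) ? -EFAULT /* demo: this would be the UAF */
                                                   : bus->range[i].dev->id;
    return -EOPNOTSUPP;
}

/* Teardown as in kvm_destroy_vm; returns how many entries point at freed devices. */
static int kvm_destroy_vm(struct kvm *kvm)
{
    int stale = 0;

    for (int b = 0; b < NR_BUSES; b++) {
        struct kvm_io_bus *bus = kvm->buses[b];
        if (!bus)                /* the v2 check: the bus may already be gone */
            continue;
        for (int i = 0; i < bus->dev_count; i++)
            stale += dev_is_freed(bus->range[i].dev);
        free(bus);
        kvm->buses[b] = NULL;
    }
    return stale;
}

/* The sequence from the commit message; *read_rc gets a guest access to the
 * removed device's address after the failed unregister. */
int run_scenario(int fixed, int *read_rc)
{
    struct kvm kvm = { { NULL } };
    struct kvm_io_device a = { 1 }, b = { 2 };

    nfreed = 0;
    kvm_io_bus_register_dev(&kvm, 0, 0x1000, &a);
    kvm_io_bus_register_dev(&kvm, 0, 0x2000, &b);
    fail_next_alloc = 1;         /* the allocation inside unregister fails */
    if (fixed)
        kvm_io_bus_unregister_dev_new(&kvm, 0, &a);
    else
        (void)kvm_io_bus_unregister_dev_old(&kvm, 0, &a);
    freed_devs[nfreed++] = &a;   /* caller frees its device regardless */
    *read_rc = kvm_io_bus_read(&kvm, 0, 0x1000);
    return kvm_destroy_vm(&kvm);
}

int stale_at_teardown(int fixed) { int rc; return run_scenario(fixed, &rc); }
int read_after_failed_unregister(int fixed) { int rc; run_scenario(fixed, &rc); return rc; }

int main(void)
{
    int old_rc, new_rc, old_stale = run_scenario(0, &old_rc), new_stale = run_scenario(1, &new_rc);
    printf("old: stale=%d read=%d\nnew: stale=%d read=%d\n", old_stale, old_rc, new_stale, new_rc);
    return 0;
}
```

With the old unregister the bus still carries the freed device, so the read hits it and teardown finds one stale entry; with the new one the read returns -ENOMEM and teardown has nothing left to touch, which is exactly the trade the patch makes: a dead bus instead of a dangling pointer.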