KVM: Protect vcpu->pid dereference via debugfs with RCU

sean-jc · sean-jc · commit 76021e96d781 · 2023-05-26T11:23:50.000-07:00
Wrap the vcpu->pid dereference in the debugfs hook vcpu_get_pid() with proper RCU read (un)lock. Unlike the code in kvm_vcpu_ioctl(), vcpu_get_pid() is not a simple access; the pid pointer is passed to pid_nr() and fully dereferenced if the pointer is non-NULL. Failure to acquire RCU could result in use-after-free of the old pid if a different task invokes KVM_RUN and puts the last reference to the old vcpu->pid between vcpu_get_pid() reading the pointer and dereferencing it in pid_nr(). Fixes: e36de87 ("KVM: debugfs: expose pid of vcpu threads") Link: https://lore.kernel.org/r/20230211010719.982919-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
@@ -3870,7 +3870,10 @@ static int create_vcpu_fd(struct kvm_vcpu *vcpu)
 static int vcpu_get_pid(void *data, u64 *val)
 {
 	struct kvm_vcpu *vcpu = data;
-	*val = pid_nr(rcu_access_pointer(vcpu->pid));
+
+	rcu_read_lock();
+	*val = pid_nr(rcu_dereference(vcpu->pid));
+	rcu_read_unlock();
 	return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3870,7 +3870,10 @@ static int create_vcpu_fd(struct kvm_vcpu *vcpu)`
`3870`	`3870`	`static int vcpu_get_pid(void data, u64 val)`
`3871`	`3871`	`{`
`3872`	`3872`	`struct kvm_vcpu *vcpu = data;`
`3873`		`- *val = pid_nr(rcu_access_pointer(vcpu->pid));`
	`3873`	`+`
	`3874`	`+ rcu_read_lock();`
	`3875`	`+ *val = pid_nr(rcu_dereference(vcpu->pid));`
	`3876`	`+ rcu_read_unlock();`
`3874`	`3877`	`return 0;`
`3875`	`3878`	`}`
`3876`	`3879`