vhost-vdpa: protect concurrent access to vhost device iotlb

Protect vhost device iotlb by vhost_dev->mutex. Otherwise,
it might cause corruption of the list and interval tree in
struct vhost_iotlb if userspace sends the VHOST_IOTLB_MSG_V2
message concurrently.

Fixes: 4c8cf318("vhost: introduce vDPA-based backend")
Cc: stable@vger.kernel.org
Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/20210412095512.178-1-xieyongji@bytedance.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index e0a27e3362935651067c87f7afc1099d54978924..bfa4c6ef554e58e98b5737690181e9ce228627a5 100644 (file)
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -745,9 +745,11 @@ static int vhost_vdpa_process_iotlb_msg(struct vhost_dev *dev,
        const struct vdpa_config_ops *ops = vdpa->config;
        int r = 0;
 
+       mutex_lock(&dev->mutex);
+
        r = vhost_dev_check_owner(dev);
        if (r)
-               return r;
+               goto unlock;
 
        switch (msg->type) {
        case VHOST_IOTLB_UPDATE:
@@ -768,6 +770,8 @@ static int vhost_vdpa_process_iotlb_msg(struct vhost_dev *dev,
                r = -EINVAL;
                break;
        }
+unlock:
+       mutex_unlock(&dev->mutex);
 
        return r;
 }