Revert "KVM: Prevent module exit until all VMs are freed"
Revert KVM's misguided attempt to "fix" a use-after-module-unload bug that was actually due to failure to flush a workqueue, not a lack of module refcounting. Pinning the KVM module until kvm_vm_destroy() doesn't prevent use-after-free due to the module being unloaded, as userspace can invoke delete_module() the instant the last reference to KVM is put, i.e. can cause all KVM code to be unmapped while KVM is actively executing said code. Generally speaking, the many instances of module_put(THIS_MODULE) notwithstanding, outside of a few special paths, a module can never safely put the last reference to itself without creating deadlock, i.e. something external to the module *must* put the last reference. In other words, having VMs grab a reference to the KVM module is futile, pointless, and as evidenced by the now-reverted commit70375c2d8f
("Revert "KVM: set owner of cpu and vm file operations""), actively dangerous. This reverts commit405294f29f
and commit5f6de5cbeb
. Fixes:405294f29f
("KVM: Unconditionally get a ref to /dev/kvm module when creating a VM") Fixes:5f6de5cbeb
("KVM: Prevent module exit until all VMs are freed") Link: https://lore.kernel.org/r/20231018204624.1905300-4-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
This commit is contained in:
parent
087e15206d
commit
ea61294bef
@ -115,8 +115,6 @@ EXPORT_SYMBOL_GPL(kvm_debugfs_dir);
|
||||
|
||||
static const struct file_operations stat_fops_per_vm;
|
||||
|
||||
static struct file_operations kvm_chardev_ops;
|
||||
|
||||
static long kvm_vcpu_ioctl(struct file *file, unsigned int ioctl,
|
||||
unsigned long arg);
|
||||
#ifdef CONFIG_KVM_COMPAT
|
||||
@ -1157,9 +1155,6 @@ static struct kvm *kvm_create_vm(unsigned long type, const char *fdname)
|
||||
if (!kvm)
|
||||
return ERR_PTR(-ENOMEM);
|
||||
|
||||
/* KVM is pinned via open("/dev/kvm"), the fd passed to this ioctl(). */
|
||||
__module_get(kvm_chardev_ops.owner);
|
||||
|
||||
KVM_MMU_LOCK_INIT(kvm);
|
||||
mmgrab(current->mm);
|
||||
kvm->mm = current->mm;
|
||||
@ -1279,7 +1274,6 @@ out_err_no_irq_srcu:
|
||||
out_err_no_srcu:
|
||||
kvm_arch_free_vm(kvm);
|
||||
mmdrop(current->mm);
|
||||
module_put(kvm_chardev_ops.owner);
|
||||
return ERR_PTR(r);
|
||||
}
|
||||
|
||||
@ -1348,7 +1342,6 @@ static void kvm_destroy_vm(struct kvm *kvm)
|
||||
preempt_notifier_dec();
|
||||
hardware_disable_all();
|
||||
mmdrop(mm);
|
||||
module_put(kvm_chardev_ops.owner);
|
||||
}
|
||||
|
||||
void kvm_get_kvm(struct kvm *kvm)
|
||||
|
Loading…
Reference in New Issue
Block a user