vhost: fix error handling in RESET_OWNER ioctl

RESET_OWNER ioctl would leave the fd in a bad state if
memory allocation failed: device is stopped
but owner is not reset. Make state changes
after allocating memory, such that a failed
ioctl has no effect.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index e34e195b9cf63d3291aaf2b9b5c9bbdad393b2df..a3645bd163d8ed0de10af23dbb72d30aab516fd3 100644 (file)
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -967,14 +967,20 @@ static long vhost_net_reset_owner(struct vhost_net *n)
        struct socket *tx_sock = NULL;
        struct socket *rx_sock = NULL;
        long err;
+       struct vhost_memory *memory;
 
        mutex_lock(&n->dev.mutex);
        err = vhost_dev_check_owner(&n->dev);
        if (err)
                goto done;
+       memory = vhost_dev_reset_owner_prepare();
+       if (!memory) {
+               err = -ENOMEM;
+               goto done;
+       }
        vhost_net_stop(n, &tx_sock, &rx_sock);
        vhost_net_flush(n);
-       err = vhost_dev_reset_owner(&n->dev);
+       vhost_dev_reset_owner(&n->dev, memory);
        vhost_net_vq_reset(n);
 done:
        mutex_unlock(&n->dev.mutex);

diff --git a/drivers/vhost/test.c b/drivers/vhost/test.c
index 91d6f060aade3d4fafdfe0b0bf9bcae45b62b0ac..be65414d5bb142cc80462d6d089f36f31059a17e 100644 (file)
--- a/drivers/vhost/test.c
+++ b/drivers/vhost/test.c
@@ -219,13 +219,20 @@ static long vhost_test_reset_owner(struct vhost_test *n)
 {
        void *priv = NULL;
        long err;
+       struct vhost_memory *memory;
+
        mutex_lock(&n->dev.mutex);
        err = vhost_dev_check_owner(&n->dev);
        if (err)
                goto done;
+       memory = vhost_dev_reset_owner_prepare();
+       if (!memory) {
+               err = -ENOMEM;
+               goto done;
+       }
        vhost_test_stop(n, &priv);
        vhost_test_flush(n);
-       err = vhost_dev_reset_owner(&n->dev);
+       vhost_dev_reset_owner(&n->dev, memory);
 done:
        mutex_unlock(&n->dev.mutex);
        return err;

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 6dcd81c8743278f68998b7b7e7836666a9d62902..749b5ab5bfbbd1f280b31cc341d9aae5cc64eef4 100644 (file)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -386,21 +386,19 @@ err_mm:
        return err;
 }
 
-/* Caller should have device mutex */
-long vhost_dev_reset_owner(struct vhost_dev *dev)
+struct vhost_memory *vhost_dev_reset_owner_prepare(void)
 {
-       struct vhost_memory *memory;
-
-       /* Restore memory to default empty mapping. */
-       memory = kmalloc(offsetof(struct vhost_memory, regions), GFP_KERNEL);
-       if (!memory)
-               return -ENOMEM;
+       return kmalloc(offsetof(struct vhost_memory, regions), GFP_KERNEL);
+}
 
+/* Caller should have device mutex */
+void vhost_dev_reset_owner(struct vhost_dev *dev, struct vhost_memory *memory)
+{
        vhost_dev_cleanup(dev, true);
 
+       /* Restore memory to default empty mapping. */
        memory->nregions = 0;
        RCU_INIT_POINTER(dev->memory, memory);
-       return 0;
 }
 
 void vhost_dev_stop(struct vhost_dev *dev)

diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
index 1627eec0ca25400d34e0c0f8a40e77a2f2a9a74c..b58f4ae82cb8e1e912f83c88eeec1e82eb950d5d 100644 (file)
--- a/drivers/vhost/vhost.h
+++ b/drivers/vhost/vhost.h
@@ -136,7 +136,8 @@ struct vhost_dev {
 
 long vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, int nvqs);
 long vhost_dev_check_owner(struct vhost_dev *);
-long vhost_dev_reset_owner(struct vhost_dev *);
+struct vhost_memory *vhost_dev_reset_owner_prepare(void);
+void vhost_dev_reset_owner(struct vhost_dev *, struct vhost_memory *);
 void vhost_dev_cleanup(struct vhost_dev *, bool locked);
 void vhost_dev_stop(struct vhost_dev *);
 long vhost_dev_ioctl(struct vhost_dev *, unsigned int ioctl, void __user *argp);