vhost: reset metadata cache when initializing new IOTLB

We need to reset metadata cache during new IOTLB initialization,
otherwise the stale pointers to previous IOTLB may be still accessed
which will lead a use after free.

Reported-by: syzbot+c51e6736a1bf614b3272@syzkaller.appspotmail.com
Fixes: f88949138058 ("vhost: introduce O(1) vq metadata cache")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 6 insertions, 3 deletions

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index a502f1af4a21..ed3114556fda 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1560,9 +1560,12 @@ int vhost_init_device_iotlb(struct vhost_dev *d, bool enabled)
         d->iotlb = niotlb;
 
         for (i = 0; i < d->nvqs; ++i) {
-                mutex_lock(&d->vqs[i]->mutex);
-                d->vqs[i]->iotlb = niotlb;
-                mutex_unlock(&d->vqs[i]->mutex);
+                struct vhost_virtqueue *vq = d->vqs[i];
+
+                mutex_lock(&vq->mutex);
+                vq->iotlb = niotlb;
+                __vhost_vq_meta_reset(vq);
+                mutex_unlock(&vq->mutex);
         }
 
         vhost_umem_clean(oiotlb);