3 files changed, 36 insertions, 13 deletions
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 72ab71fdf053..4b4da5b86ff9 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -127,7 +127,10 @@ static void handle_tx(struct vhost_net *net)
        size_t len, total_len = 0;
        int err, wmem;
        size_t hdr_size;
-        struct socket *sock = rcu_dereference(vq->private_data);
+        struct socket *sock;
+        sock = rcu_dereference_check(vq->private_data,
+                                     lockdep_is_held(&vq->mutex));
        if (!sock)
                return;
@@ -582,7 +585,10 @@ static void vhost_net_disable_vq(struct vhost_net *n,
 static void vhost_net_enable_vq(struct vhost_net *n,
                                struct vhost_virtqueue *vq)
 {
-        struct socket *sock = vq->private_data;
+        struct socket *sock;
+        sock = rcu_dereference_protected(vq->private_data,
+                                         lockdep_is_held(&vq->mutex));
        if (!sock)
                return;
        if (vq == n->vqs + VHOST_NET_VQ_TX) {
@@ -598,7 +604,8 @@ static struct socket *vhost_net_stop_vq(struct vhost_net *n,
        struct socket *sock;
        mutex_lock(&vq->mutex);
-        sock = vq->private_data;
+        sock = rcu_dereference_protected(vq->private_data,
+                                         lockdep_is_held(&vq->mutex));
        vhost_net_disable_vq(n, vq);
        rcu_assign_pointer(vq->private_data, NULL);
        mutex_unlock(&vq->mutex);
@@ -736,7 +743,8 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
        }
        /* start polling new socket */
-        oldsock = vq->private_data;
+        oldsock = rcu_dereference_protected(vq->private_data,
+                                            lockdep_is_held(&vq->mutex));
        if (sock != oldsock) {
                vhost_net_disable_vq(n, vq);
                rcu_assign_pointer(vq->private_data, sock);
@@ -869,6 +877,7 @@ static const struct file_operations vhost_net_fops = {
        .compat_ioctl   = vhost_net_compat_ioctl,
 #endif
        .open           = vhost_net_open,
+        .llseek         = noop_llseek,
 };
 static struct miscdevice vhost_net_misc = {
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index b6f149572d1a..94701ff3a23a 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -366,7 +366,7 @@ long vhost_dev_reset_owner(struct vhost_dev *dev)
        vhost_dev_cleanup(dev);
        memory->nregions = 0;
-        dev->memory = memory;
+        RCU_INIT_POINTER(dev->memory, memory);
        return 0;
 }
@@ -399,8 +399,9 @@ void vhost_dev_cleanup(struct vhost_dev *dev)
                fput(dev->log_file);
        dev->log_file = NULL;
        /* No one will access memory at this point */
-        kfree(dev->memory);
+        kfree(rcu_dereference_protected(dev->memory,
-        dev->memory = NULL;
+                                        lockdep_is_held(&dev->mutex)));
+        RCU_INIT_POINTER(dev->memory, NULL);
        if (dev->mm)
                mmput(dev->mm);
        dev->mm = NULL;
@@ -487,14 +488,22 @@ static int vq_access_ok(unsigned int num,
 /* Caller should have device mutex but not vq mutex */
 int vhost_log_access_ok(struct vhost_dev *dev)
 {
-        return memory_access_ok(dev, dev->memory, 1);
+        struct vhost_memory *mp;
+        mp = rcu_dereference_protected(dev->memory,
+                                       lockdep_is_held(&dev->mutex));
+        return memory_access_ok(dev, mp, 1);
 }
 /* Verify access for write logging. */
 /* Caller should have vq mutex and device mutex */
 static int vq_log_access_ok(struct vhost_virtqueue *vq, void __user *log_base)
 {
-        return vq_memory_access_ok(log_base, vq->dev->memory,
+        struct vhost_memory *mp;
+        mp = rcu_dereference_protected(vq->dev->memory,
+                                       lockdep_is_held(&vq->mutex));
+        return vq_memory_access_ok(log_base, mp,
                            vhost_has_feature(vq->dev, VHOST_F_LOG_ALL)) &&
                (!vq->log_used || log_access_ok(log_base, vq->log_addr,
                                        sizeof *vq->used +
@@ -534,7 +543,8 @@ static long vhost_set_memory(struct vhost_dev *d, struct vhost_memory __user *m)
                kfree(newmem);
                return -EFAULT;
        }
-        oldmem = d->memory;
+        oldmem = rcu_dereference_protected(d->memory,
+                                           lockdep_is_held(&d->mutex));
        rcu_assign_pointer(d->memory, newmem);
        synchronize_rcu();
        kfree(oldmem);
diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
index edc892989992..073d06ae091f 100644
--- a/drivers/vhost/vhost.h
+++ b/drivers/vhost/vhost.h
@@ -104,7 +104,7 @@ struct vhost_virtqueue {
         * vhost_work execution acts instead of rcu_read_lock() and the end of
         * vhost_work execution acts instead of rcu_read_lock().
         * Writers use virtqueue mutex. */
-        void *private_data;
+        void __rcu *private_data;
        /* Log write descriptors */
        void __user *log_base;
        struct vhost_log *log;
@@ -114,7 +114,7 @@ struct vhost_dev {
        /* Readers use RCU to access memory table pointer
         * log base pointer and features.
         * Writers use mutex below.*/
-        struct vhost_memory *memory;
+        struct vhost_memory __rcu *memory;
        struct mm_struct *mm;
        struct mutex mutex;
        unsigned acked_features;
@@ -171,7 +171,11 @@ enum {
 static inline int vhost_has_feature(struct vhost_dev *dev, int bit)
 {
-        unsigned acked_features = rcu_dereference(dev->acked_features);
+        unsigned acked_features;
+        acked_features =
+                rcu_dereference_index_check(dev->acked_features,
+                                            lockdep_is_held(&dev->mutex));
        return acked_features & (1 << bit);
 }