Subject: Re: [PATCH] KVM: x86: fix wbinvd_dirty_mask use-after-free
From: Paolo Bonzini
To: Ido Yariv, Radim Krčmář
Cc: Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Date: Mon, 24 Oct 2016 16:15:51 +0200
Message-ID: <5488ed61-ac8b-c067-3508-d6832367e4ea@redhat.com>
In-Reply-To: <1477067997-17845-1-git-send-email-ido@wizery.com>

On 21/10/2016 18:39, Ido Yariv wrote:
> vcpu->arch.wbinvd_dirty_mask may still be used after freeing it,
> corrupting memory. For example, the following call trace may set a bit
> in an already freed cpu mask:
> kvm_arch_vcpu_load
> vcpu_load
> vmx_free_vcpu_nested
> vmx_free_vcpu
> kvm_arch_vcpu_free
>
> Fix this by deferring freeing of wbinvd_dirty_mask.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Ido Yariv
> ---
>  arch/x86/kvm/x86.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 6c633de..9ec8c1d 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -7410,10 +7410,12 @@ void kvm_put_guest_fpu(struct kvm_vcpu *vcpu) > > void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu) > { > + void *wbinvd_dirty_mask = vcpu->arch.wbinvd_dirty_mask; > + > kvmclock_reset(vcpu); > > - free_cpumask_var(vcpu->arch.wbinvd_dirty_mask); > kvm_x86_ops->vcpu_free(vcpu); > + free_cpumask_var(wbinvd_dirty_mask); > } > > struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, > Reviewed-by: Paolo Bonzini
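Review bot: the deferred free_cpumask_var(wbinvd_dirty_mask) at the end of kvm_arch_vcpu_free() needs a one-line comment, because nothing at the call site says why the free must come after kvm_x86_ops->vcpu_free(vcpu), and a later cleanup could move it back next to kvmclock_reset() and reintroduce the use-after-free the commit message describes (vcpu_free reaching kvm_arch_vcpu_load, which sets a bit in the mask). The local copy `void *wbinvd_dirty_mask = vcpu->arch.wbinvd_dirty_mask;` taken at the top of the function is what lets the free be deferred without dereferencing vcpu after vcpu_free has run, so it is worth a word as well. Something like `/* vcpu_free may still touch the mask via vcpu_load(); free it last. */` above the final free would keep the ordering from being undone.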