From: Leonardo Bras
To: kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Cc: Leonardo Bras, Paul Mackerras, Benjamin Herrenschmidt, Michael Ellerman
Subject: [PATCH v2 1/4] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm
Date: Thu, 7 Nov 2019 14:02:55 -0300
Message-Id: <20191107170258.36379-2-leonardo@linux.ibm.com>
In-Reply-To: <20191107170258.36379-1-leonardo@linux.ibm.com>

Fixes a possible 'use after free' of kvm variable in
kvm_vm_ioctl_create_spapr_tce, where it does a mutex_unlock(&kvm->lock)
after a kvm_put_kvm(kvm).

Signed-off-by: Leonardo Bras
---
 arch/powerpc/kvm/book3s_64_vio.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c index 5834db0a54c6..a402ead833b6 100644 --- a/arch/powerpc/kvm/book3s_64_vio.c +++ b/arch/powerpc/kvm/book3s_64_vio.c @@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm, if (ret >= 0) list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables); - else - kvm_put_kvm(kvm); mutex_unlock(&kvm->lock); if (ret >= 0) return ret; + kvm_put_kvm(kvm); kfree(stt); fail_acct: account_locked_vm(current->mm, kvmppc_stt_pages(npages), false); -- 2.23.0
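
Review bot: For the kvm_put_kvm(kvm) now placed after mutex_unlock(&kvm->lock) in the error path, the commit message should say whether that put can actually drop the last reference to kvm; it only says "possible", and the subject calls it 'use after release' while the body calls it 'use after free'. If the caller still holds its own reference at this point, describe the change as an ordering cleanup; if it does not, add a Fixes: tag naming the commit that introduced the put-before-unlock order so the fix can be backported. A short comment above the moved kvm_put_kvm(kvm) stating that it must stay after the unlock would also keep a later refactor from moving it back under kvm->lock.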