From: Leonardo Bras
To: Sean Christopherson, kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Leonardo Bras, Paul Mackerras, Benjamin Herrenschmidt, Michael Ellerman, Paolo Bonzini, Radim Krčmář
Subject: [PATCH 1/1] powerpc/kvm/book3s: Fixes possible 'use after release' of kvm
Date: Tue, 26 Nov 2019 14:52:12 -0300
Message-Id: <20191126175212.377171-1-leonardo@linux.ibm.com>

Fixes a possible 'use after free' of kvm variable. It does use mutex_unlock(&kvm->lock) after possibly freeing a variable with kvm_put_kvm(kvm).

Signed-off-by: Leonardo Bras
--- arch/powerpc/kvm/book3s_64_vio.c | 3 +-- virt/kvm/kvm_main.c | 8 ++++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c index 5834db0a54c6..a402ead833b6 100644 --- a/arch/powerpc/kvm/book3s_64_vio.c +++ b/arch/powerpc/kvm/book3s_64_vio.c 
@@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm, if (ret >= 0) list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables); - else - kvm_put_kvm(kvm); mutex_unlock(&kvm->lock); if (ret >= 0) return ret; + kvm_put_kvm(kvm); kfree(stt); fail_acct: account_locked_vm(current->mm, kvmppc_stt_pages(npages), false); diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 13efc291b1c7..f37089b60d09 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -2744,10 +2744,8 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) /* Now it's all set up, let userspace reach it */ kvm_get_kvm(kvm); r = create_vcpu_fd(vcpu); - if (r < 0) { - kvm_put_kvm(kvm); + if (r < 0) goto unlock_vcpu_destroy; - } kvm->vcpus[atomic_read(&kvm->online_vcpus)] = vcpu; @@ -2771,6 +2769,8 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) mutex_lock(&kvm->lock); kvm->created_vcpus--; mutex_unlock(&kvm->lock); + if (r < 0) + kvm_put_kvm(kvm); return r; } @@ -3183,10 +3183,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm, kvm_get_kvm(kvm); ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); if (ret < 0) { - kvm_put_kvm(kvm); mutex_lock(&kvm->lock); list_del(&dev->vm_node); mutex_unlock(&kvm->lock); + kvm_put_kvm(kvm); ops->destroy(dev); return ret; } -- 2.23.0
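Review bot: in the kvm_vm_ioctl_create_spapr_tce() hunk, the moved kvm_put_kvm(kvm) lands between `return ret;` and `kfree(stt);` with nothing explaining why it must follow mutex_unlock(&kvm->lock). Please add a short comment there saying that the put may drop the last reference and so has to come after the final use of kvm->lock; otherwise a later cleanup could fold it back next to the list_add_rcu() test. It also sits directly above the fail_acct label, so it runs only on the fall-through path; the hunk does not show where the matching kvm_get_kvm() is taken, so it is worth confirming that no `goto fail_acct` is reachable while the reference is held.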
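Review bot: in the second kvm_vm_ioctl_create_vcpu() hunk (@@ -2771), the new `if (r < 0) kvm_put_kvm(kvm);` before `return r;` keys the put on the return value alone, not on whether kvm_get_kvm() was actually called. The reference is only taken just before create_vcpu_fd(), after the "Now it's all set up" comment, while this tail (the created_vcpus-- block) looks like a shared error exit. If any earlier failure jumps into it with r < 0, the put would drop a reference that was never taken, which would itself cause a premature free of kvm. The hunks do not show the other jumps into this tail, so either show that create_vcpu_fd() is the only r < 0 path reaching it, or keep the put tied to the get, for example with a separate label placed after mutex_unlock(&kvm->lock) that only the create_vcpu_fd() failure falls through.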
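Review bot: in the kvm_ioctl_create_device() hunk, kvm_put_kvm(kvm) is moved after mutex_unlock(&kvm->lock) but still runs before `ops->destroy(dev);`. If a destroy callback reaches the VM through dev, the same use-after-free this patch is fixing remains on that line. The hunk does not show what the callbacks touch, so the safe ordering is to make the put the last statement before `return ret;`, after ops->destroy(dev).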