git.baikalelectronics.ru Git - kernel.git/commit

author	Paolo Bonzini <pbonzini@redhat.com>
	Wed, 6 Apr 2022 17:13:42 +0000 (13:13 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 13 Apr 2022 18:59:26 +0000 (20:59 +0200)
commit	030aa342d5749f3bc75a097647be78e4b412abe2
tree	782366ed006a28a148f33190e405f2ec446f70a8	tree \| snapshot
parent	62677438531c480bcacb36d847da20f80fe8b3ad	commit \| diff

KVM: avoid NULL pointer dereference in kvm_dirty_ring_push

commit f02d7565cc0ac1f48275f90907a5526485283038 upstream.

kvm_vcpu_release() will call kvm_dirty_ring_free(), freeing
ring->dirty_gfns and setting it to NULL. Afterwards, it calls
kvm_arch_vcpu_destroy().

However, if closing the file descriptor races with KVM_RUN in such away
that vcpu->arch.st.preempted == 0, the following call stack leads to a
NULL pointer dereference in kvm_dirty_run_push():

mark_page_dirty_in_slot+0x192/0x270 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3171
kvm_steal_time_set_preempted arch/x86/kvm/x86.c:4600 [inline]
kvm_arch_vcpu_put+0x34e/0x5b0 arch/x86/kvm/x86.c:4618
vcpu_put+0x1b/0x70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:211
vmx_free_vcpu+0xcb/0x130 arch/x86/kvm/vmx/vmx.c:6985
kvm_arch_vcpu_destroy+0x76/0x290 arch/x86/kvm/x86.c:11219
kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]

The fix is to release the dirty page ring after kvm_arch_vcpu_destroy
has run.

Reported-by: Qiuhao Li <qiuhao@sysec.org>
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Yongkang Jia <kangel@zju.edu.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>