From: ZhangPeng zhangpeng362@huawei.com
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9F8AD
--------------------------------
Commit 1a8251a1520f ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache") fixes the UAF problem in the general path, but does not fix the UAF problem in the multiple LPI translation cache path. Fix the UAF issue by calling vgic_get_irq_kref() in the multiple LPI translation cache path before vgic_put_irq().
Fixes: 1a8251a1520f ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache")
Suggested-by: Jia Qingtong jiaqingtong@huawei.com
Signed-off-by: ZhangPeng zhangpeng362@huawei.com
---
 arch/arm64/kvm/vgic/vgic-its.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c index d095bab1eeae..a22649011233 100644 --- a/arch/arm64/kvm/vgic/vgic-its.c +++ b/arch/arm64/kvm/vgic/vgic-its.c @@ -642,6 +642,9 @@ static struct vgic_irq *vgic_its_check_cache(struct kvm *kvm, phys_addr_t db,
raw_spin_lock_irqsave(&dist->lpi_translation_cache[cacheid].lpi_cache_lock, flags); irq = __vgic_its_check_cache(dist, db, devid, eventid, cacheid); + if (irq) + vgic_get_irq_kref(irq); + raw_spin_unlock_irqrestore(&dist->lpi_translation_cache[cacheid].lpi_cache_lock, flags); #else raw_spin_lock_irqsave(&dist->lpi_list_lock, flags);
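Review bot: the reference is taken at the right place, i.e. inside the `raw_spin_lock_irqsave(...lpi_cache_lock...)` / `raw_spin_unlock_irqrestore(...)` pair, so the irq returned by `__vgic_its_check_cache()` cannot be freed between the cache lookup and the caller's use of it; taking the kref after the unlock would leave the same window the commit message describes. Two things to verify before merging: first, that every caller of `vgic_its_check_cache()` now balances this get with a `vgic_put_irq()` on every path, including early-return and error paths, since the `#ifdef` branch now returns a referenced irq exactly as the general (`#else`, `lpi_list_lock`) path does after 1a8251a1520f, otherwise the fix trades a UAF for a leaked reference. Second, a short comment above `if (irq)` stating that the kref must be acquired under `lpi_cache_lock` would stop a later refactor from moving it outside the critical section; something like `/* Take the reference under lpi_cache_lock so the irq cannot be freed before the caller's vgic_put_irq() */` is enough.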