From: Miaohe Lin linmiaohe@huawei.com
mainline inclusion from mainline-v5.6-rc4 commit d80b64ff297e40c2b6f7d7abc1b3eba70d22a068 category: bugfix bugzilla: 13690 CVE: CVE-2020-12768
-------------------------------------------------
When kmalloc memory for sd->sev_vmcbs failed, we forget to free the page held by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually the only possible outcome here.
Reviewed-by: Liran Alon liran.alon@oracle.com Reviewed-by: Vitaly Kuznetsov vkuznets@redhat.com Signed-off-by: Miaohe Lin linmiaohe@huawei.com Signed-off-by: Paolo Bonzini pbonzini@redhat.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- arch/x86/kvm/svm.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index df22744..226db3dc 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -998,33 +998,32 @@ static void svm_cpu_uninit(int cpu) static int svm_cpu_init(int cpu) { struct svm_cpu_data *sd; - int r;
sd = kzalloc(sizeof(struct svm_cpu_data), GFP_KERNEL); if (!sd) return -ENOMEM; sd->cpu = cpu; - r = -ENOMEM; sd->save_area = alloc_page(GFP_KERNEL); if (!sd->save_area) - goto err_1; + goto free_cpu_data;
if (svm_sev_enabled()) { - r = -ENOMEM; sd->sev_vmcbs = kmalloc_array(max_sev_asid + 1, sizeof(void *), GFP_KERNEL); if (!sd->sev_vmcbs) - goto err_1; + goto free_save_area; }
per_cpu(svm_data, cpu) = sd;
return 0;
-err_1: +free_save_area: + __free_page(sd->save_area); +free_cpu_data: kfree(sd); - return r; + return -ENOMEM;
}