Unverified Commit 2630e077 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!10654 KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()

parents e6ee6d51 6e807134
+13 −5
@@ -117,14 +117,16 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
	}
	rcu_read_unlock();

	if (!found) {
		fdput(f);

	if (!found)
		return -EINVAL;
	}

	table_group = iommu_group_get_iommudata(grp);
	if (WARN_ON(!table_group))
	if (WARN_ON(!table_group)) {
		fdput(f);
		return -EFAULT;
	}

	for (i = 0; i < IOMMU_TABLE_GROUP_MAX_TABLES; ++i) {
		struct iommu_table *tbltmp = table_group->tables[i];
@@ -145,8 +147,10 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
			break;
		}
	}
	if (!tbl)
	if (!tbl) {
		fdput(f);
		return -EINVAL;
	}

	rcu_read_lock();
	list_for_each_entry_rcu(stit, &stt->iommu_tables, next) {
@@ -157,6 +161,7 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
			/* stit is being destroyed */
			iommu_tce_table_put(tbl);
			rcu_read_unlock();
			fdput(f);
			return -ENOTTY;
		}
		/*
@@ -164,6 +169,7 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
		 * its KVM reference counter and can return.
		 */
		rcu_read_unlock();
		fdput(f);
		return 0;
	}
	rcu_read_unlock();
@@ -171,6 +177,7 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,
	stit = kzalloc(sizeof(*stit), GFP_KERNEL);
	if (!stit) {
		iommu_tce_table_put(tbl);
		fdput(f);
		return -ENOMEM;
	}

@@ -179,6 +186,7 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd,

	list_add_rcu(&stit->next, &stt->iommu_tables);

	fdput(f);
	return 0;
}
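Review bot: Seven exit paths in this section now each carry their own `fdput(f)` (the `!found`, `!table_group`, `!tbl`, `-ENOTTY`, already-attached, `-ENOMEM` and final success returns), so a return added later can leak the file reference or bring back an early release. A single exit would make the lifetime rule explicit: set `ret` and `goto out_fdput;` on each path, and end the function with `out_fdput: fdput(f); return ret;`. The two paths that call `iommu_tce_table_put(tbl)` would keep that call before the jump. A comment where `f` is taken would also help, e.g. `/* stt is presumably owned by the file behind tablefd; hold f until stt is no longer touched */`. The fdget and the start of the function are outside the visible hunks, so this invariant is inferred from the commit title and from `stt->iommu_tables` being used up to `list_add_rcu()`.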