Commit 63959e33 authored Apr 09, 2024 by ZhangPeng Committed by Peng Zhang Apr 09, 2024

KVM: arm64: vgic-its: use vgic_get_irq_kref() before vgic_put_irq()

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9F8AD



--------------------------------

Commit 1a8251a1 ("KVM: arm64: vgic-its: Avoid potential UAF in LPI
translation cache") fixes the UAF problem of the general path, but does
not fix the UAF problem of multiple LPI translation caches.
Fix UAF issue with vgic_get_irq_kref() in multiple LPI translation cache
path before vgic_put_irq().

Fixes: 1a8251a1 ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache")
Suggested-by: Jia Qingtong <jiaqingtong@huawei.com>
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>

parent 05607873

arch/arm64/kvm/vgic/vgic-its.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -642,6 +642,9 @@ static struct vgic_irq vgic_its_check_cache(struct kvm kvm, phys_addr_t db,

		raw_spin_lock_irqsave(&dist->lpi_translation_cache[cacheid].lpi_cache_lock, flags);
		irq = __vgic_its_check_cache(dist, db, devid, eventid, cacheid);
		if (irq)
		vgic_get_irq_kref(irq);

		raw_spin_unlock_irqrestore(&dist->lpi_translation_cache[cacheid].lpi_cache_lock, flags);
		#else
		raw_spin_lock_irqsave(&dist->lpi_list_lock, flags);