Hi Leonardo,
Leonardo Bras <leona...@linux.ibm.com> writes:
> Fixes a possible 'use after free' of kvm variable in
> kvm_vm_ioctl_create_spapr_tce, where it does a mutex_unlock(&kvm->lock)
> after a kvm_put_kvm(kvm).
There is no potential for an actual use after free here AFAICS.
> diff --git a/arch/powerpc/kvm/book3s_64_vio.c
> b/arch/powerpc/kvm/book3s_64_vio.c
> index 5834db0a54c6..a402ead833b6 100644
> --- a/arch/powerpc/kvm/book3s_64_vio.c
> +++ b/arch/powerpc/kvm/book3s_64_vio.c
The preceeding context is:
mutex_lock(&kvm->lock);
/* Check this LIOBN hasn't been previously allocated */
ret = 0;
list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
if (siter->liobn == args->liobn) {
ret = -EBUSY;
break;
}
}
kvm_get_kvm(kvm);
if (!ret)
ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
stt, O_RDWR | O_CLOEXEC);
> @@ -316,14 +316,13 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
>
> if (ret >= 0)
> list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
> - else
> - kvm_put_kvm(kvm);
>
> mutex_unlock(&kvm->lock);
>
> if (ret >= 0)
> return ret;
>
> + kvm_put_kvm(kvm);
> kfree(stt);
> fail_acct:
> account_locked_vm(current->mm, kvmppc_stt_pages(npages), false);
If the kvm_put_kvm() you've moved actually caused the last reference to
be dropped that would mean that our caller had passed us a kvm struct
without holding a reference to it, and that would be a bug in our
caller.
Or put another way, it would mean the mutex_lock() above could already
be operating on a freed kvm struct.
The kvm_get_kvm() prior to the anon_inode_getfd() is to account for the
reference that's held by the `stt` struct, and dropped in
kvm_spapr_tce_release().
So although this patch isn't wrong, the explanation is not accurate.
cheers
