Re: [PATCH] kvm:iommu: fix the third parameter of kvm_iommu_put_pages

On 19/08/2014 13:14, zhanghailiang wrote:
> The third parameter of kvm_iommu_put_pages is wrong,
> It should be 'gfn-slot->base_gfn'

This fixes a crash, doesn't it?  Please mention it in the commit
message, because we have to assign a CVE for this kind of issue.  It
will be CVE-2014-3601.

I learnt about this crash last week from Michael Tsirkin, whose
patch also had the following hunk:

diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
index 0df7d4b34dfe..1e458a7d96f1 100644
--- a/virt/kvm/iommu.c
+++ b/virt/kvm/iommu.c
@@ -123,6 +123,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct
kvm_memory_slot *slot)
 		if (r) {
 			printk(KERN_ERR "kvm_iommu_map_address:"
 			       "iommu failed to map pfn=%llx\n", pfn);
+			kvm_unpin_pages(kvm, pfn, page_size);
 			goto unmap_pages;
 		}
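
Review bot: On the added 'kvm_unpin_pages(kvm, pfn, page_size)' line, the unit of the third argument should be confirmed and documented. If kvm_unpin_pages expects a number of pages and page_size holds a size in bytes at this point, the call would release far more pages than were pinned for this pfn. That is the same kind of argument mix-up the other patch in this thread corrects for kvm_iommu_put_pages. Please either pass an explicit page count or add a short comment stating what unit page_size carries here.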

So I'm going to apply his instead.

Thanks for the report,

Paolo

> Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
> ---
>  virt/kvm/iommu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
> index 0df7d4b..c02f9a3 100644
> --- a/virt/kvm/iommu.c
> +++ b/virt/kvm/iommu.c
> @@ -134,7 +134,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
>  	return 0;
>  
>  unmap_pages:
> -	kvm_iommu_put_pages(kvm, slot->base_gfn, gfn);
> +	kvm_iommu_put_pages(kvm, slot->base_gfn, gfn - slot->base_gfn);
>  	return r;
>  }
>  
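
Review bot: At the unmap_pages label, 'gfn - slot->base_gfn' counts only the pages mapped before the failing iteration, so the pages pinned for the pfn whose mapping just failed appear to be left out of the cleanup. The hunk quoted earlier in this thread covers that case with a kvm_unpin_pages call before the goto, and this patch would need an equivalent. The commit message should also state that the third parameter is a page count rather than an end gfn, and describe the resulting crash as requested in the reply.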
> 
