Re: [PATCH] KVM: nVMX: Eliminate vmcs02 pool


On 27/11/2017 18:43, Mark Kanda wrote:
> On 11/23/2017 5:46 PM, Paolo Bonzini wrote:
>> On 21/11/2017 18:22, Mark Kanda wrote:
>>> -    nested_free_all_saved_vmcss(vmx);
>>> +    free_loaded_vmcs(&vmx->nested.vmcs02);
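Review bot: free_loaded_vmcs(&vmx->nested.vmcs02) on the `+` line frees vmcs02 without checking that it is not the VMCS the vCPU is currently running on (vmx->loaded_vmcs), so a teardown that reaches this call while vmcs02 is still loaded becomes a use-after-free. Suggest guarding the free with WARN_ON(vmx->loaded_vmcs == &vmx->nested.vmcs02) and returning without freeing when it fires, so that a bug in the callers leaks one VMCS rather than freeing a live one.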
>>
>> Please add to free_loaded_vmcs a WARN that the passed vmcs is not
>> vmx->loaded_vmcs.
> 
> Sure.
> 
> However, I don't see a way to access vmx from the passed in vmcs, which
> would necessitate passing in vmx for the WARN (multiple callers) - I may
> be missing something..

free_loaded_vmcs is only ever used on VMCS02's, so you can change it to

static void vmx_nested_free_vmcs02(struct vcpu_vmx *vmx)
{
	struct loaded_vmcs *loaded_vmcs = &vmx->nested.vmcs02;

	/*
	 * Just leak the VMCS02 if the WARN triggers.  Better than
	 * a use-after-free.
	 */
	if (WARN_ON(vmx->loaded_vmcs == loaded_vmcs))
		return;
	...
}

> I'm happy to do this, but it seems possibly excessive for the sole
> purpose of adding the WARN. Thoughts?

We've had this kind of bug in the past, so I prefer to err on the side
of safety.

Paolo
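A user-space model of the guard sketched above, added here as an example; it is not code from this thread or from KVM, and the struct layouts, the page-sized allocations and the return codes are assumptions made for illustration. It also shows the teardown order the guard enforces: switch the vCPU back to vmcs01 first, then free vmcs02.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the KVM structures involved. */
struct loaded_vmcs {
	void *vmcs;		/* backing page, NULL once freed */
};

struct vcpu_vmx {
	struct loaded_vmcs vmcs01;
	struct loaded_vmcs *loaded_vmcs;	/* VMCS currently in use on this vCPU */
	struct { struct loaded_vmcs vmcs02; } nested;
};

/* Returns 0 when vmcs02 was freed, -1 when it was still loaded and was
 * leaked instead (the kernel version would WARN_ON() at that point). */
static int vmx_nested_free_vmcs02(struct vcpu_vmx *vmx)
{
	struct loaded_vmcs *loaded_vmcs = &vmx->nested.vmcs02;

	/* A dangling vmx->loaded_vmcs would be dereferenced on the next
	 * VM entry, so leaking one page is the safer failure. */
	if (vmx->loaded_vmcs == loaded_vmcs)
		return -1;
	free(loaded_vmcs->vmcs);
	loaded_vmcs->vmcs = NULL;
	return 0;
}

/* Allocate both VMCSs; point the vCPU at vmcs02 when L2 is running. */
static void vmx_setup(struct vcpu_vmx *vmx, int running_l2)
{
	memset(vmx, 0, sizeof(*vmx));
	vmx->vmcs01.vmcs = calloc(1, 4096);
	vmx->nested.vmcs02.vmcs = calloc(1, 4096);
	vmx->loaded_vmcs = running_l2 ? &vmx->nested.vmcs02 : &vmx->vmcs01;
}

/* 1 if the guard refuses the free while vmcs02 is loaded and allows it
 * once the vCPU has been switched back to vmcs01, else 0. */
static int teardown_is_safe(void)
{
	struct vcpu_vmx vmx;
	int refused, freed;

	vmx_setup(&vmx, 1);
	refused = vmx_nested_free_vmcs02(&vmx) == -1 && vmx.nested.vmcs02.vmcs != NULL;
	vmx.loaded_vmcs = &vmx.vmcs01;		/* unload vmcs02 before freeing it */
	freed = vmx_nested_free_vmcs02(&vmx) == 0 && vmx.nested.vmcs02.vmcs == NULL;
	free(vmx.vmcs01.vmcs);
	return refused && freed;
}
```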

