When set_memory_decrypted() fails, pages may be left fully or partially decrypted. Before freeing the pages back to the pool, they should be encrypted via set_memory_encrypted(), or else this could lead to functional or security issues. If encrypting the pages fails, leak the pages.

Fixes: 6a1cac56f41f ("x86/kvm: Use __bss_decrypted attribute in shared variables")
Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx>
--- arch/x86/kernel/kvmclock.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c index 5b2c152..5e9f9d2 100644 --- a/arch/x86/kernel/kvmclock.c +++ b/arch/x86/kernel/kvmclock.c @@ -228,7 +228,8 @@ static void __init kvmclock_init_mem(void) r = set_memory_decrypted((unsigned long) hvclock_mem, 1UL << order); if (r) { - __free_pages(p, order); + if (!set_memory_encrypted((unsigned long)hvclock_mem, 1UL << order)) + __free_pages(p, order); hvclock_mem = NULL; pr_warn("kvmclock: set_memory_decrypted() failed. Disabling\n"); return; -- 2.9.4
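
Review bot: In the `if (r)` branch of kvmclock_init_mem(), the case where set_memory_encrypted() also fails leaks the pages on purpose, but nothing in the code says so and the only message printed is still "kvmclock: set_memory_decrypted() failed. Disabling". A later reader can easily take the skipped `__free_pages(p, order)` for a bug, and the log gives no hint that memory was leaked in a possibly decrypted state. Suggest a short comment above the new `if` stating that pages which cannot be re-encrypted must not be returned to the page allocator, plus a distinct pr_warn for that case. Minor style point: the new call casts as `(unsigned long)hvclock_mem` while the set_memory_decrypted() call two lines above uses `(unsigned long) hvclock_mem`; pick one spacing within the function.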