This is a note to let you know that I've just added the patch titled KVM: x86: Cancel pvclock_gtod_work on module removal to the 4.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch and it can be found in the queue-4.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 594b27e677b35f9734b1969d175ebc6146741109 Mon Sep 17 00:00:00 2001 From: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Date: Wed, 5 May 2021 23:48:17 +0200 Subject: KVM: x86: Cancel pvclock_gtod_work on module removal From: Thomas Gleixner <tglx@xxxxxxxxxxxxx> commit 594b27e677b35f9734b1969d175ebc6146741109 upstream. Nothing prevents the following: pvclock_gtod_notify() queue_work(system_long_wq, &pvclock_gtod_work); ... remove_module(kvm); ... work_queue_run() pvclock_gtod_work() <- UAF Ditto for any other operation on that workqueue list head which touches pvclock_gtod_work after module removal. Cancel the work in kvm_arch_exit() to prevent that. Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes") Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Message-Id: <87czu4onry.ffs@xxxxxxxxxxxxxxxxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/x86/kvm/x86.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -6911,6 +6911,7 @@ void kvm_arch_exit(void) cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE); #ifdef CONFIG_X86_64 pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier); + cancel_work_sync(&pvclock_gtod_work); #endif kvm_x86_ops = NULL; kvm_mmu_module_exit(); Patches currently in stable-queue which might be from tglx@xxxxxxxxxxxxx are queue-4.19/posix-timers-preserve-return-value-in-clock_adjtime32.patch queue-4.19/revert-337f13046ff0-futex-allow-futex_clock_realtime-with-futex_wait-op.patch queue-4.19/genirq-matrix-prevent-allocation-counter-corruption.patch queue-4.19/x86-cpu-initialize-msr_tsc_aux-if-rdtscp-or-rdpid-is-supported.patch queue-4.19/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch