On Thu, Mar 30, 2017 at 10:58:06AM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
>
> The patch below does not apply to the 4.9-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@xxxxxxxxxxxxxxx>.
>
> thanks,
>
> greg k-h
Sorry, wrong patch, this one works just fine, it's the other 4.9 kvm
patch that breaks the build.
greg k-h
> ------------------ original commit in Linus's tree ------------------
>
> >From 2beb6dad2e8f95d710159d5befb390e4f62ab5cf Mon Sep 17 00:00:00 2001
> From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Date: Mon, 27 Mar 2017 17:53:50 +0200
> Subject: [PATCH] KVM: x86: cleanup the page tracking SRCU instance
>
> SRCU uses a delayed work item. Skip cleaning it up, and
> the result is use-after-free in the work item callbacks.
>
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Suggested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 0eb05bf290cfe8610d9680b49abef37febd1c38a
> Reviewed-by: Xiao Guangrong <xiaoguangrong.eric@xxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
>
> diff --git a/arch/x86/include/asm/kvm_page_track.h b/arch/x86/include/asm/kvm_page_track.h
> index d74747b031ec..c4eda791f877 100644
> --- a/arch/x86/include/asm/kvm_page_track.h
> +++ b/arch/x86/include/asm/kvm_page_track.h
> @@ -46,6 +46,7 @@ struct kvm_page_track_notifier_node {
> };
>
> void kvm_page_track_init(struct kvm *kvm);
> +void kvm_page_track_cleanup(struct kvm *kvm);
>
> void kvm_page_track_free_memslot(struct kvm_memory_slot *free,
> struct kvm_memory_slot *dont);
> diff --git a/arch/x86/kvm/page_track.c b/arch/x86/kvm/page_track.c
> index 37942e419c32..60168cdd0546 100644
> --- a/arch/x86/kvm/page_track.c
> +++ b/arch/x86/kvm/page_track.c
> @@ -160,6 +160,14 @@ bool kvm_page_track_is_active(struct kvm_vcpu *vcpu, gfn_t gfn,
> return !!ACCESS_ONCE(slot->arch.gfn_track[mode][index]);
> }
>
> +void kvm_page_track_cleanup(struct kvm *kvm)
> +{
> + struct kvm_page_track_notifier_head *head;
> +
> + head = &kvm->arch.track_notifier_head;
> + cleanup_srcu_struct(&head->track_srcu);
> +}
> +
> void kvm_page_track_init(struct kvm *kvm)
> {
> struct kvm_page_track_notifier_head *head;
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 64697fe475c3..ccbd45ecd41a 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -8158,6 +8158,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
> kvm_free_vcpus(kvm);
> kvfree(rcu_dereference_check(kvm->arch.apic_map, 1));
> kvm_mmu_uninit_vm(kvm);
> + kvm_page_track_cleanup(kvm);
> }
>
> void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,