There is a probability that the host machine will also restart
when the virtual machine is restarting.
Commit ad362fe07fec ("KVM: arm64: vgic-its: Avoid potential UAF
in LPI translation cache") released the reference count of an IRQ
when it shouldn't have. This led to a situation where, when the
system finally released the IRQ, it found that the structure had
already been freed, triggering a
'refcount_t: underflow; use-after-free' error.
In fact, the function "vgic_put_irq" should be called by
"vgic_its_inject_cached_translation" instead of
"vgic_its_trigger_msi".
Call trace:
its_free_ite+0x90/0xa0
vgic_its_free_device+0x3c/0xa0
vgic_its_destroy+0x4c/0xb8
kvm_put_kvm+0x214/0x358
kvm_vcpu_release+0x24/0x38
__fput+0x84/0x278
____fput+0x20/0x30
task_work_run+0xcc/0x190
do_exit+0x36c/0xa88
do_group_exit+0x4c/0xb8
__arm64_sys_exit_group+0x24/0x28
invoke_syscall+0x54/0x120
el0_svc_common.constprop.4+0x16c/0x1f0
do_el0_svc+0x34/0xb0
el0_svc+0x1c/0x28
el0_sync_handler+0x8c/0xb0
el0_sync+0x148/0x180
Fixes: ad362fe07fec ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wenyao Hai <haiwenyao@xxxxxxxxxxxxx>
Signed-off-by: WangYuli <wangyuli@xxxxxxxxxxxxx>
---
arch/arm64/kvm/vgic/vgic-its.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
index ba945ba78cc7..fb5f57cbab42 100644
--- a/arch/arm64/kvm/vgic/vgic-its.c
+++ b/arch/arm64/kvm/vgic/vgic-its.c
@@ -679,6 +679,7 @@ static int vgic_its_trigger_msi(struct kvm *kvm, struct vgic_its *its,
raw_spin_lock_irqsave(&irq->irq_lock, flags);
irq->pending_latch = true;
vgic_queue_irq_unlock(kvm, irq, flags);
+ vgic_put_irq(kvm, irq);
return 0;
}
@@ -697,7 +698,6 @@ int vgic_its_inject_cached_translation(struct kvm *kvm, struct kvm_msi *msi)
raw_spin_lock_irqsave(&irq->irq_lock, flags);
irq->pending_latch = true;
vgic_queue_irq_unlock(kvm, irq, flags);
- vgic_put_irq(kvm, irq);
return 0;
}
--
2.45.2
