Searched hist:"987d1149be7ddcc1380ff946cf236874421a7e1b" (Results 1 – 1 of 1) sorted by relevance
/openbmc/linux/virt/kvm/
coalesced_mmio.c | diff 987d1149be7ddcc1380ff946cf236874421a7e1b | Mon Dec 17 11:36:19 CST 2018 | Eric Biggers <ebiggers@google.com>

KVM: fix unregistering coalesced mmio zone from wrong bus
If you register a kvm_coalesced_mmio_zone with '.pio = 0' but then unregister it with '.pio = 1', KVM_UNREGISTER_COALESCED_MMIO will try to unregister it from KVM_PIO_BUS rather than KVM_MMIO_BUS, which is a no-op. But it frees the kvm_coalesced_mmio_dev anyway, causing a use-after-free.
Fix it by only unregistering and freeing the zone if the correct value of 'pio' is provided.
Reported-by: syzbot+f87f60bb6f13f39b54e3@syzkaller.appspotmail.com
Fixes: 0804c849f1df ("kvm/x86 : add coalesced pio support")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>