From patchwork Thu Oct 17 06:13:34 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: WangYuli <wangyuli@uniontech.com>
X-Patchwork-Id: 13839486
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id D169BD2F7D5
	for <linux-arm-kernel@archiver.kernel.org>;
 Thu, 17 Oct 2024 06:16:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help
	:List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding:
	MIME-Version:Message-ID:Date:Subject:Cc:To:From:Reply-To:Content-Type:
	Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
	Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner;
	bh=hA4hUN+9KBWHFCEFczU3MeRYWfArLynwxZaFIvHd2oQ=; b=Iy945w2cicKwffSSbhpAfi7QbA
	9nVLcq4ZCY3zKAXK/nHjF7kIebOMGsRBSxtVDk1cvJaksvZ7X6HH/SbCj19zSMVqUB7JjDvlgUEXA
	AzVn5F2upKOkPgW7B7z4r3W/ntGq0w4kIxWiv5eZyt0IczJNcCMg8AJwIeHb9sZZBOHSJcyifdB/1
	j3nDXQxfAYBHzTOqWJ3TUmdpeyDSZZzzwSK9qXeHJ9Ny3uDQKPXu64PHATMuuzop6Y9wH4OHZ4jGl
	2oezvrq7Fjko3HNuZ2hybzavEeEAtc29qEjRxDRXo/II/U0RBpxVQBdYYNCJ4OfIAGJ/SVa7IJaSV
	HeNgBuEw==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux))
	id 1t1JoJ-0000000Dr2E-1z4B;
	Thu, 17 Oct 2024 06:16:35 +0000
Received: from smtpbg150.qq.com ([18.132.163.193])
	by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux))
	id 1t1Jmo-0000000Dqr9-0i7b
	for linux-arm-kernel@lists.infradead.org;
	Thu, 17 Oct 2024 06:15:06 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uniontech.com;
	s=onoh2408; t=1729145626;
	bh=hA4hUN+9KBWHFCEFczU3MeRYWfArLynwxZaFIvHd2oQ=;
	h=From:To:Subject:Date:Message-ID:MIME-Version;
	b=h69ar9IICG9t9Gvoz4CEfc75c7ZodsKdkcnAN5eRkUopodeP4UkAHGFoDbI/4on4e
	 Nhk5eM6ZfbVuD2ckWFBJGOOsqBPTAXGNBWsZJh1jk/sZ7aD3fXwQwiUEvhd+PidV0Q
	 ki0u19djg63d1NvgcQ0Zx6mP33dbziKrm4YvMROw=
X-QQ-mid: bizesmtpsz4t1729145617taeiv3x
X-QQ-Originating-IP: uYtshKjOGBnpjT4JIwF/uJpPdH4CCOgdEKjvuAdhe+g=
Received: from localhost.localdomain ( [113.57.152.160])
	by bizesmtp.qq.com (ESMTP) with
	id ; Thu, 17 Oct 2024 14:13:35 +0800 (CST)
X-QQ-SSF: 0000000000000000000000000000000
X-QQ-GoodBg: 1
X-BIZMAIL-ID: 12168614839949333599
From: WangYuli <wangyuli@uniontech.com>
To: maz@kernel.org,
	oliver.upton@linux.dev,
	james.morse@arm.com,
	suzuki.poulose@arm.com,
	yuzenghui@huawei.com,
	catalin.marinas@arm.com,
	will@kernel.org,
	rdunlap@infradead.org,
	sebott@redhat.com
Cc: linux-arm-kernel@lists.infradead.org,
	kvmarm@lists.linux.dev,
	linux-kernel@vger.kernel.org,
	guanwentao@uniontech.com,
	zhanjun@uniontech.com,
	WangYuli <wangyuli@uniontech.com>,
	stable@vger.kernel.org
Subject: [PATCH] KVM: arm64: vgic-its: Do not call vgic_put_irq() within
 vgic_its_inject_cached_translation()
Date: Thu, 17 Oct 2024 14:13:34 +0800
Message-ID: <FEBA39FEBDA1C9D7+20241017061334.222103-1-wangyuli@uniontech.com>
X-Mailer: git-send-email 2.45.2
MIME-Version: 1.0
X-QQ-SENDSIZE: 520
Feedback-ID: bizesmtpsz:uniontech.com:qybglogicsvrgz:qybglogicsvrgz8a-1
X-QQ-XMAILINFO: Mm/Yx8ZY6QnDL0vQ5ZRRuuBcY6wyS+yuf9CAkzWF5K99u/tRzQ+/stRh
	IU13GfE5sajErRHDaTni4di69HGo9lSbwjySFzdTgaR6Vw9goww7Kz4Xitsnv5DCuST3FFS
	EWrQpn4+YyD/rZXHysnxQr2Rz8qx2HIamINO2wcF0Q000EceoO3+zxzBDod9UcNF1k+qHIC
	apf5wCkuGovoGZZuMNfWmHxWMrTjBdVgH2G5nrZ2JTM8X1qKJORAV1hvayp2+x9/yfBRU6+
	lKPC2gTA8V0vZzjJVPFIPVrv2HWB7JOQPl60avA/8D6NXCaMrx2JnTgTVFfnLqY6dDi0jFc
	aP1sC4cSq3QUCHoDnl4wIfjyiTPODyZx+m1vv/2lqGvL9L0g8MJtiIB23aHJM9h97zI7PZ/
	uEm5sTNwfd6NqIib23sgwMZukdms7J7oX92aygObVqNHwqw+YFRRjdLlLt36V8Gp6I8fFO7
	b/FctHl44whxmC8Ev68Bzu9LXhjhxDNgmmG39zqQShAP+Esq50DVVSFJxonjQLhBzU5s9wP
	grdm49BIZnrnEz5fv9azaUbLvOeKuhFjOFplU0ij3Jp7SiBMY4oF08jESrgE76Mn58DOGJj
	MpJpqesW0njFeDE75yGvWw+/UXhmD2QIQ9eFpWMfj/cdn3xWQjIWo6ilKWmxsyCiJjhcaTM
	El8JNOjWt7oppVmQi2cdNiy04qk+/DZ56BmTXAwaFoZKoWUPcXJwHArBR8bvc4PpJQQqSUS
	bJp36XLBXWe72tk2fNmdcwN6AWkjzHLvIwLdSapK5kklwUc9tpd7GYQvKrXal3cGZTu1D44
	gUKTdECI9G/LZN42PxbZse0q1Q6XKReN5fTBKkMJJ2CwlmPIwI4wdQiUG+AKLVdLfj+Lg5/
	h1BKD+YPTihftPqAkAfhmf+7tINli/G1D97c9MliNwM+0NR7jwQ7CDWVTqH9MmOb315VX9c
	RBZrv/EZCfQM2bcy2DqKN8AWjqEX7ymPskZp/T0NFQh/ClRrDPuo9od2Db7wC9onyPtSXJG
	oSvtHIGTYO2KI8/Clb
X-QQ-XMRINFO: NyFYKkN4Ny6FSmKK/uo/jdU=
X-QQ-RECHKSPAM: 0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20241016_231502_881655_3E728CA5 
X-CRM114-Status: GOOD (  10.10  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

There is a probability that the host machine will also restart
when the virtual machine is restarting.

Commit ad362fe07fec ("KVM: arm64: vgic-its: Avoid potential UAF
in LPI translation cache") released the reference count of an IRQ
when it shouldn't have. This led to a situation where, when the
system finally released the IRQ, it found that the structure had
already been freed, triggering a
'refcount_t: underflow; use-after-free' error.

In fact, the function "vgic_put_irq" should be called by
"vgic_its_inject_cached_translation" instead of
"vgic_its_trigger_msi".

Call trace:
  its_free_ite+0x90/0xa0
  vgic_its_free_device+0x3c/0xa0
  vgic_its_destroy+0x4c/0xb8
  kvm_put_kvm+0x214/0x358
  kvm_vcpu_release+0x24/0x38
  __fput+0x84/0x278
  ____fput+0x20/0x30
  task_work_run+0xcc/0x190
  do_exit+0x36c/0xa88
  do_group_exit+0x4c/0xb8
  __arm64_sys_exit_group+0x24/0x28
  invoke_syscall+0x54/0x120
  el0_svc_common.constprop.4+0x16c/0x1f0
  do_el0_svc+0x34/0xb0
  el0_svc+0x1c/0x28
  el0_sync_handler+0x8c/0xb0
  el0_sync+0x148/0x180

Fixes: ad362fe07fec ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache")
Cc: stable@vger.kernel.org
Signed-off-by: Wenyao Hai <haiwenyao@uniontech.com>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
---
 arch/arm64/kvm/vgic/vgic-its.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
index ba945ba78cc7..fb5f57cbab42 100644
--- a/arch/arm64/kvm/vgic/vgic-its.c
+++ b/arch/arm64/kvm/vgic/vgic-its.c
@@ -679,6 +679,7 @@ static int vgic_its_trigger_msi(struct kvm *kvm, struct vgic_its *its,
 	raw_spin_lock_irqsave(&irq->irq_lock, flags);
 	irq->pending_latch = true;
 	vgic_queue_irq_unlock(kvm, irq, flags);
+	vgic_put_irq(kvm, irq);
 
 	return 0;
 }
@@ -697,7 +698,6 @@ int vgic_its_inject_cached_translation(struct kvm *kvm, struct kvm_msi *msi)
 	raw_spin_lock_irqsave(&irq->irq_lock, flags);
 	irq->pending_latch = true;
 	vgic_queue_irq_unlock(kvm, irq, flags);
-	vgic_put_irq(kvm, irq);
 
 	return 0;
 }