Herton Ronaldo Krzesinski 06-29-2012 04:32 PM

KVM: MMU: do not free active mmu pages in free_mmu_pages()
 
From: Gleb Natapov <gleb@redhat.com>

CVE-2012-1601

BugLink: http://bugs.launchpad.net/bugs/971685

free_mmu_pages() should only undo what alloc_mmu_pages() does.
Free mmu pages from the generic VM destruction function, kvm_destroy_vm().

Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
(backported from commit f00be0cae4e6ad0a8c7be381c6d9be3586800b3e upstream)
[ herton: backport details: cond_resched() wasn't called from
free_mmu_pages in 2.6.24, rediff was necessary. Also, we still didn't
have mmu notifier stuff, so just call kvm_arch_flush_shadow
unconditionally ]
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
---
arch/x86/kvm/mmu.c | 7 -------
.../binary-custom.d/openvz/src/arch/x86/kvm/mmu.c | 7 -------
.../binary-custom.d/openvz/src/virt/kvm/kvm_main.c | 1 +
debian/binary-custom.d/xen/src/arch/x86/kvm/mmu.c | 7 -------
debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c | 1 +
virt/kvm/kvm_main.c | 1 +
6 files changed, 3 insertions(+), 21 deletions(-)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 95d4132..1505902 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -1844,13 +1844,6 @@ EXPORT_SYMBOL_GPL(kvm_enable_tdp);

static void free_mmu_pages(struct kvm_vcpu *vcpu)
{
- struct kvm_mmu_page *sp;
-
- while (!list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
- sp = container_of(vcpu->kvm->arch.active_mmu_pages.next,
- struct kvm_mmu_page, link);
- kvm_mmu_zap_page(vcpu->kvm, sp);
- }
free_page((unsigned long)vcpu->arch.mmu.pae_root);
}

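Review bot: the removed loop walked vcpu->kvm->arch.active_mmu_pages, a list reached through vcpu->kvm and therefore scoped to the whole VM, from a function that tears down a single vcpu, so freeing one vcpu could zap shadow pages belonging to the VM as a whole; restricting free_mmu_pages() to free_page((unsigned long)vcpu->arch.mmu.pae_root), the one thing alloc_mmu_pages() is responsible for, is the right scope. Since the VM-wide zap now happens only from kvm_destroy_vm(), a one-line comment above free_mmu_pages() stating that active pages are flushed by the generic VM teardown would keep the next reader from re-adding the loop.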
diff --git a/debian/binary-custom.d/openvz/src/arch/x86/kvm/mmu.c b/debian/binary-custom.d/openvz/src/arch/x86/kvm/mmu.c
index 95d4132..1505902 100644
--- a/debian/binary-custom.d/openvz/src/arch/x86/kvm/mmu.c
+++ b/debian/binary-custom.d/openvz/src/arch/x86/kvm/mmu.c
@@ -1844,13 +1844,6 @@ EXPORT_SYMBOL_GPL(kvm_enable_tdp);

static void free_mmu_pages(struct kvm_vcpu *vcpu)
{
- struct kvm_mmu_page *sp;
-
- while (!list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
- sp = container_of(vcpu->kvm->arch.active_mmu_pages.next,
- struct kvm_mmu_page, link);
- kvm_mmu_zap_page(vcpu->kvm, sp);
- }
free_page((unsigned long)vcpu->arch.mmu.pae_root);
}

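Review bot: this hunk is a verbatim duplicate of the arch/x86/kvm/mmu.c change applied to the openvz custom tree; the index line 95d4132..1505902 matches the main tree, which confirms the copies were identical before and after. Worth stating in the backport note that the three copies of mmu.c are expected to stay in lockstep, since a later fix landing in only one of them would silently diverge.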
diff --git a/debian/binary-custom.d/openvz/src/virt/kvm/kvm_main.c b/debian/binary-custom.d/openvz/src/virt/kvm/kvm_main.c
index 2a4bdbd..a1794b6 100644
--- a/debian/binary-custom.d/openvz/src/virt/kvm/kvm_main.c
+++ b/debian/binary-custom.d/openvz/src/virt/kvm/kvm_main.c
@@ -238,6 +238,7 @@ static void kvm_destroy_vm(struct kvm *kvm)
spin_unlock(&kvm_lock);
kvm_io_bus_destroy(&kvm->pio_bus);
kvm_io_bus_destroy(&kvm->mmio_bus);
+ kvm_arch_flush_shadow(kvm);
kvm_arch_destroy_vm(kvm);
mmdrop(mm);
}
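Review bot: the new kvm_arch_flush_shadow(kvm) call has an ordering dependence that the hunk does not document: it must stay before kvm_arch_destroy_vm(kvm), because with the loop removed from free_mmu_pages() this is now the only place the VM's active shadow pages are torn down. It also runs after spin_unlock(&kvm_lock), so it cannot rely on kvm_lock and any locking it needs must come from the callee. Suggest a short comment at the call site, e.g. "/* zap all shadow pages before the vcpus (and pae_root) go away */", and carrying over the backport note's justification that the call is unconditional here because this tree has no mmu notifiers.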
diff --git a/debian/binary-custom.d/xen/src/arch/x86/kvm/mmu.c b/debian/binary-custom.d/xen/src/arch/x86/kvm/mmu.c
index 95d4132..1505902 100644
--- a/debian/binary-custom.d/xen/src/arch/x86/kvm/mmu.c
+++ b/debian/binary-custom.d/xen/src/arch/x86/kvm/mmu.c
@@ -1844,13 +1844,6 @@ EXPORT_SYMBOL_GPL(kvm_enable_tdp);

static void free_mmu_pages(struct kvm_vcpu *vcpu)
{
- struct kvm_mmu_page *sp;
-
- while (!list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
- sp = container_of(vcpu->kvm->arch.active_mmu_pages.next,
- struct kvm_mmu_page, link);
- kvm_mmu_zap_page(vcpu->kvm, sp);
- }
free_page((unsigned long)vcpu->arch.mmu.pae_root);
}

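Review bot: same content as the two earlier mmu.c hunks, this time for the xen custom tree (index 95d4132..1505902 again). No separate logic concern, but this is the third hand-synchronised copy of the same seven-line removal; if the build system cannot share the file, a note in the commit message listing all three paths would make it easier to audit that none was missed.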
diff --git a/debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c b/debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c
index 2a4bdbd..a1794b6 100644
--- a/debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c
+++ b/debian/binary-custom.d/xen/src/virt/kvm/kvm_main.c
@@ -238,6 +238,7 @@ static void kvm_destroy_vm(struct kvm *kvm)
spin_unlock(&kvm_lock);
kvm_io_bus_destroy(&kvm->pio_bus);
kvm_io_bus_destroy(&kvm->mmio_bus);
+ kvm_arch_flush_shadow(kvm);
kvm_arch_destroy_vm(kvm);
mmdrop(mm);
}
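Review bot: identical to the openvz kvm_main.c hunk (index 2a4bdbd..a1794b6), so the same points apply: kvm_arch_flush_shadow(kvm) must remain ahead of kvm_arch_destroy_vm(kvm), and the reason the call is unconditional in this tree is only recorded in the bracketed backport note, not in the code. A one-line comment above the call would preserve that.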
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 2a4bdbd..a1794b6 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -238,6 +238,7 @@ static void kvm_destroy_vm(struct kvm *kvm)
spin_unlock(&kvm_lock);
kvm_io_bus_destroy(&kvm->pio_bus);
kvm_io_bus_destroy(&kvm->mmio_bus);
+ kvm_arch_flush_shadow(kvm);
kvm_arch_destroy_vm(kvm);
mmdrop(mm);
}
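Review bot: this is the main-tree copy of the kvm_main.c change; the missing piece across all three copies is documentation of why the flush sits between kvm_io_bus_destroy(&kvm->mmio_bus) and kvm_arch_destroy_vm(kvm). A comment here explaining that shadow pages are now zapped once per VM, after the I/O buses are gone and before the per-vcpu teardown frees pae_root, would close that gap; the code itself reads correctly.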
--
1.7.9.5


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

