diff options
author | Quentin Casasnovas <quentin.casasnovas@oracle.com> | 2014-10-18 00:55:59 +0400 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2014-10-24 15:30:37 +0400 |
commit | 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f (patch) | |
tree | 977b69a4db7362325a5fda148ba2e43e2a8e07df /crypto/crc32c_generic.c | |
parent | 3f6f1480d86bf9fc16c160d803ab1d006e3058d5 (diff) | |
download | linux-3d32e4dbe71374a6780eaf51d719d76f9a9bf22f.tar.xz |
kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
The third parameter of kvm_unpin_pages() when called from
kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
and not the page size.
This error was facilitated with an inconsistent API: kvm_pin_pages() takes
a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
by matching the two.
This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
un-pinning for pages intended to be un-pinned (i.e. memory leak) but
unfortunately potentially aggravated the number of pages we un-pin that
should have stayed pinned. As far as I understand though, the same
practical mitigations apply.
This issue was found during review of Red Hat 6.6 patches to prepare
Ksplice rebootless updates.
Thanks to Vegard for his time on a late Friday evening to help me in
understanding this code.
Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
Cc: stable@vger.kernel.org
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'crypto/crc32c_generic.c')
0 files changed, 0 insertions, 0 deletions