KVM: avoid double put_page with gfn-to-pfn cache

dwmw2 · bonzini · commit 79593c086eb9 · 2022-04-02T05:34:39.000-04:00
If the cache's user host virtual address becomes invalid, there is still a path from kvm_gfn_to_pfn_cache_refresh() where __release_gpc() could release the pfn but the gpc->pfn field has not been overwritten with an error value. If this happens, kvm_gfn_to_pfn_cache_unmap will call put_page again on the same page. Cc: stable@vger.kernel.org Fixes: 982ed0d ("KVM: Reinstate gfn_to_pfn_cache with invalidation support") Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
@@ -191,6 +191,7 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
 		gpc->uhva = gfn_to_hva_memslot(gpc->memslot, gfn);
 
 		if (kvm_is_error_hva(gpc->uhva)) {
+			gpc->pfn = KVM_PFN_ERR_FAULT;
 			ret = -EFAULT;
 			goto out;
 		}

Original file line number	Diff line number	Diff line change
`@@ -191,6 +191,7 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm kvm, struct gfn_to_pfn_cache gpc,`
`191`	`191`	`gpc->uhva = gfn_to_hva_memslot(gpc->memslot, gfn);`
`192`	`192`
`193`	`193`	`if (kvm_is_error_hva(gpc->uhva)) {`
	`194`	`+ gpc->pfn = KVM_PFN_ERR_FAULT;`
`194`	`195`	`ret = -EFAULT;`
`195`	`196`	`goto out;`
`196`	`197`	`}`