A patch similar to commit 5593473a1e6c ("KVM: avoid NULL pointer dereference in kvm_dirty_ring_push"). If kvm_get_vcpu_by_id() or xa_insert() failed, kvm_vm_ioctl_create_vcpu() will call kvm_dirty_ring_free(), freeing ring->dirty_gfns and setting it to NULL. Then, it calls kvm_arch_vcpu_destroy(), which may call kvm_dirty_ring_push() in specific call stack under the same conditions as previous commit said. Finally, kvm_dirty_ring_push() will use ring->dirty_gfns, leading to a NULL pointer dereference. v2: - fixed in better way by just moving the position of kvm_dirty_ring_free v1: https://lore.kernel.org/kvm/596ce9b2-aa00-4bc5-ae20-451f3176d904@xxxxxxxxxx Signed-off-by: Chen Yufeng <chenyufeng@xxxxxxxxx> --- virt/kvm/kvm_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index e85b33a92624..089efc4d01c6 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -4178,9 +4178,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id) xa_erase(&kvm->vcpu_array, vcpu->vcpu_idx); unlock_vcpu_destroy: mutex_unlock(&kvm->lock); - kvm_dirty_ring_free(&vcpu->dirty_ring); arch_vcpu_destroy: kvm_arch_vcpu_destroy(vcpu); + kvm_dirty_ring_free(&vcpu->dirty_ring); vcpu_free_run_page: free_page((unsigned long)vcpu->run); vcpu_free: -- 2.34.1
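Review bot: the move changes which error paths reach kvm_dirty_ring_free(): with the free now placed after the `arch_vcpu_destroy:` label, any `goto arch_vcpu_destroy` taken before the dirty ring was allocated (not visible in this hunk) now also calls kvm_dirty_ring_free() on a ring that was never set up, whereas before it skipped the free entirely. The commit message should state that this is intentional and safe (that kvm_dirty_ring_free() tolerates an unallocated ring), since that is what makes the reordering correct rather than just moving the bug. Two smaller points: the change fixes an ordering problem in an existing code path, so a `Fixes:` tag naming the commit that introduced the current order would help backporting; and the `v2:`/`v1:` changelog lines sit above the `---` separator, so as written they would land in the permanent commit message; they belong below the `---`, next to the diffstat.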