github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-31 02:24:24 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

KVM: arm64: Don't leave mmu->pgt dangling on kvm_init_stage2_mmu() error

Browse Source 
If kvm_init_stage2_mmu() fails to allocate 'mmu->last_vcpu_ran', it
destroys the newly allocated stage-2 page-table before returning ENOMEM.

Unfortunately, it also leaves a dangling pointer in 'mmu->pgt' which
points at the freed 'kvm_pgtable' structure. This is likely to confuse
the kvm_vcpu_init_nested() failure path which can double-free the
structure if it finds it via kvm_free_stage2_pgd().

Ensure that the dangling 'mmu->pgt' pointer is cleared when returning an
error from kvm_init_stage2_mmu().

Link: https://sashiko.dev/#/patchset/20260327140039.21228-1-will%40kernel.org?patch=12265
Signed-off-by: Will Deacon <will@kernel.org>
Link: https://patch.msgid.link/20260327192758.21739-2-will@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
This commit is contained in:
Will Deacon 2026-03-27 19:27:56 +00:00 committed by Marc Zyngier
parent cf6348af64
commit 2fc0f3e2b9
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
arch/arm64/kvm/mmu.c
View File

@ -1013,6 +1013,7 @@ int kvm_init_stage2_mmu(struct kvm *kvm, struct kvm_s2_mmu *mmu, unsigned long t
out_destroy_pgtable:
kvm_stage2_destroy(pgt);
mmu->pgt = NULL;
out_free_pgtable:
kfree(pgt);
return err;