From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH] kvm:iommu: fix the third parameter of kvm_iommu_put_pages
Date: Tue, 19 Aug 2014 15:00:06 +0200
Message-ID: <53F34A56.3040801@redhat.com>
References: <1408446890-8284-1-git-send-email-zhang.zhanghailiang@huawei.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: gleb@kernel.org, peter.huangpeng@huawei.com, luonengjun@huawei.com,
	"Michael S. Tsirkin" <mst@redhat.com>
To: zhanghailiang <zhang.zhanghailiang@huawei.com>, kvm@vger.kernel.org
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-we0-f181.google.com ([74.125.82.181]:47524 "EHLO
	mail-we0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750789AbaHSNAL (ORCPT <rfc822;kvm@vger.kernel.org>);
	Tue, 19 Aug 2014 09:00:11 -0400
Received: by mail-we0-f181.google.com with SMTP id k48so6437650wev.40
        for <kvm@vger.kernel.org>; Tue, 19 Aug 2014 06:00:10 -0700 (PDT)
In-Reply-To: <1408446890-8284-1-git-send-email-zhang.zhanghailiang@huawei.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

Il 19/08/2014 13:14, zhanghailiang ha scritto:
> The third parameter of kvm_iommu_put_pages is wrong,
> It should be 'gfn-slot->base_gfn'

This fixes a crash, doesn't it?  Please mention it in the commit
message, because we have to assign a CVE for this kind of issue.  It
will be CVE-2014-3601.

I have learnt about this crash last week from Michael Tsirkin, whose
patch also had the following hunk:

diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
index 0df7d4b34dfe..1e458a7d96f1 100644
--- a/virt/kvm/iommu.c
+++ b/virt/kvm/iommu.c
@@ -123,6 +123,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct
kvm_memory_slot *slot)
 		if (r) {
 			printk(KERN_ERR "kvm_iommu_map_address:"
 			       "iommu failed to map pfn=%llx\n", pfn);
+			kvm_unpin_pages(kvm, pfn, page_size);
 			goto unmap_pages;
 		}

So I'm going to apply his instead.

Thanks for the report,

Paolo

> Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
> ---
>  virt/kvm/iommu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
> index 0df7d4b..c02f9a3 100644
> --- a/virt/kvm/iommu.c
> +++ b/virt/kvm/iommu.c
> @@ -134,7 +134,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
>  	return 0;
>  
>  unmap_pages:
> -	kvm_iommu_put_pages(kvm, slot->base_gfn, gfn);
> +	kvm_iommu_put_pages(kvm, slot->base_gfn, gfn - slot->base_gfn);
>  	return r;
>  }
>  
>