From mboxrd@z Thu Jan  1 00:00:00 1970
From: Christoffer Dall <cdall@linaro.org>
Subject: [PULL 11/13] kvm: arm/arm64: Fix use after free of stage2 page table
Date: Thu, 18 May 2017 11:47:20 +0200
Message-ID: <20170518094722.9926-12-cdall@linaro.org>
References: <20170518094722.9926-1-cdall@linaro.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Cc: Christoffer Dall <cdall@linaro.org>, kvm@vger.kernel.org,
 Marc Zyngier <marc.zyngier@arm.com>, andreyknvl@google.com,
 stable@vger.kernel.org, kvmarm@lists.cs.columbia.edu,
 linux-arm-kernel@lists.infradead.org
To: Paolo Bonzini <pbonzini@redhat.com>,
 =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
Return-path: <kvmarm-bounces@lists.cs.columbia.edu>
In-Reply-To: <20170518094722.9926-1-cdall@linaro.org>
List-Unsubscribe: <https://lists.cs.columbia.edu/mailman/options/kvmarm>,
 <mailto:kvmarm-request@lists.cs.columbia.edu?subject=unsubscribe>
List-Archive: <https://lists.cs.columbia.edu/pipermail/kvmarm>
List-Post: <mailto:kvmarm@lists.cs.columbia.edu>
List-Help: <mailto:kvmarm-request@lists.cs.columbia.edu?subject=help>
List-Subscribe: <https://lists.cs.columbia.edu/mailman/listinfo/kvmarm>,
 <mailto:kvmarm-request@lists.cs.columbia.edu?subject=subscribe>
Errors-To: kvmarm-bounces@lists.cs.columbia.edu
Sender: kvmarm-bounces@lists.cs.columbia.edu
List-Id: kvm.vger.kernel.org

RnJvbTogU3V6dWtpIEsgUG91bG9zZSA8c3V6dWtpLnBvdWxvc2VAYXJtLmNvbT4KCldlIHlpZWxk
IHRoZSBrdm0tPm1tdV9sb2NrIG9jY2Fzc2lvbmFseSB3aGlsZSBwZXJmb3JtaW5nIGFuIG9wZXJh
dGlvbgooZS5nLCB1bm1hcCBvciBwZXJtaXNzaW9uIGNoYW5nZXMpIG9uIGEgbGFyZ2UgYXJlYSBv
ZiBzdGFnZTIgbWFwcGluZ3MuCkhvd2V2ZXIgdGhpcyBjb3VsZCBwb3NzaWJseSBjYXVzZSBhbm90
aGVyIHRocmVhZCB0byBjbGVhciBhbmQgZnJlZSB1cAp0aGUgc3RhZ2UyIHBhZ2UgdGFibGVzIHdo
aWxlIHdlIHdlcmUgd2FpdGluZyBmb3IgcmVnYWluaW5nIHRoZSBsb2NrIGFuZAp0aHVzIHRoZSBv
cmlnaW5hbCB0aHJlYWQgY291bGQgZW5kIHVwIGluIGFjY2Vzc2luZyBtZW1vcnkgdGhhdCB3YXMK
ZnJlZWQuIFRoaXMgcGF0Y2ggZml4ZXMgdGhlIHByb2JsZW0gYnkgbWFraW5nIHN1cmUgdGhhdCB0
aGUgc3RhZ2UyCnBhZ2V0YWJsZSBpcyBzdGlsbCB2YWxpZCBhZnRlciB3ZSByZWdhaW4gdGhlIGxv
Y2suIFRoZSBmYWN0IHRoYXQKbW11X25vdGlmZXItPnJlbGVhc2UoKSBjb3VsZCBiZSBjYWxsZWQg
dHdpY2UgKHZpYSBfX21tdV9ub3RpZmllcl9yZWxlYXNlCmFuZCBtbXVfbm90aWZpZXJfdW5yZWdz
aXN0ZXIpIGVuaGFuY2VzIHRoZSBwb3NzaWJpbGl0eSBvZiBoaXR0aW5nCnRoaXMgcmFjZSB3aGVy
ZSB0aGVyZSBhcmUgdHdvIHRocmVhZHMgdHJ5aW5nIHRvIHVubWFwIHRoZSBlbnRpcmUgZ3Vlc3QK
c2hhZG93IHBhZ2VzLgoKV2hpbGUgYXQgaXQsIGNsZWFudXAgdGhlIHJlZHVkYW50IGNoZWNrcyBh
cm91bmQgY29uZF9yZXNjaGVkX2xvY2sgaW4Kc3RhZ2UyX3dwX3JhbmdlKCksIGFzIGNvbmRfcmVz
Y2hlZF9sb2NrIGFscmVhZHkgZG9lcyB0aGUgc2FtZSBjaGVja3MuCgpDYzogTWFyayBSdXRsYW5k
IDxtYXJrLnJ1dGxhbmRAYXJtLmNvbT4KQ2M6IFJhZGltIEtyxI1tw6HFmSA8cmtyY21hckByZWRo
YXQuY29tPgpDYzogYW5kcmV5a252bEBnb29nbGUuY29tCkNjOiBQYW9sbyBCb256aW5pIDxwYm9u
emluaUByZWRoYXQuY29tPgpDYzogc3RhYmxlQHZnZXIua2VybmVsLm9yZwpBY2tlZC1ieTogTWFy
YyBaeW5naWVyIDxtYXJjLnp5bmdpZXJAYXJtLmNvbT4KU2lnbmVkLW9mZi1ieTogU3V6dWtpIEsg
UG91bG9zZSA8c3V6dWtpLnBvdWxvc2VAYXJtLmNvbT4KUmV2aWV3ZWQtYnk6IENocmlzdG9mZmVy
IERhbGwgPGNkYWxsQGxpbmFyby5vcmc+ClNpZ25lZC1vZmYtYnk6IENocmlzdG9mZmVyIERhbGwg
PGNkYWxsQGxpbmFyby5vcmc+Ci0tLQogdmlydC9rdm0vYXJtL21tdS5jIHwgMTcgKysrKysrKysr
KysrKy0tLS0KIDEgZmlsZSBjaGFuZ2VkLCAxMyBpbnNlcnRpb25zKCspLCA0IGRlbGV0aW9ucygt
KQoKZGlmZiAtLWdpdCBhL3ZpcnQva3ZtL2FybS9tbXUuYyBiL3ZpcnQva3ZtL2FybS9tbXUuYwpp
bmRleCA3MDRlMzVmLi5hMmQ2MzI0IDEwMDY0NAotLS0gYS92aXJ0L2t2bS9hcm0vbW11LmMKKysr
IGIvdmlydC9rdm0vYXJtL21tdS5jCkBAIC0yOTUsNiArMjk1LDEzIEBAIHN0YXRpYyB2b2lkIHVu
bWFwX3N0YWdlMl9yYW5nZShzdHJ1Y3Qga3ZtICprdm0sIHBoeXNfYWRkcl90IHN0YXJ0LCB1NjQg
c2l6ZSkKIAlhc3NlcnRfc3Bpbl9sb2NrZWQoJmt2bS0+bW11X2xvY2spOwogCXBnZCA9IGt2bS0+
YXJjaC5wZ2QgKyBzdGFnZTJfcGdkX2luZGV4KGFkZHIpOwogCWRvIHsKKwkJLyoKKwkJICogTWFr
ZSBzdXJlIHRoZSBwYWdlIHRhYmxlIGlzIHN0aWxsIGFjdGl2ZSwgYXMgYW5vdGhlciB0aHJlYWQK
KwkJICogY291bGQgaGF2ZSBwb3NzaWJseSBmcmVlZCB0aGUgcGFnZSB0YWJsZSwgd2hpbGUgd2Ug
cmVsZWFzZWQKKwkJICogdGhlIGxvY2suCisJCSAqLworCQlpZiAoIVJFQURfT05DRShrdm0tPmFy
Y2gucGdkKSkKKwkJCWJyZWFrOwogCQluZXh0ID0gc3RhZ2UyX3BnZF9hZGRyX2VuZChhZGRyLCBl
bmQpOwogCQlpZiAoIXN0YWdlMl9wZ2Rfbm9uZSgqcGdkKSkKIAkJCXVubWFwX3N0YWdlMl9wdWRz
KGt2bSwgcGdkLCBhZGRyLCBuZXh0KTsKQEAgLTExNzAsMTEgKzExNzcsMTMgQEAgc3RhdGljIHZv
aWQgc3RhZ2UyX3dwX3JhbmdlKHN0cnVjdCBrdm0gKmt2bSwgcGh5c19hZGRyX3QgYWRkciwgcGh5
c19hZGRyX3QgZW5kKQogCQkgKiBsYXJnZS4gT3RoZXJ3aXNlLCB3ZSBtYXkgc2VlIGtlcm5lbCBw
YW5pY3Mgd2l0aAogCQkgKiBDT05GSUdfREVURUNUX0hVTkdfVEFTSywgQ09ORklHX0xPQ0tVUF9E
RVRFQ1RPUiwKIAkJICogQ09ORklHX0xPQ0tERVAuIEFkZGl0aW9uYWxseSwgaG9sZGluZyB0aGUg
bG9jayB0b28gbG9uZwotCQkgKiB3aWxsIGFsc28gc3RhcnZlIG90aGVyIHZDUFVzLgorCQkgKiB3
aWxsIGFsc28gc3RhcnZlIG90aGVyIHZDUFVzLiBXZSBoYXZlIHRvIGFsc28gbWFrZSBzdXJlCisJ
CSAqIHRoYXQgdGhlIHBhZ2UgdGFibGVzIGFyZSBub3QgZnJlZWQgd2hpbGUgd2UgcmVsZWFzZWQK
KwkJICogdGhlIGxvY2suCiAJCSAqLwotCQlpZiAobmVlZF9yZXNjaGVkKCkgfHwgc3Bpbl9uZWVk
YnJlYWsoJmt2bS0+bW11X2xvY2spKQotCQkJY29uZF9yZXNjaGVkX2xvY2soJmt2bS0+bW11X2xv
Y2spOwotCisJCWNvbmRfcmVzY2hlZF9sb2NrKCZrdm0tPm1tdV9sb2NrKTsKKwkJaWYgKCFSRUFE
X09OQ0Uoa3ZtLT5hcmNoLnBnZCkpCisJCQlicmVhazsKIAkJbmV4dCA9IHN0YWdlMl9wZ2RfYWRk
cl9lbmQoYWRkciwgZW5kKTsKIAkJaWYgKHN0YWdlMl9wZ2RfcHJlc2VudCgqcGdkKSkKIAkJCXN0
YWdlMl93cF9wdWRzKHBnZCwgYWRkciwgbmV4dCk7Ci0tIAoyLjkuMAoKX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18Ka3ZtYXJtIG1haWxpbmcgbGlzdAprdm1h
cm1AbGlzdHMuY3MuY29sdW1iaWEuZWR1Cmh0dHBzOi8vbGlzdHMuY3MuY29sdW1iaWEuZWR1L21h
aWxtYW4vbGlzdGluZm8va3ZtYXJtCg==