KVM: fix unregistering coalesced mmio zone from wrong bus
author Eric Biggers <ebiggers@google.com>
Mon, 17 Dec 2018 17:36:19 +0000 (09:36 -0800)
committer Paolo Bonzini <pbonzini@redhat.com>
Tue, 18 Dec 2018 21:07:25 +0000 (22:07 +0100)
commit 987d1149be7ddcc1380ff946cf236874421a7e1b
tree 9be3c66bbd4dbee557e1372874b6b913535c73cc
parent 7566ec393f4161572ba6f11ad5171fd5d59b0fbd
KVM: fix unregistering coalesced mmio zone from wrong bus

If you register a kvm_coalesced_mmio_zone with '.pio = 0' but then
unregister it with '.pio = 1', KVM_UNREGISTER_COALESCED_MMIO will try to
unregister it from KVM_PIO_BUS rather than KVM_MMIO_BUS, which is a
no-op.  But it frees the kvm_coalesced_mmio_dev anyway, causing a
use-after-free.

Fix it by only unregistering and freeing the zone if the correct value
of 'pio' is provided.

Reported-by: syzbot+f87f60bb6f13f39b54e3@syzkaller.appspotmail.com
Fixes: 0804c849f1df ("kvm/x86 : add coalesced pio support")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
virt/kvm/coalesced_mmio.c
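The defect the commit message describes is a general one: an unregister path that frees an object after a lookup on the wrong bus quietly did nothing, leaving the bus with a pointer to freed memory. The C model below is an added illustration, not the kernel's code or the patch itself; every name in it (zone_dev, registry, bus_unregister, bus_refs_consistent, ...) is constructed for the example, and only the shape of the bug and of the fix follows the message. The buggy path frees regardless of what the bus detach returned; the fixed path frees only a device that was actually detached from the requested bus. A bus-reference invariant makes the dangling pointer visible as a count mismatch instead of by touching freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of a coalesced-zone registry with two buses. All names
 * here (zone_dev, registry, bus_unregister, ...) belong to this example, not
 * to the kernel; only the shape of the bug and its fix follows the commit. */

enum bus_kind { BUS_MMIO = 0, BUS_PIO = 1 };  /* stand-ins for KVM_MMIO_BUS / KVM_PIO_BUS */

struct zone {
    unsigned long addr, size;
    int pio;                  /* 0: MMIO zone, 1: PIO zone; selects the bus */
};

struct zone_dev {
    struct zone zone;
    enum bus_kind bus;        /* bus this device is actually attached to */
    struct zone_dev *next;
};

struct registry {
    struct zone_dev *zones;   /* every registered coalesced zone */
    int bus_refs[2];          /* devices each bus still points at */
};

static bool in_range(const struct zone_dev *d, unsigned long addr, unsigned long size)
{
    return d->zone.addr <= addr && addr + size <= d->zone.addr + d->zone.size;
}

/* Attach a device to the bus chosen by z->pio and record it in the zone list. */
int register_zone(struct registry *r, const struct zone *z)
{
    struct zone_dev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return -1;
    dev->zone = *z;
    dev->bus = z->pio ? BUS_PIO : BUS_MMIO;
    dev->next = r->zones;
    r->zones = dev;
    r->bus_refs[dev->bus]++;
    return 0;
}

/* Detach from one bus. Asking the wrong bus is a no-op that reports failure. */
static int bus_unregister(struct registry *r, enum bus_kind bus, struct zone_dev *dev)
{
    if (dev->bus != bus)
        return -1;
    r->bus_refs[bus]--;
    return 0;
}

/* Shared unlink loop. require_detach == false reproduces the buggy shape
 * (free regardless of what the bus said); true is the fixed shape (free only
 * a device that was actually detached from the requested bus). */
static int unlink_zones(struct registry *r, const struct zone *z, bool require_detach)
{
    enum bus_kind bus = z->pio ? BUS_PIO : BUS_MMIO;
    struct zone_dev **pp = &r->zones;
    int freed = 0;
    while (*pp) {
        struct zone_dev *dev = *pp;
        if (in_range(dev, z->addr, z->size) &&
            (bus_unregister(r, bus, dev) == 0 || !require_detach)) {
            *pp = dev->next;  /* unlink and free; after a failed detach the bus still points here */
            free(dev);
            freed++;
            continue;
        }
        pp = &dev->next;
    }
    return freed;
}

int buggy_unregister_zone(struct registry *r, const struct zone *z) { return unlink_zones(r, z, false); }
int unregister_zone(struct registry *r, const struct zone *z) { return unlink_zones(r, z, true); }

/* Invariant worth asserting: every bus reference maps to a live device, so a
 * dangling reference shows up as a count mismatch without touching freed memory. */
bool bus_refs_consistent(const struct registry *r)
{
    int live = 0;
    for (const struct zone_dev *d = r->zones; d; d = d->next)
        live++;
    return r->bus_refs[BUS_MMIO] + r->bus_refs[BUS_PIO] == live;
}

/* The commit's scenario: register with pio = 0, then unregister with pio = 1,
 * through the fixed or the buggy path. True only if the registry stays consistent;
 * for the fixed path also that nothing was freed and the matching pio then frees cleanly. */
bool wrong_pio_leaves_registry_consistent(bool fixed)
{
    struct registry r = {0};
    struct zone z = { 0x1000, 0x100, 0 }, wrong = z;
    wrong.pio = 1;
    if (register_zone(&r, &z) != 0)
        return false;
    int freed = fixed ? unregister_zone(&r, &wrong) : buggy_unregister_zone(&r, &wrong);
    bool ok = bus_refs_consistent(&r);
    if (fixed)
        ok = ok && freed == 0 && unregister_zone(&r, &z) == 1 &&
             bus_refs_consistent(&r) && r.zones == NULL;
    return ok;
}
```

The fixed path only frees after the detach succeeded, which is exactly the property a reviewer should check in any unregister routine that does a lookup first: a lookup that can be a no-op must gate the free. The invariant check is the kind of assertion a debug build or a fuzzing harness like the reporting syzbot instance would trip on long before a real use-after-free is observed.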