| From 594b27e677b35f9734b1969d175ebc6146741109 Mon Sep 17 00:00:00 2001 |
| From: Thomas Gleixner <tglx@linutronix.de> |
| Date: Wed, 5 May 2021 23:48:17 +0200 |
| Subject: KVM: x86: Cancel pvclock_gtod_work on module removal |
| |
| From: Thomas Gleixner <tglx@linutronix.de> |
| |
| commit 594b27e677b35f9734b1969d175ebc6146741109 upstream. |
| |
| Nothing prevents the following: |
| |
| pvclock_gtod_notify() |
| queue_work(system_long_wq, &pvclock_gtod_work); |
| ... |
| remove_module(kvm); |
| ... |
| work_queue_run() |
| pvclock_gtod_work() <- UAF |
| |
| Ditto for any other operation on that workqueue list head which touches |
| pvclock_gtod_work after module removal. |
| |
| Cancel the work in kvm_arch_exit() to prevent that. |
| |
| Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes") |
| Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
| Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de> |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/x86/kvm/x86.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/arch/x86/kvm/x86.c |
| +++ b/arch/x86/kvm/x86.c |
| @@ -6420,6 +6420,7 @@ void kvm_arch_exit(void) |
| cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE); |
| #ifdef CONFIG_X86_64 |
| pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier); |
| + cancel_work_sync(&pvclock_gtod_work); |
| #endif |
| kvm_x86_ops = NULL; |
| kvm_mmu_module_exit(); |
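Review bot: the ordering of the new line is the whole fix, so a short comment next to it would help future readers: cancel_work_sync(&pvclock_gtod_work) has to stay after pvclock_gtod_unregister_notifier(), because a notifier callback that fires between a cancel and the unregister could re-queue the work and reproduce exactly the use-after-free the commit message describes. Choosing cancel_work_sync() over a non-blocking cancel is the right call here, since it also waits for an already-running pvclock_gtod_work() to return before kvm_x86_ops is set to NULL below and the module is unloaded; kvm_arch_exit() runs in process context, so the sleeping wait is permitted.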