dba788e25f
commit ad362fe07fecf0aba839ff2cc59a3617bd42c33f upstream. There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt. Cc: stable@vger.kernel.org Signed-off-by: Oliver Upton <oliver.upton@linux.dev> Signed-off-by: Marc Zyngier <maz@kernel.org> Link: https://lore.kernel.org/r/20240104183233.3560639-1-oliver.upton@linux.dev Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| hyp | ||
| vgic | ||
| .gitignore | ||
| Kconfig | ||
| Makefile | ||
| arch_timer.c | ||
| arm.c | ||
| debug.c | ||
| fpsimd.c | ||
| guest.c | ||
| handle_exit.c | ||
| hypercalls.c | ||
| inject_fault.c | ||
| irq.h | ||
| mmio.c | ||
| mmu.c | ||
| pkvm.c | ||
| pmu-emul.c | ||
| pmu.c | ||
| psci.c | ||
| pvtime.c | ||
| reset.c | ||
| stacktrace.c | ||
| sys_regs.c | ||
| sys_regs.h | ||
| trace.h | ||
| trace_arm.h | ||
| trace_handle_exit.h | ||
| trng.c | ||
| va_layout.c | ||
| vgic-sys-reg-v3.c | ||
| vmid.c | ||