From: Christoffer Dall
To: kvmarm@lists.cs.columbia.edu
Cc: kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linaro-kernel@lists.linaro.org, patches@linaro.org, Christoffer Dall
Subject: [PATCH] ARM: KVM: Fix unaligned unmap_range leak
Date: Thu, 8 Aug 2013 20:53:08 -0700
Message-Id: <1376020388-9880-1-git-send-email-christoffer.dall@linaro.org>

The unmap_range function did not properly cover the case when the start address was not aligned to PMD_SIZE or PUD_SIZE and an entire pte table or pmd table was cleared, causing us to leak memory when incrementing the addr.

The fix is to always move onto the next page table entry boundary instead of adding the full size of the VA range covered by the corresponding table level entry.

Acked-by: Marc Zyngier
Signed-off-by: Christoffer Dall
---
 arch/arm/kvm/mmu.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c index ca6bea4..80a83ec 100644 --- a/arch/arm/kvm/mmu.c +++ b/arch/arm/kvm/mmu.c 
@@ -132,37 +132,37 @@ static void unmap_range(struct kvm *kvm, pgd_t *pgdp, pmd_t *pmd; pte_t *pte; unsigned long long addr = start, end = start + size; - u64 range; + u64 next; while (addr < end) { pgd = pgdp + pgd_index(addr); pud = pud_offset(pgd, addr); if (pud_none(*pud)) { - addr += PUD_SIZE; + addr = pud_addr_end(addr, end); continue; } pmd = pmd_offset(pud, addr); if (pmd_none(*pmd)) { - addr += PMD_SIZE; + addr = pmd_addr_end(addr, end); continue; } pte = pte_offset_kernel(pmd, addr); clear_pte_entry(kvm, pte, addr); - range = PAGE_SIZE; + next = addr + PAGE_SIZE; /* If we emptied the pte, walk back up the ladder */ if (pte_empty(pte)) { clear_pmd_entry(kvm, pmd, addr); - range = PMD_SIZE; + next = pmd_addr_end(addr, end); if (pmd_empty(pmd)) { clear_pud_entry(kvm, pud, addr); - range = PUD_SIZE; + next = pud_addr_end(addr, end); } } - addr += range; + addr = next; } }
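
Review bot: At all four pud_addr_end(addr, end) / pmd_addr_end(addr, end) call sites, addr and end are declared unsigned long long and the result lands in a u64 next, so the fix is only correct if both helpers compute the boundary at 64-bit width in arch/arm; please confirm that or open-code the rounding with a 64-bit mask, since a truncated boundary would make the loop mis-step or stop early for addresses above 4 GiB. Separately, the pud_none() and pmd_none() skip paths also change from "addr += PUD_SIZE" / "addr += PMD_SIZE" to the boundary helpers, which the commit message does not mention; a sentence there, plus a short comment above "next = addr + PAGE_SIZE;" saying that next is a table boundary rather than a fixed stride, would help later readers.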