From patchwork Mon Aug 12 04:12:59 2013
X-Patchwork-Submitter: Christoffer Dall
X-Patchwork-Id: 18991
From: Christoffer Dall
To: Paolo Bonzini, Gleb Natapov
Cc: kvm@vger.kernel.org, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, linaro-kernel@lists.linaro.org, patches@linaro.org, Christoffer Dall
Subject: [PATCH 2/4] ARM: KVM: Fix unaligned unmap_range leak
Date: Sun, 11 Aug 2013 21:12:59 -0700
Message-Id: <1376280781-6539-3-git-send-email-christoffer.dall@linaro.org>
In-Reply-To: <1376280781-6539-1-git-send-email-christoffer.dall@linaro.org>

The unmap_range function did not properly cover the case when the start address was not aligned to PMD_SIZE or PUD_SIZE and an entire pte table or pmd table was cleared, causing us to leak memory when incrementing the addr.

The fix is to always move onto the next page table entry boundary instead of adding the full size of the VA range covered by the corresponding table level entry.

Acked-by: Marc Zyngier
Signed-off-by: Christoffer Dall
---
 arch/arm/kvm/mmu.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c index ca6bea4..80a83ec 100644 --- a/arch/arm/kvm/mmu.c +++ b/arch/arm/kvm/mmu.c 
@@ -132,37 +132,37 @@ static void unmap_range(struct kvm *kvm, pgd_t *pgdp, pmd_t *pmd; pte_t *pte; unsigned long long addr = start, end = start + size; - u64 range; + u64 next; while (addr < end) { pgd = pgdp + pgd_index(addr); pud = pud_offset(pgd, addr); if (pud_none(*pud)) { - addr += PUD_SIZE; + addr = pud_addr_end(addr, end); continue; } pmd = pmd_offset(pud, addr); if (pmd_none(*pmd)) { - addr += PMD_SIZE; + addr = pmd_addr_end(addr, end); continue; } pte = pte_offset_kernel(pmd, addr); clear_pte_entry(kvm, pte, addr); - range = PAGE_SIZE; + next = addr + PAGE_SIZE; /* If we emptied the pte, walk back up the ladder */ if (pte_empty(pte)) { clear_pmd_entry(kvm, pmd, addr); - range = PMD_SIZE; + next = pmd_addr_end(addr, end); if (pmd_empty(pmd)) { clear_pud_entry(kvm, pud, addr); - range = PUD_SIZE; + next = pud_addr_end(addr, end); } } - addr += range; + addr = next; } }
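Review bot: the new `addr = pud_addr_end(addr, end);` and `addr = pmd_addr_end(addr, end);` assignments (and the two `next = ..._addr_end(addr, end);` lines further down) pass 64-bit values through helpers whose operand width is not visible in this hunk. `addr` and `end` are declared `unsigned long long` and `next` is `u64`, so if these helpers compute the boundary in `unsigned long`, a 32-bit build would truncate any address above 4 GiB and the loop could either stop early or revisit the same range. Please confirm the helpers preserve the full width here, or use a variant that takes a 64-bit address, and say so in the commit message. A smaller point on the declarations: `unsigned long long addr ... end` next to `u64 next` mixes two spellings of the same width, and using one type for all three would make the intent clearer. It would also help to add a short comment at the `if (pte_empty(pte))` block stating that skipping to the next pmd or pud boundary is safe because the table just cleared covered the rest of that range.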