From 63959e339e3204f539c71a03ff44ca2ffe42644f Mon Sep 17 00:00:00 2001 From: ZhangPeng Date: Tue, 9 Apr 2024 17:03:34 +0800 Subject: [PATCH] KVM: arm64: vgic-its: use vgic_get_irq_kref() before vgic_put_irq() hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9F8AD -------------------------------- Commit 1a8251a1520f ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache") fixes the UAF problem of the general path, but does not fix the UAF problem of multiple LPI translation caches. Fix UAF issue with vgic_get_irq_kref() in multiple LPI translation cache path before vgic_put_irq(). Fixes: 1a8251a1520f ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache") Suggested-by: Jia Qingtong Signed-off-by: ZhangPeng --- arch/arm64/kvm/vgic/vgic-its.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c index d095bab1eeae..a22649011233 100644 --- a/arch/arm64/kvm/vgic/vgic-its.c +++ b/arch/arm64/kvm/vgic/vgic-its.c @@ -642,6 +642,9 @@ static struct vgic_irq *vgic_its_check_cache(struct kvm *kvm, phys_addr_t db, raw_spin_lock_irqsave(&dist->lpi_translation_cache[cacheid].lpi_cache_lock, flags); irq = __vgic_its_check_cache(dist, db, devid, eventid, cacheid); + if (irq) + vgic_get_irq_kref(irq); + raw_spin_unlock_irqrestore(&dist->lpi_translation_cache[cacheid].lpi_cache_lock, flags); #else raw_spin_lock_irqsave(&dist->lpi_list_lock, flags); -- Gitee
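Review bot: the third added line in this hunk is empty, sitting between `vgic_get_irq_kref(irq);` and `raw_spin_unlock_irqrestore(&dist->lpi_translation_cache[cacheid].lpi_cache_lock, flags);`; drop it so the get is taken directly above the unlock, matching the shape of the general path fixed by 1a8251a1520f. The placement itself is correct: the reference must be taken while lpi_cache_lock is still held, otherwise the cache entry can be replaced and the irq freed between the lookup and the caller's vgic_put_irq(), which is exactly the use-after-free the commit message describes. Because the return value of vgic_its_check_cache() now carries a counted reference on this CONFIG path as well, the commit message should state that every caller already releases it with vgic_put_irq(); a caller that does not would now leak the reference. Also consider pointing the Fixes: tag at the hulk commit that introduced the per-cacheid lpi_translation_cache[] path rather than at 1a8251a1520f, which, as the message itself says, only fixed the general path and did not introduce this one.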