[PATCH 3/5] KVM: mips: Grab MMU lock in kvm_arch_flush_shadow_all()

James Houghton jthoughton at google.com
Mon May 4 15:42:10 PDT 2026


kvm_mips_flush_gpa_pt() expects the MMU lock to be held; it is not in
this path.

This can lead to a double-free of page table entries if
kvm_arch_flush_shadow_all() is called twice on the same `kvm`
concurrently; such a scenario is possible.

Cc: stable at vger.kernel.org
Fixes: b62091108633 ("KVM: MIPS: Implement kvm_arch_flush_shadow_all/memslot")
Signed-off-by: James Houghton <jthoughton at google.com>
---
Note: This is compile-tested only!

 arch/mips/kvm/mips.c | 2 ++
 arch/mips/kvm/mmu.c  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
index a53abbba43ea..463b6c4aa62c 100644
--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -180,6 +180,8 @@ long kvm_arch_dev_ioctl(struct file *filp, unsigned int ioctl,
 
 void kvm_arch_flush_shadow_all(struct kvm *kvm)
 {
+	guard(spinlock)(&kvm->mmu_lock);
+
 	/* Flush whole GPA */
 	kvm_mips_flush_gpa_pt(kvm, 0, ~0);
 	kvm_flush_remote_tlbs(kvm);
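Review bot: the `guard(spinlock)` at the top of kvm_arch_flush_shadow_all() keeps kvm->mmu_lock held across kvm_flush_remote_tlbs() as well, not just across the page-table walk in kvm_mips_flush_gpa_pt() that the commit message says needs it. If the intent is only to protect the PTE teardown, a narrower scope such as `scoped_guard(spinlock, &kvm->mmu_lock) kvm_mips_flush_gpa_pt(kvm, 0, ~0);` followed by the TLB flush outside the lock would make that explicit; if holding the lock over the remote flush is deliberate (to match the other flush paths), a one-line comment saying so would save the next reader the question.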
diff --git a/arch/mips/kvm/mmu.c b/arch/mips/kvm/mmu.c
index d2c3b6b41f18..5045833f8116 100644
--- a/arch/mips/kvm/mmu.c
+++ b/arch/mips/kvm/mmu.c
@@ -269,6 +269,8 @@ static bool kvm_mips_flush_gpa_pgd(pgd_t *pgd, unsigned long start_gpa,
  */
 bool kvm_mips_flush_gpa_pt(struct kvm *kvm, gfn_t start_gfn, gfn_t end_gfn)
 {
+	lockdep_assert_held(&kvm->mmu_lock);
+
 	return kvm_mips_flush_gpa_pgd(kvm->arch.gpa_mm.pgd,
 				      start_gfn << PAGE_SHIFT,
 				      end_gfn << PAGE_SHIFT);
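Review bot: the new lockdep_assert_held() turns the locking contract of kvm_mips_flush_gpa_pt() into a runtime check for every caller, but the kerneldoc block that ends just above (` */`) still does not state it; please add the usual `Context: caller must hold @kvm->mmu_lock` line so the requirement is visible without reading the body. Since the cover note says this series is compile-tested only, this hunk in particular wants a run with CONFIG_PROVE_LOCKING through the memslot delete and VM teardown paths, because any remaining caller that does not hold mmu_lock will now splat rather than silently race.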
-- 
2.54.0.545.g6539524ca2-goog