--- /dev/null
+From 594b27e677b35f9734b1969d175ebc6146741109 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 5 May 2021 23:48:17 +0200
+Subject: KVM: x86: Cancel pvclock_gtod_work on module removal
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 594b27e677b35f9734b1969d175ebc6146741109 upstream.
+
+Nothing prevents the following:
+
+ pvclock_gtod_notify()
+ queue_work(system_long_wq, &pvclock_gtod_work);
+ ...
+ remove_module(kvm);
+ ...
+ work_queue_run()
+ pvclock_gtod_work() <- UAF
+
+Ditto for any other operation on that workqueue list head which touches
+pvclock_gtod_work after module removal.
+
+Cancel the work in kvm_arch_exit() to prevent that.
+
+Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6016,6 +6016,7 @@ void kvm_arch_exit(void)
+ unregister_hotcpu_notifier(&kvmclock_cpu_notifier_block);
+ #ifdef CONFIG_X86_64
+ pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier);
++ cancel_work_sync(&pvclock_gtod_work);
+ #endif
+ kvm_x86_ops = NULL;
+ kvm_mmu_module_exit();
projects / thirdparty / kernel / stable-queue.git / commitdiff
