kvm: fix page struct leak in handle_vmon

commit 06ce521af9558814b8606c0476c54497cf83a653 upstream.

handle_vmon gets a reference on VMXON region page,
but does not release it. Release the reference.

Found by syzkaller; based on a patch by Dmitry.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: use skip_emulated_instruction()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 8 insertions, 2 deletions

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 69b8f8a5ecb0..43b55ef82bac 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6925,14 +6925,20 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
                 }
 
                 page = nested_get_page(vcpu, vmptr);
-                if (page == NULL ||
-                    *(u32 *)kmap(page) != VMCS12_REVISION) {
+                if (page == NULL) {
                         nested_vmx_failInvalid(vcpu);
+                        skip_emulated_instruction(vcpu);
+                        return 1;
+                }
+                if (*(u32 *)kmap(page) != VMCS12_REVISION) {
                         kunmap(page);
+                        nested_release_page_clean(page);
+                        nested_vmx_failInvalid(vcpu);
                         skip_emulated_instruction(vcpu);
                         return 1;
                 }
                 kunmap(page);
+                nested_release_page_clean(page);
                 vmx->nested.vmxon_ptr = vmptr;
                 break;
         case EXIT_REASON_VMCLEAR: