git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	David Hildenbrand <david@redhat.com>
	Thu, 23 Mar 2017 17:24:19 +0000 (18:24 +0100)
committer	Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
	Thu, 27 Apr 2017 13:03:55 +0000 (10:03 -0300)
commit	d2127320064055bb1d7a1f75736cc33725d8b9bd
tree	7cf4495aee18e1b286069b9ef51ce17502f5dae9	tree
parent	d90c4fb70c63651b498725024f4d31ec22169d92	commit \| diff

KVM: kvm_io_bus_unregister_dev() should never fail

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.

No caller currently checks the return value of
kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
freeing their device. A stale reference will remain in the io_bus,
getting at least used again, when the iobus gets teared down on
kvm_destroy_vm() - leading to use after free errors.

There is nothing the callers could do, except retrying over and over
again.

So let's simply remove the bus altogether, print an error and make
sure no one can access this broken bus again (returning -ENOMEM on any
attempt to access it).

Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

include/linux/kvm_host.h		diff \| blob \| blame \| history
virt/kvm/eventfd.c		diff \| blob \| blame \| history
virt/kvm/kvm_main.c		diff \| blob \| blame \| history