git.baikalelectronics.ru Git - kernel.git/commit

author	David Hildenbrand <david@redhat.com>
	Thu, 23 Mar 2017 17:24:19 +0000 (18:24 +0100)
committer	Paolo Bonzini <pbonzini@redhat.com>
	Thu, 23 Mar 2017 18:02:25 +0000 (19:02 +0100)
commit	6b5dc20cfb68685e8715c438a39470c8db8d3ab0
tree	601dc6a684ee2cefe60dcf57ce13dc8472f2511e	tree \| snapshot
parent	ad3fc8f7e033f9af82e2a79d1bb969e4dadb803e	commit \| diff

KVM: kvm_io_bus_unregister_dev() should never fail

No caller currently checks the return value of
kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
freeing their device. A stale reference will remain in the io_bus,
getting at least used again, when the iobus gets teared down on
kvm_destroy_vm() - leading to use after free errors.

There is nothing the callers could do, except retrying over and over
again.

So let's simply remove the bus altogether, print an error and make
sure no one can access this broken bus again (returning -ENOMEM on any
attempt to access it).

Fixes: c365fb359442 ("KVM: convert io_bus to SRCU")
Cc: stable@vger.kernel.org # 3.4+
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

include/linux/kvm_host.h		diff \| blob \| history
virt/kvm/eventfd.c		diff \| blob \| history
virt/kvm/kvm_main.c		diff \| blob \| history