Avi Kivity wrote:
> Gregory Haskins wrote:
>
>> +int
>> +kvm_irqfd(struct kvm *kvm, int gsi, int flags)
>> +{
>> + struct _irqfd *irqfd;
>> + struct file *file = NULL;
>> + int fd = -1;
>> + int ret;
>> +
>> + irqfd = kzalloc(sizeof(*irqfd), GFP_KERNEL);
>> + if (!irqfd)
>> + return -ENOMEM;
>> +
>> + irqfd->kvm = kvm;
>>
>
> You need to increase the refcount on struct kvm here. Otherwise evil
> userspace will create an irqfd, close the vm and vcpu fds, and inject
> an interrupt.

I just reviewed the code in prep for v5, and now I remember why I didn't
take a reference: I designed it the opposite direction: the vm-fd owns a
reference to the irqfd, and will decouple the kvm context from the eventfd
on shutdown (see kvm_irqfd_release()).

I still need to spin a v5 regardless in order to add the padding as
previously discussed. But let me know if you still see any holes in light
of this alternate object lifetime approach I am using.

-Greg
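Review bot: the line `irqfd->kvm = kvm;` stores a raw pointer to the VM with no reference taken, and nothing in this hunk shows what keeps that pointer valid; the reply describes the inverse ownership (the vm fd owns the irqfd and kvm_irqfd_release() decouples it on shutdown), but that scheme is invisible here, so a comment at the assignment stating that `irqfd->kvm` is only valid until kvm_irqfd_release() clears it would make the lifetime rule reviewable in the diff itself. The same decoupling needs to be ordered against a wakeup that may already be in flight on the eventfd, so the release path should clear or synchronize on `irqfd->kvm` under a lock (or an equivalent barrier) before the VM is torn down, otherwise the injection path can still dereference the stale pointer; it would also help to see kvm_irqfd_release() and the `gsi`/`flags` handling in the same patch so the two halves of the ownership model are reviewed together.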