On Mon, Nov 01, 2010 at 05:03:44PM +0800, Xiao Guangrong wrote:
> In kvm_async_pf_wakeup_all(), we add a dummy apf to vcpu->async_pf.done
> without holding vcpu->async_pf.lock, it will break if we are handling apfs
> at this time.
> This should never happen to well behaved guest, but malicious guest can do it on purpose.
> Also use 'list_empty_careful()' instead of 'list_empty()'
>
> Signed-off-by: Xiao Guangrong <xiaoguangrong@xxxxxxxxxxxxxx>
Acked-by: Gleb Natapov <gleb@xxxxxxxxxx>
> ---
> virt/kvm/async_pf.c | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c
> index d57ec92..6ef3373 100644
> --- a/virt/kvm/async_pf.c
> +++ b/virt/kvm/async_pf.c
> @@ -200,7 +200,7 @@ int kvm_async_pf_wakeup_all(struct kvm_vcpu *vcpu)
> {
> struct kvm_async_pf *work;
>
> - if (!list_empty(&vcpu->async_pf.done))
> + if (!list_empty_careful(&vcpu->async_pf.done))
> return 0;
>
> work = kmem_cache_zalloc(async_pf_cache, GFP_ATOMIC);
> @@ -211,7 +211,10 @@ int kvm_async_pf_wakeup_all(struct kvm_vcpu *vcpu)
> get_page(bad_page);
> INIT_LIST_HEAD(&work->queue); /* for list_del to work */
>
> + spin_lock(&vcpu->async_pf.lock);
> list_add_tail(&work->link, &vcpu->async_pf.done);
> + spin_unlock(&vcpu->async_pf.lock);
> +
> vcpu->async_pf.queued++;
> return 0;
> }
> --
> 1.7.0.4

--
Gleb.
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
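Review bot: the list_empty_careful() test in the first hunk is still performed without async_pf.lock, and list_empty_careful() is documented as safe only when the sole concurrent operation on the list is list_del_init(); the second hunk shows this very function doing list_add_tail() on async_pf.done under the lock, so a concurrent add can still race the check. That is tolerable only if a spurious early return (no dummy work queued) or a duplicate dummy entry is harmless, and the commit message should state that rather than just "Also use list_empty_careful()"; otherwise the emptiness check belongs inside the critical section added in the second hunk.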
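Review bot: in the second hunk `vcpu->async_pf.queued++` stays outside the new spin_lock()/spin_unlock() pair, so the lock now serialises the list_add_tail() but not the counter. If .queued is only ever touched from the vcpu thread that is fine, but a one-line comment saying so would keep the next reader from assuming the lock covers it; if it is not, move the increment inside the critical section.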