On Mon, Feb 18, 2019 at 05:53:28PM +0100, Jann Horn wrote:
> commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.
>
> kvm_ioctl_create_device() does the following:
>
> 1. creates a device that holds a reference to the VM object (with a borrowed
>    reference, the VM's refcount has not been bumped yet)
> 2. initializes the device
> 3. transfers the reference to the device to the caller's file descriptor table
> 4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
>    reference
>
> The ownership transfer in step 3 must not happen before the reference to the VM
> becomes a proper, non-borrowed reference, which only happens in step 4.
> After step 3, an attacker can close the file descriptor and drop the borrowed
> reference, which can cause the refcount of the kvm object to drop to zero.
>
> This means that we need to grab a reference for the device before
> anon_inode_getfd(), otherwise the VM can disappear from under us.
>
> Fixes: 852b6d57dc7f ("kvm: add device control API")
> Cc: stable@xxxxxxxxxx
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
> ---
>  virt/kvm/kvm_main.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Now queued up, thanks.

greg k-h
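The ordering problem the commit message describes, modelled in plain userspace C as an added example. This is not kvm code and not part of the patch: `struct vm`, `struct device`, `vm_get()`/`vm_put()`, `device_release()` and `fd_install()` are invented stand-ins for the kvm object, `kvm_get_kvm()`/`kvm_put_kvm()` and `anon_inode_getfd()`, and the "hostile caller" flag makes the race deterministic by having userspace close the fd the instant it is installed. The buggy function keeps the original step order (install, then take the reference); the fixed one takes the reference before the fd becomes visible and drops it again if installation fails.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model (not kvm code): a refcounted "VM", a "device" that points at it,
 * and an fd-table install that hands ownership of the device to userspace.
 * Once userspace owns the fd it may close() it at any time, and close()
 * drops the device's reference to the VM.
 */

struct vm {
    int  refcount;
    bool freed;          /* set when refcount hits zero (the kernel would kfree) */
};

struct device {
    struct vm *owner;    /* only a real, counted reference after vm_get() */
};

static void vm_get(struct vm *vm)
{
    vm->refcount++;
}

static void vm_put(struct vm *vm)
{
    if (--vm->refcount == 0)
        vm->freed = true;
}

/* The fd's release hook: drop the device's reference to the VM. */
static void device_release(struct device *dev)
{
    vm_put(dev->owner);
    free(dev);
}

/*
 * Stand-in for anon_inode_getfd(). Returns 0 on success, -1 if the simulated
 * fd allocation fails. With hostile_caller set, userspace closes the new fd
 * immediately, i.e. before the creator gets to run anything after install.
 */
static int fd_install(struct device *dev, bool hostile_caller, bool alloc_fails)
{
    if (alloc_fails)
        return -1;
    if (hostile_caller)
        device_release(dev);   /* close() races the rest of device creation */
    return 0;
}

/*
 * Original order: install first (step 3), take the reference afterwards
 * (step 4). Returns true if the VM had already been freed by the time the
 * creator tried to turn its borrowed reference into a real one.
 */
static bool create_device_buggy(struct vm *vm, bool hostile_caller)
{
    struct device *dev = calloc(1, sizeof(*dev));
    dev->owner = vm;                       /* borrowed: refcount not bumped */

    if (fd_install(dev, hostile_caller, false) < 0) {
        free(dev);
        return false;
    }
    bool use_after_free = vm->freed;       /* hostile close() already ran */
    vm_get(vm);                            /* step 4: touches freed memory */
    return use_after_free;
}

/*
 * Fixed order: take the reference before the fd exists, so a close() can
 * only drop it back to the caller's own reference. On install failure the
 * reference is released again, since no fd will ever own it.
 */
static bool create_device_fixed(struct vm *vm, bool hostile_caller, bool alloc_fails)
{
    struct device *dev = calloc(1, sizeof(*dev));
    dev->owner = vm;
    vm_get(vm);                            /* proper reference first */

    if (fd_install(dev, hostile_caller, alloc_fails) < 0) {
        vm_put(vm);                        /* undo the reference we took */
        free(dev);
        return false;
    }
    return vm->freed;                      /* stays false: close() leaves >= 1 */
}

int main(void)
{
    struct vm a = { .refcount = 1, .freed = false };   /* caller holds the VM fd */
    printf("buggy order, hostile close: use-after-free=%d\n",
           create_device_buggy(&a, true));

    struct vm b = { .refcount = 1, .freed = false };
    printf("fixed order, hostile close: use-after-free=%d refcount=%d\n",
           create_device_fixed(&b, true, false), b.refcount);
    return 0;
}
```

In the non-hostile success paths the device is deliberately not freed: it now belongs to the fd table, which is exactly the ownership transfer the commit message is about.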