On Thu, Feb 21, 2019 at 5:10 AM Sasha Levin <sashal@xxxxxxxxxx> wrote:
>
> On Mon, Feb 18, 2019 at 05:53:28PM +0100, Jann Horn wrote:
> >commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.
> >
> >kvm_ioctl_create_device() does the following:
> >
> >1. creates a device that holds a reference to the VM object (with a borrowed
> > reference, the VM's refcount has not been bumped yet)
> >2. initializes the device
> >3. transfers the reference to the device to the caller's file descriptor table
> >4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
> > reference
> >
> >The ownership transfer in step 3 must not happen before the reference to the VM
> >becomes a proper, non-borrowed reference, which only happens in step 4.
> >After step 3, an attacker can close the file descriptor and drop the borrowed
> >reference, which can cause the refcount of the kvm object to drop to zero.
> >
> >This means that we need to grab a reference for the device before
> >anon_inode_getfd(), otherwise the VM can disappear from under us.
> >
> >Fixes: 852b6d57dc7f ("kvm: add device control API")
> >Cc: stable@xxxxxxxxxx
> >Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
>
> Hi Jann,
>
> You've dropped Paolo's S-O-B line, was it on purpose?
The stable kernel rules don't explicitly say that I'm allowed to keep
other people's sign-off lines when manually submitting backports, so I
removed it to be on the safe side.
