diff options
author | Andy Honig <ahonig@google.com> | 2014-08-27 14:42:54 -0700 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2014-11-05 20:27:47 +0000 |
commit | 30a340f59414f02434e8b7a880241b2bd657cb7b (patch) | |
tree | 27be63c790716b35c6af1337c97e4f41fe9e7364 | |
parent | 76715b56c6fcdafae8d47d4fcfe8c940e76f0553 (diff) |
KVM: x86: Improve thread safety in pit
commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream.
There's a race condition in the PIT emulation code in KVM. In
__kvm_migrate_pit_timer the pit_timer object is accessed without
synchronization. If the race condition occurs at the wrong time this
can crash the host kernel.
This fixes CVE-2014-3611.
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- | arch/x86/kvm/i8254.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c index 139415e2c5bf..cced57f8b23b 100644 --- a/arch/x86/kvm/i8254.c +++ b/arch/x86/kvm/i8254.c @@ -264,8 +264,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu) return; timer = &pit->pit_state.pit_timer.timer; + mutex_lock(&pit->pit_state.lock); if (hrtimer_cancel(timer)) hrtimer_start_expires(timer, HRTIMER_MODE_ABS); + mutex_unlock(&pit->pit_state.lock); } static void destroy_pit_timer(struct kvm_pit *pit) |