From patchwork Wed Jul 11 16:09:33 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: KVM: fix backport of 3e51570 on hardy Date: Wed, 11 Jul 2012 06:09:33 -0000 From: Herton Ronaldo Krzesinski X-Patchwork-Id: 170488 Message-Id: <1342022973-6783-1-git-send-email-herton.krzesinski@canonical.com> To: kernel-team@lists.ubuntu.com CVE-2012-1601 BugLink: http://bugs.launchpad.net/bugs/971685 John Johansen reported that our backport of 3e51570 ("KVM: Ensure all vcpus are consistent with in-kernel irqchip settings") has a bug, and suggested possible fixes. We increment kvm->online_vcpus, but not decrement it in the case create_vcpu_fd fails, which could cause issues if it fails and vm is not destroyed after (counter will be out of sync). In the upstream change this is not a problem since the increment is done after create_vcpu_fd is called. The solution chosen here is to just decrement it on the failure path. Reported-by: John Johansen Signed-off-by: Herton Ronaldo Krzesinski Reported-by: Sasha Levin --- virt/kvm/kvm_main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index d9a8ae0..61c18ba 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -823,6 +823,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, int n) unlink: mutex_lock(&kvm->lock); kvm->vcpus[n] = NULL; + atomic_dec(&kvm->online_vcpus); vcpu_destroy: mutex_unlock(&kvm->lock); kvm_arch_vcpu_destroy(vcpu);
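Review bot: The new `atomic_dec(&kvm->online_vcpus)` only balances the earlier increment on error paths that jump to the `unlink` label; the `vcpu_destroy` label that follows it skips the decrement, so every failure that jumps straight to `vcpu_destroy` must occur before `online_vcpus` was incremented, and the hunk does not show where the create_vcpu_fd failure actually jumps. Please confirm in the full function that the create_vcpu_fd failure path lands on `unlink` (and that no post-increment failure lands on `vcpu_destroy`), or take the upstream 3e51570 approach the commit message describes and move the increment after create_vcpu_fd succeeds, which removes the need for any unwind. The decrement is placed under `kvm->lock`, which matches the `kvm->vcpus[n] = NULL` it follows, but because the slot is cleared before the counter drops, any reader that walks `online_vcpus` entries without holding `kvm->lock` can briefly see a NULL `vcpus[n]`; worth stating in the commit message that all such walks take the lock. Minor: the trailing `Reported-by: Sasha Levin` tag sits after the `Signed-off-by` and should be grouped with the other `Reported-by` above it.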