Commit 716cb116 authored by Alexey Kardashevskiy, committed by Paul Mackerras

KVM: PPC: Book3S: Improve KVM reference counting

The anon fd's ops releases the KVM reference in the release hook.
However we reference the KVM object after we create the fd, so there is
a small window when the release function can be called and
dereference the KVM object, which potentially may free it.

It is not a problem at the moment as the file is created and KVM is
referenced under the KVM lock and the release function obtains the same
lock before dereferencing the KVM (although the lock is not held when
calling kvm_put_kvm()), but it is potentially fragile against future changes.

This references the KVM object before creating a file.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Parent e40542af
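The ordering problem the commit message describes, as an added userspace model that is not part of the kernel or of this patch: a refcounted object stands in for struct kvm, a handle whose release hook drops one reference stands in for the anon fd, and the two orderings (reference taken after the handle exists, as before the patch; reference taken before, as after it) are run against a simulated early release. All names here (obj, handle_create, object_outcome) are hypothetical.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy refcounted object; stands in for struct kvm in this constructed model. */
struct obj {
    int refcount;
    bool freed;          /* set once the last reference is dropped */
};

static void obj_get(struct obj *o) { o->refcount++; }

/* Drop a reference; the object is "freed" when the count reaches zero. */
static void obj_put(struct obj *o)
{
    assert(o->refcount > 0);
    if (--o->refcount == 0)
        o->freed = true;
}

/* A handle whose release hook owns one reference, like the anon fd's fops. */
struct handle {
    struct obj *owner;
};

/* Hypothetical stand-in for anon_inode_getfd(): may fail, like the real call. */
static int handle_create(struct handle *h, struct obj *o, bool fail)
{
    if (fail)
        return -1;
    h->owner = o;
    return 0;
}

/* Release hook: drops the reference the handle is assumed to own. */
static void handle_release(struct handle *h) { obj_put(h->owner); }

/*
 * Run one ordering and report the outcome.
 *   get_before_create: take the reference before the handle exists (the fix).
 *   release_early:     another thread closes the handle before the old-style
 *                      obj_get() below runs (the window the commit describes).
 *   create_fails:      handle creation fails, exercising the error path.
 * Returns the caller's remaining refcount, or -1 if the object was freed
 * while the caller still held its own reference.
 */
static int object_outcome(bool get_before_create, bool release_early,
                          bool create_fails)
{
    struct obj o = { .refcount = 1, .freed = false }; /* the caller's own ref */
    struct handle h;

    if (get_before_create)
        obj_get(&o);                     /* fixed order: ref owned by the fd */

    if (handle_create(&h, &o, create_fails) < 0) {
        if (get_before_create)
            obj_put(&o);                 /* balance the early get on failure */
        return o.freed ? -1 : o.refcount;
    }

    if (release_early)
        handle_release(&h);              /* drops a ref nobody has taken yet */

    if (!get_before_create)
        obj_get(&o);                     /* old order: too late if released */

    if (!release_early)
        handle_release(&h);

    return o.freed ? -1 : o.refcount;
}

int main(void)
{
    printf("old order, early release: %d\n", object_outcome(false, true, false));
    printf("new order, early release: %d\n", object_outcome(true, true, false));
    printf("new order, create fails:  %d\n", object_outcome(true, false, true));
    return 0;
}
```

With the old order an early release drives the caller's only reference to zero (result -1), while the new order leaves the caller's reference intact in every case, including the failure path where the early get is balanced by a put.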
...@@ -337,14 +337,15 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm, ...@@ -337,14 +337,15 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
} }
} }
kvm_get_kvm(kvm);
if (!ret) if (!ret)
ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops, ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
stt, O_RDWR | O_CLOEXEC); stt, O_RDWR | O_CLOEXEC);
if (ret >= 0) { if (ret >= 0)
list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables); list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
kvm_get_kvm(kvm); else
} kvm_put_kvm(kvm);
mutex_unlock(&kvm->lock); mutex_unlock(&kvm->lock);
......
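Review bot: in the new else branch, kvm_put_kvm(kvm) runs while kvm->lock is still held and mutex_unlock(&kvm->lock) follows it, which is only safe because the ioctl caller holds its own reference on the VM so the count cannot reach zero here; consider moving the put after the unlock, or adding a comment stating that dependency, so a future caller without its own reference is not left unlocking freed memory. The same else branch also fires when ret was already negative before the anon_inode_getfd() call, so the early kvm_get_kvm(kvm) is balanced on both failure paths; a one-line comment above it saying that the fd's release hook owns this reference would make the get/put pairing obvious to the next reader.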