KVM: x86: Improve thread safety in pit Message-id: <20150225140144.GA17891@localhost.localdomain> Patchwork-id: 63936 O-Subject: [RHEL5.11.z PATCH CVE-2014-3611] KVM: x86: Improve thread safety in pit Bugzilla: 1152985 RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com> RH-Acked-by: Andrew Jones <drjones@redhat.com> RH-Acked-by: Radim Krcmar <rkrcmar@redhat.com> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1152985 CVE: CVE-2014-3611 Brew build: https://brewweb.devel.redhat.com/taskinfo?taskID=8779284 Upstream status: 2febc839133280d5a5e8e1179c94ea674489dae2 Testing: Only compile-tested commit 2febc839133280d5a5e8e1179c94ea674489dae2 Author: Andy Honig <ahonig@google.com> Date: Wed Aug 27 14:42:54 2014 -0700 KVM: x86: Improve thread safety in pit There's a race condition in the PIT emulation code in KVM. In __kvm_migrate_pit_timer the pit_timer object is accessed without synchronization. If the race condition occurs at the wrong time this can crash the host kernel. This fixes CVE-2014-3611. Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Frantisek Hrbata <fhrbata@redhat.com> --- arch/x86/kvm/i8254.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c index 229b30a..6c1f8b7 100644 --- a/arch/x86/kvm/i8254.c +++ b/arch/x86/kvm/i8254.c @@ -259,8 +259,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu) return; timer = &pit->pit_state.pit_timer.timer; + mutex_lock(&pit->pit_state.lock); if (hrtimer_cancel(timer)) hrtimer_start_expires(timer, HRTIMER_MODE_ABS); + mutex_unlock(&pit->pit_state.lock); } static void destroy_pit_timer(struct kvm_kpit_timer *pt)
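Review bot: the two added lines in __kvm_migrate_pit_timer() take pit->pit_state.lock, which is a mutex, around hrtimer_cancel() and hrtimer_start_expires(), so this path must be sleepable; that is already true, because hrtimer_cancel() itself may sleep waiting for a running callback, so the mutex adds no new context constraint. What it does add is a deadlock condition: if the PIT hrtimer callback in this tree ever takes pit_state.lock, hrtimer_cancel() under the mutex will wait forever for a callback that is blocked on the same mutex. Since the header says the backport is only compile-tested, it is worth confirming in this tree's pit timer function that the callback never takes the mutex, and running a guest with its vcpu repeatedly re-pinned across host CPUs (which forces the timer migration path) while the guest reprograms the PIT. Computing `timer = &pit->pit_state.pit_timer.timer;` before the lock is fine, as it is just the address of an embedded field, not a pointer read that the lock needs to protect.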