On 10/20/2010 10:26 AM, Sheng Yang wrote:
We need to query the entry later.


+struct kvm_kernel_irq_routing_entry *kvm_get_irq_routing_entry(struct kvm *kvm,
+                                                              int gsi)
+{
+       int count = 0;
+       struct kvm_kernel_irq_routing_entry *ei = NULL;
+       struct kvm_irq_routing_table *irq_rt;
+       struct hlist_node *n;
+
+       rcu_read_lock();
+       irq_rt = rcu_dereference(kvm->irq_routing);
+       if (gsi<  irq_rt->nr_rt_entries)
+               hlist_for_each_entry(ei, n,&irq_rt->map[gsi], link)
+                       count++;
+       rcu_read_unlock();
+       if (count == 1)
+               return ei;
+
+       return NULL;
+}
+
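Review bot: the `return ei` at the end of the function comes after rcu_read_unlock(), so the pointer it hands back is no longer protected; a caller that dereferences it can read an entry freed by a concurrent routing-table update. Either require the caller to hold rcu_read_lock() across both the lookup and its use of the entry (and document that in a comment above the function), or copy the entry's fields into caller-supplied storage while the lock is held and return a status instead of a pointer. Two smaller points: `count` is only used to reject a GSI with more than one routing entry, and since the loop leaves `ei` pointing at the last entry visited, a comment saying that a shared GSI deliberately yields NULL would help; and `gsi` is a signed int compared against `irq_rt->nr_rt_entries`, so if that field is unsigned a negative gsi is rejected only by virtue of integer promotion, which an explicit `gsi < 0` test would make obvious.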

I believe this is incorrect rcu usage. rcu_read_lock() prevents ei from being destroyed under us, but rcu_read_unlock() removes that protection, and a future dereference of ei may access freed memory.

--
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html