From: Takuya Yoshikawa yoshikawa.tak...@oss.ntt.co.jp
In KVM_CREATE_IRQCHIP, kvm_io_bus_unregister_dev() is called without taking
slots_lock in the error handling path.
Signed-off-by: Takuya Yoshikawa yoshikawa.tak...@oss.ntt.co.jp
---
arch/ia64/kvm/kvm-ia64.c |2 ++
arch/x86/kvm/x86.c |4
2 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/arch/ia64/kvm/kvm-ia64.c b/arch/ia64/kvm/kvm-ia64.c
index 48a48bd..70d224d 100644
--- a/arch/ia64/kvm/kvm-ia64.c
+++ b/arch/ia64/kvm/kvm-ia64.c
@@ -951,7 +951,9 @@ long kvm_arch_vm_ioctl(struct file *filp,
goto out;
r = kvm_setup_default_irq_routing(kvm);
if (r) {
+ mutex_lock(kvm-slots_lock);
kvm_ioapic_destroy(kvm);
+ mutex_unlock(kvm-slots_lock);
goto out;
}
break;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 8d76150..3113aaf 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3308,8 +3308,10 @@ long kvm_arch_vm_ioctl(struct file *filp,
if (vpic) {
r = kvm_ioapic_init(kvm);
if (r) {
+ mutex_lock(kvm-slots_lock);
kvm_io_bus_unregister_dev(kvm, KVM_PIO_BUS,
vpic-dev);
+ mutex_unlock(kvm-slots_lock);
kfree(vpic);
goto create_irqchip_unlock;
}
@@ -3320,10 +3322,12 @@ long kvm_arch_vm_ioctl(struct file *filp,
smp_wmb();
r = kvm_setup_default_irq_routing(kvm);
if (r) {
+ mutex_lock(kvm-slots_lock);
mutex_lock(kvm-irq_lock);
kvm_ioapic_destroy(kvm);
kvm_destroy_pic(kvm);
mutex_unlock(kvm-irq_lock);
+ mutex_unlock(kvm-slots_lock);
}
create_irqchip_unlock:
mutex_unlock(kvm-lock);
--
1.7.1
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
