[PATCH 2/2] kvm: validate irqfd type

From: Gregory Haskins
Date: Wed May 27 2009 - 11:17:24 EST

We should be more vigilant in validating the fd type passed down for use
in irqfd. A malicious userspace could do something nasty like pass the
kvm fd which would cause problems such as a reference leak on the kvm
object on shutdown.

Therefore, we use the eventfd_fget() routine in place of the plain fget()
to at least make sure it's of the proper type.

Reported-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
Signed-off-by: Gregory Haskins <ghaskins@xxxxxxxxxx>

virt/kvm/eventfd.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
index c63ff6a..f3f2ea1 100644
--- a/virt/kvm/eventfd.c
+++ b/virt/kvm/eventfd.c
@@ -27,6 +27,7 @@
#include <linux/poll.h>
#include <linux/file.h>
#include <linux/list.h>
+#include <linux/eventfd.h>

* --------------------------------------------------------------------
@@ -102,7 +103,7 @@ kvm_assign_irqfd(struct kvm *kvm, int fd, int gsi)
* Embed the file* lifetime in the irqfd.
- file = fget(fd);
+ file = eventfd_fget(fd);
if (IS_ERR(file)) {
ret = PTR_ERR(file);
goto fail;
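Review bot: the IS_ERR(file) test directly below the replaced line only becomes a working check with this change, and the commit message should say so. fget() returns NULL on a bad descriptor, and IS_ERR(NULL) is false, so with the old call the "goto fail" branch shown here was never taken for an invalid fd. eventfd_fget() returns an ERR_PTR both for a bad descriptor and for a file that is not an eventfd, which is what makes the existing test meaningful. Since file can now hold an ERR_PTR value when control reaches the fail label, please confirm that the cleanup there (not visible in this hunk) does not call fput() on it.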

