[Lucid][CVE-2014-3611] KVM: x86: Improve thread safety in pit

Luis Henriques luis.henriques at canonical.com
Tue Dec 2 10:16:51 UTC 2014


From: Andy Honig <ahonig at google.com>

There's a race condition in the PIT emulation code in KVM.  In
__kvm_migrate_pit_timer the pit_timer object is accessed without
synchronization.  If the race condition occurs at the wrong time this
can crash the host kernel.

This fixes CVE-2014-3611.

Cc: stable at vger.kernel.org
Signed-off-by: Andrew Honig <ahonig at google.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
(backported from commit 2febc839133280d5a5e8e1179c94ea674489dae2)
CVE-2014-3611
BugLink: http://bugs.launchpad.net/bugs/1384540
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 arch/x86/kvm/i8254.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 7e361b4d2a8c..3fae9cd67a1b 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -256,8 +256,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
 		return;
 
 	timer = &pit->pit_state.pit_timer.timer;
+	mutex_lock(&pit->pit_state.lock);
 	if (hrtimer_cancel(timer))
 		hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
+	mutex_unlock(&pit->pit_state.lock);
 }
 
 static void destroy_pit_timer(struct kvm_timer *pt)
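Review bot: the new mutex_lock(&pit->pit_state.lock) is held across hrtimer_cancel(), which waits for an in-flight timer callback to finish, so this is deadlock-free only if the PIT timer callback never takes pit_state.lock itself; the commit message should state that explicitly, and should also note that __kvm_migrate_pit_timer now sleeps (a mutex, not a spinlock), so every caller must be in process context. Minor: taking the address on the line `timer = &pit->pit_state.pit_timer.timer;` before the lock is harmless, but moving the mutex_lock() above it would make the critical section easier to read.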
-- 
2.1.0