From mboxrd@z Thu Jan 1 00:00:00 1970 From: Avi Kivity Subject: Re: [PATCH 5/8] KVM: Add kvm_get_irq_routing_entry() func Date: Wed, 20 Oct 2010 10:53:02 +0200 Message-ID: <4CBEADEE.2010408@redhat.com> References: <1287563192-29685-1-git-send-email-sheng@linux.intel.com> <1287563192-29685-6-git-send-email-sheng@linux.intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Marcelo Tosatti , kvm@vger.kernel.org, "Michael S. Tsirkin" To: Sheng Yang Return-path: Received: from mx1.redhat.com ([209.132.183.28]:44505 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750879Ab0JTIxH (ORCPT ); Wed, 20 Oct 2010 04:53:07 -0400 In-Reply-To: <1287563192-29685-6-git-send-email-sheng@linux.intel.com> Sender: kvm-owner@vger.kernel.org List-ID: On 10/20/2010 10:26 AM, Sheng Yang wrote: > We need to query the entry later. > > > +struct kvm_kernel_irq_routing_entry *kvm_get_irq_routing_entry(struct kvm *kvm, > + int gsi) > +{ > + int count = 0; > + struct kvm_kernel_irq_routing_entry *ei = NULL; > + struct kvm_irq_routing_table *irq_rt; > + struct hlist_node *n; > + > + rcu_read_lock(); > + irq_rt = rcu_dereference(kvm->irq_routing); > + if (gsi< irq_rt->nr_rt_entries) > + hlist_for_each_entry(ei, n,&irq_rt->map[gsi], link) > + count++; > + rcu_read_unlock(); > + if (count == 1) > + return ei; > + > + return NULL; > +} > + I believe this is incorrect rcu usage. rcu_read_lock() prevents ei from being destroyed under us, but rcu_read_unlock() removes that protection, and a future dereference of ei may access freed memory. -- error compiling committee.c: too many arguments to function
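Review bot: kvm_get_irq_routing_entry() returns ei after rcu_read_unlock(), so the pointer leaves the read-side critical section that protected it, and any caller dereference can race with the routing table being freed. Either document that the caller must hold rcu_read_lock() across both the call and every use of the result, and drop the lock/unlock pair from this function, or copy the entry into a caller-supplied struct kvm_kernel_irq_routing_entry before rcu_read_unlock() and return a status code instead of a pointer. Two smaller points in the same hunk: gsi is declared int and is only checked with `gsi < irq_rt->nr_rt_entries`, so a negative value is not rejected explicitly; whether it passes depends on the type of nr_rt_entries, which is not visible here, and making gsi unsigned or adding a `gsi >= 0` check removes the doubt. The function also returns NULL both when no entry maps to the GSI and when more than one does (count != 1), and relies on ei still pointing at the last entry visited after hlist_for_each_entry() finishes; a comment stating the "exactly one entry" contract, plus saving the match in a separate variable inside the loop, would make that intent explicit.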