There's a race condition in the PIT emulation code in KVM. In __kvm_migrate_pit_timer the pit_timer object is accessed without synchronization. A local guest user with access to the PIT i/o ports could use this flaw to crash the host. Acknowledgements: Red Hat would like to thank Lars Bull of Google for reporting this issue.
Statement: This issue does affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6 and 7. This issue does affect the kvm packages as shipped with Red Hat Enterprise Linux 5. Future updates may address this issue in the respective Red Hat Enterprise Linux releases.
Upstream patch: http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=2febc839133280d5a5e8e1179c94ea674489dae2
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1156537]
kernel-3.16.6-203.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1724 https://rhn.redhat.com/errata/RHSA-2014-1724.html
IssueDescription: A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host.
kernel-3.17.2-300.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1843 https://rhn.redhat.com/errata/RHSA-2014-1843.html
kernel-3.14.23-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 Via RHSA-2015:0126 https://rhn.redhat.com/errata/RHSA-2015-0126.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only Via RHSA-2015:0284 https://rhn.redhat.com/errata/RHSA-2015-0284.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2015:0869 https://rhn.redhat.com/errata/RHSA-2015-0869.html