| Message ID | 1423674872-10676-4-git-send-email-pbonzini@redhat.com |
|---|---|
| State | New |
| Headers | show |
Quoting Paolo Bonzini (2015-02-11 11:14:32) > This fixes a use-after-free if do_address_space_destroy is executed > too late. > > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Looks like this did the trick for me. Haven't been able to reproduce for a couple hours. Thanks! Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com> > --- > memory.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/memory.c b/memory.c > index 130152c..20f6d9e 100644 > --- a/memory.c > +++ b/memory.c > @@ -1943,6 +1943,7 @@ void memory_listener_unregister(MemoryListener *listener) > > void address_space_init(AddressSpace *as, MemoryRegion *root, const char *name) > { > + memory_region_ref(root); > memory_region_transaction_begin(); > as->root = root; > as->current_map = g_new(FlatView, 1); > @@ -1969,10 +1970,13 @@ static void do_address_space_destroy(AddressSpace *as) > flatview_unref(as->current_map); > g_free(as->name); > g_free(as->ioeventfds); > + memory_region_unref(as->root); > } > > void address_space_destroy(AddressSpace *as) > { > + MemoryRegion *root = as->root; > + > /* Flush out anything from MemoryListeners listening in on this */ > memory_region_transaction_begin(); > as->root = NULL; > @@ -1984,6 +1988,7 @@ void address_space_destroy(AddressSpace *as) > * entries that the guest should never use. Wait for the old > * values to expire before freeing the data. > */ > + as->root = root; > call_rcu(as, do_address_space_destroy, rcu); > } > > -- > 1.8.3.1
diff --git a/memory.c b/memory.c index 130152c..20f6d9e 100644 --- a/memory.c +++ b/memory.c @@ -1943,6 +1943,7 @@ void memory_listener_unregister(MemoryListener *listener) void address_space_init(AddressSpace *as, MemoryRegion *root, const char *name) { + memory_region_ref(root); memory_region_transaction_begin(); as->root = root; as->current_map = g_new(FlatView, 1); @@ -1969,10 +1970,13 @@ static void do_address_space_destroy(AddressSpace *as) flatview_unref(as->current_map); g_free(as->name); g_free(as->ioeventfds); + memory_region_unref(as->root); } void address_space_destroy(AddressSpace *as) { + MemoryRegion *root = as->root; + /* Flush out anything from MemoryListeners listening in on this */ memory_region_transaction_begin(); as->root = NULL; @@ -1984,6 +1988,7 @@ void address_space_destroy(AddressSpace *as) * entries that the guest should never use. Wait for the old * values to expire before freeing the data. */ + as->root = root; call_rcu(as, do_address_space_destroy, rcu); }
This fixes a use-after-free if do_address_space_destroy is executed too late. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> --- memory.c | 5 +++++ 1 file changed, 5 insertions(+)