packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/system-physmem-Fix-possible-double-free-when-destroy.patch

65 lines
2.0 KiB
Diff
Raw Normal View History

QEMU update to version 8.2.0-6: - coro: support live patch for libcare - tests/acpi: Update expected ACPI tables for vcpu hotplug(update BinDir) - arm/virt: Require mc->has_hotpluggable_cpus for cold-plugged vcpu - arm/virt: Consider has_ged when set mc->has_hotpluggable_cpus - arm/virt-acpi: Require possible_cpu_arch_ids for build_cpus_aml() - acpi/ged: Remove cpuhp field of ged - acpi/ged: Init cpu hotplug only when machine support it - intc/gicv3: Fixes for vcpu hotplug - arm/kvm: Set psci smccc filter only with vcpu hotplug - accel/kvm: Use correct id for parked vcpu - arm/virt: Fix adjudgement of core_id for vcpu hotplugged - arm/virt.c: Convey local_err when set psci-conduit - system/cpus: Fix resume_all_vcpus() under vCPU hotplug condition - system/cpus: Fix pause_all_vcpus() under concurrent environment - acpi/cpu: Fix cpu_hotplug_hw_init() - arm/cpu: Some fixes for arm_cpu_unrealizefn() - system/physmem: Fix possible double free when destroy cpu as - hw/arm/virt: Expose cold-booted CPUs as MADT GICC Enabled - tcg/mttcg: enable threads to unregister in tcg_ctxs[] - hw/arm: Support hotplug capability check using _OSC method - target/arm/kvm,tcg: Register/Handle SMCCC hypercall exits to VMM/Qemu - target/arm/kvm: Write CPU state back to KVM on reset - target/arm: Add support of *unrealize* ARMCPU during vCPU Hot-unplug - physmem,gdbstub: Common helping funcs/changes to *unrealize* vCPU - hw/arm: Changes required for reset and to support next boot - arm/virt: Update the guest(via GED) about CPU hot-(un)plug events - hw/intc/arm-gicv3*: Changes required to (re)init the vCPU register info - hw/arm,gicv3: Changes to update GIC with vCPU hot-plug notification - arm/virt: Changes to (un)wire GICC<->vCPU IRQs during hot-(un)plug - arm/virt: Add/update basic hot-(un)plug framework - hw/acpi: Update ACPI GED framework to support vCPU Hotplug - arm/virt: Release objects for *disabled* possible vCPUs after init - hw/acpi: Make _MAT method optional - hw/arm: MADT Tbl change to size the guest with possible vCPUs - hw/acpi: Update GED _EVT method AML with cpu scan - hw/acpi: ACPI/AML Changes to reflect the correct _STA.{PRES,ENA} Bits to Guest - arm/virt: Make ARM vCPU *present* status ACPI *persistent* - arm/virt/acpi: Build CPUs AML with CPU Hotplug support - tests/acpi/bios-tables-test: Allow changes to virt/DSDT file - acpi/cpu: Add cpu_cppc building support - arm/virt/acpi: Factor out CPPC building from DSDT CPU aml - hw/acpi: Update CPUs AML with cpu-(ctrl)dev change - arm/virt: Create GED dev before *disabled* CPU Objs are destroyed - arm/virt: Add cpu hotplug events to GED during creation - hw/acpi: Init GED framework with cpu hotplug events - hw/acpi: Use qemu_present_cpu() API in ACPI CPU hotplug init - hw/acpi: Add ACPI CPU hotplug init stub - arm/acpi: Enable ACPI support for vcpu hotplug - hw/acpi: Move CPU ctrl-dev MMIO region len macro to common header file - arm/virt: Init PMU at host for all possible vcpus - arm/virt,gicv3: Changes to pre-size GIC with possible vcpus @machine init - arm/virt,kvm: Pre-create disabled possible vCPUs @machine init - accel/kvm: Extract common KVM vCPU {creation,parking} code - arm/virt,target/arm: Machine init time change common to vCPU {cold|hot}-plug - hw/arm/virt: Move setting of common CPU properties in a function - cpus-common: Add common CPU utility for possible vCPUs - arm/virt,target/arm: Add new ARMCPU {socket,cluster,core,thread}-id property Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2024-04-10 20:59:57 +08:00
From 5f7464524d0fb2c25c9bacfb550df92bef9bb3bf Mon Sep 17 00:00:00 2001
From: Keqian Zhu <zhukeqian1@huawei.com>
Date: Tue, 26 Mar 2024 14:11:05 +0800
Subject: [PATCH] system/physmem: Fix possible double free when destroy cpu as
address_space_destroy() and g_free_rcu() both operate cpuas->as
at rcu thread context asynchronously, each one is a rcu task
that have different callback (the first callback is do_address_
space_destroy() and the second callback is g_free()).
It's possible that while the first task is pending and the second
task overwrites the rcu callback (as the second task operates on
the same object). Then the g_free will be called twice on cpuas->as.
Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
---
include/exec/memory.h | 1 +
system/memory.c | 3 +++
system/physmem.c | 2 +-
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/exec/memory.h b/include/exec/memory.h
index e131c2682c..91c42c9a6a 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -1114,6 +1114,7 @@ struct AddressSpace {
struct rcu_head rcu;
char *name;
MemoryRegion *root;
+ bool free_in_rcu;
/* Accessed via RCU. */
struct FlatView *current_map;
diff --git a/system/memory.c b/system/memory.c
index 798b6c0a17..fb817e54bc 100644
--- a/system/memory.c
+++ b/system/memory.c
@@ -3130,6 +3130,9 @@ static void do_address_space_destroy(AddressSpace *as)
g_free(as->name);
g_free(as->ioeventfds);
memory_region_unref(as->root);
+ if (as->free_in_rcu) {
+ g_free(as);
+ }
}
void address_space_destroy(AddressSpace *as)
diff --git a/system/physmem.c b/system/physmem.c
index 299174ad91..cbe838f203 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -788,8 +788,8 @@ void cpu_address_space_destroy(CPUState *cpu, int asidx)
memory_listener_unregister(&cpuas->tcg_as_listener);
}
+ cpuas->as->free_in_rcu = true;
address_space_destroy(cpuas->as);
- g_free_rcu(cpuas->as, rcu);
if (cpu->cpu_ases_ref_count == 1) {
g_free(cpu->cpu_ases);
--
2.27.0
Reference in New Issue Copy Permalink