qemu/system-physmem-Fix-possible-double-free-when-destroy.patch
Jiabo Feng c025e9059a QEMU update to version 8.2.0-6:
- coro: support live patch for libcare
- tests/acpi: Update expected ACPI tables for vcpu hotplug(update BinDir)
- arm/virt: Require mc->has_hotpluggable_cpus for cold-plugged vcpu
- arm/virt: Consider has_ged when set mc->has_hotpluggable_cpus
- arm/virt-acpi: Require possible_cpu_arch_ids for build_cpus_aml()
- acpi/ged: Remove cpuhp field of ged
- acpi/ged: Init cpu hotplug only when machine support it
- intc/gicv3: Fixes for vcpu hotplug
- arm/kvm: Set psci smccc filter only with vcpu hotplug
- accel/kvm: Use correct id for parked vcpu
- arm/virt: Fix adjudgement of core_id for vcpu hotplugged
- arm/virt.c: Convey local_err when set psci-conduit
- system/cpus: Fix resume_all_vcpus() under vCPU hotplug condition
- system/cpus: Fix pause_all_vcpus() under concurrent environment
- acpi/cpu: Fix cpu_hotplug_hw_init()
- arm/cpu: Some fixes for arm_cpu_unrealizefn()
- system/physmem: Fix possible double free when destroy cpu as
- hw/arm/virt: Expose cold-booted CPUs as MADT GICC Enabled
- tcg/mttcg: enable threads to unregister in tcg_ctxs[]
- hw/arm: Support hotplug capability check using _OSC method
- target/arm/kvm,tcg: Register/Handle SMCCC hypercall exits to VMM/Qemu
- target/arm/kvm: Write CPU state back to KVM on reset
- target/arm: Add support of *unrealize* ARMCPU during vCPU Hot-unplug
- physmem,gdbstub: Common helping funcs/changes to *unrealize* vCPU
- hw/arm: Changes required for reset and to support next boot
- arm/virt: Update the guest(via GED) about CPU hot-(un)plug events
- hw/intc/arm-gicv3*: Changes required to (re)init the vCPU register info
- hw/arm,gicv3: Changes to update GIC with vCPU hot-plug notification
- arm/virt: Changes to (un)wire GICC<->vCPU IRQs during hot-(un)plug
- arm/virt: Add/update basic hot-(un)plug framework
- hw/acpi: Update ACPI GED framework to support vCPU Hotplug
- arm/virt: Release objects for *disabled* possible vCPUs after init
- hw/acpi: Make _MAT method optional
- hw/arm: MADT Tbl change to size the guest with possible vCPUs
- hw/acpi: Update GED _EVT method AML with cpu scan
- hw/acpi: ACPI/AML Changes to reflect the correct _STA.{PRES,ENA} Bits to Guest
- arm/virt: Make ARM vCPU *present* status ACPI *persistent*
- arm/virt/acpi: Build CPUs AML with CPU Hotplug support
- tests/acpi/bios-tables-test: Allow changes to virt/DSDT file
- acpi/cpu: Add cpu_cppc building support
- arm/virt/acpi: Factor out CPPC building from DSDT CPU aml
- hw/acpi: Update CPUs AML with cpu-(ctrl)dev change
- arm/virt: Create GED dev before *disabled* CPU Objs are destroyed
- arm/virt: Add cpu hotplug events to GED during creation
- hw/acpi: Init GED framework with cpu hotplug events
- hw/acpi: Use qemu_present_cpu() API in ACPI CPU hotplug init
- hw/acpi: Add ACPI CPU hotplug init stub
- arm/acpi: Enable ACPI support for vcpu hotplug
- hw/acpi: Move CPU ctrl-dev MMIO region len macro to common header file
- arm/virt: Init PMU at host for all possible vcpus
- arm/virt,gicv3: Changes to pre-size GIC with possible vcpus @machine init
- arm/virt,kvm: Pre-create disabled possible vCPUs @machine init
- accel/kvm: Extract common KVM vCPU {creation,parking} code
- arm/virt,target/arm: Machine init time change common to vCPU {cold|hot}-plug
- hw/arm/virt: Move setting of common CPU properties in a function
- cpus-common: Add common CPU utility for possible vCPUs
- arm/virt,target/arm: Add new ARMCPU {socket,cluster,core,thread}-id property

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2024-04-10 21:01:15 +08:00


From 5f7464524d0fb2c25c9bacfb550df92bef9bb3bf Mon Sep 17 00:00:00 2001
From: Keqian Zhu <zhukeqian1@huawei.com>
Date: Tue, 26 Mar 2024 14:11:05 +0800
Subject: [PATCH] system/physmem: Fix possible double free when destroy cpu as
address_space_destroy() and g_free_rcu() both operate on cpuas->as
at rcu thread context asynchronously; each one is an rcu task
that has a different callback (the first callback is
do_address_space_destroy() and the second callback is g_free()).
It's possible that, while the first task is pending, the second
task overwrites the rcu callback (as the second task operates on
the same object). Then g_free will be called twice on cpuas->as.
Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
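The race the message describes, as an added example that is not QEMU code: a single-threaded toy queue whose node layout is modelled on the shape of QEMU's rcu_head (a `next` pointer and a `func` pointer stored inside the object being reclaimed) and whose enqueue mirrors call_rcu(). Every name prefixed `toy_` is an assumption for this illustration. Queueing the same head twice overwrites the first callback and links the node to itself, so the destroy callback never runs and the free callback runs repeatedly; the fixed scenario queues one callback that frees the object itself when `free_in_rcu` is set.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for QEMU's rcu_head (assumption: modelled on its shape, not
 * copied): the callback pointer lives inside the object being reclaimed. */
struct toy_rcu_head {
    struct toy_rcu_head *next;
    void (*func)(struct toy_rcu_head *head);
};

/* Single-threaded FIFO standing in for the RCU thread's callback list. */
struct toy_queue {
    struct toy_rcu_head *head;
    struct toy_rcu_head **tail;
};

struct toy_as {
    struct toy_rcu_head rcu;  /* mirrors AddressSpace.rcu */
    bool free_in_rcu;         /* mirrors the flag this patch adds */
};

struct toy_stats {
    int destroy_calls;  /* how often the destroy callback ran */
    int free_calls;     /* how often the "g_free" of the object ran */
    int drained;        /* callbacks the drain loop executed */
    bool self_linked;   /* rcu_head ended up pointing at itself */
};

static struct toy_stats stats;

static void toy_queue_init(struct toy_queue *q)
{
    q->head = NULL;
    q->tail = &q->head;
}

/* call_rcu()-style enqueue: store func in the node, link node at the tail.
 * Nothing stops a caller from passing the same head twice. */
static void toy_call_rcu(struct toy_queue *q, struct toy_rcu_head *node,
                         void (*func)(struct toy_rcu_head *))
{
    node->func = func;
    node->next = NULL;
    *q->tail = node;
    q->tail = &node->next;
}

/* Drain as the RCU thread would. The budget exists only so a corrupted,
 * self-linked list cannot spin this demo forever. */
static int toy_drain(struct toy_queue *q, int budget)
{
    int n = 0;
    while (q->head != NULL && n < budget) {
        struct toy_rcu_head *node = q->head;
        q->head = node->next;
        if (q->head == NULL) {
            q->tail = &q->head;
        }
        node->func(node);  /* in real code this may free the node */
        n++;
    }
    return n;
}

/* Stand-in for do_address_space_destroy() after the patch. */
static void toy_do_destroy(struct toy_rcu_head *h)
{
    struct toy_as *as = (struct toy_as *)h;  /* rcu is the first member */
    stats.destroy_calls++;
    if (as->free_in_rcu) {
        stats.free_calls++;  /* the one and only "g_free(as)" */
    }
}

/* Stand-in for the g_free() callback that g_free_rcu() installs. */
static void toy_g_free(struct toy_rcu_head *h)
{
    (void)h;
    stats.free_calls++;
}

/* Before the patch: two callbacks queued on the same rcu_head. */
struct toy_stats toy_buggy_destroy(void)
{
    struct toy_queue q;
    struct toy_as as;
    memset(&stats, 0, sizeof(stats));
    memset(&as, 0, sizeof(as));
    toy_queue_init(&q);
    toy_call_rcu(&q, &as.rcu, toy_do_destroy);  /* address_space_destroy() */
    toy_call_rcu(&q, &as.rcu, toy_g_free);      /* g_free_rcu(as, rcu) */
    stats.self_linked = (as.rcu.next == &as.rcu);
    stats.drained = toy_drain(&q, 4);
    return stats;
}

/* After the patch: one callback, which frees the object itself. */
struct toy_stats toy_fixed_destroy(void)
{
    struct toy_queue q;
    struct toy_as as;
    memset(&stats, 0, sizeof(stats));
    memset(&as, 0, sizeof(as));
    toy_queue_init(&q);
    as.free_in_rcu = true;
    toy_call_rcu(&q, &as.rcu, toy_do_destroy);
    stats.self_linked = (as.rcu.next == &as.rcu);
    stats.drained = toy_drain(&q, 4);
    return stats;
}

int main(void)
{
    struct toy_stats b = toy_buggy_destroy();
    struct toy_stats f = toy_fixed_destroy();
    printf("buggy: destroy=%d free=%d drained=%d self_linked=%d\n",
           b.destroy_calls, b.free_calls, b.drained, b.self_linked);
    printf("fixed: destroy=%d free=%d drained=%d self_linked=%d\n",
           f.destroy_calls, f.free_calls, f.drained, f.self_linked);
    return 0;
}
```

In the buggy run the second enqueue makes `as.rcu.next` point at `as.rcu` itself, so the drain loop never empties the list and the free callback is the only one that ever fires; the destroy callback is lost entirely. In the real RCU thread the second g_free() acts on memory the first one already released, which is the double free the patch removes by letting the single destroy callback own the free.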
---
include/exec/memory.h | 1 +
system/memory.c | 3 +++
system/physmem.c | 2 +-
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/exec/memory.h b/include/exec/memory.h
index e131c2682c..91c42c9a6a 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -1114,6 +1114,7 @@ struct AddressSpace {
struct rcu_head rcu;
char *name;
MemoryRegion *root;
+ bool free_in_rcu;
/* Accessed via RCU. */
struct FlatView *current_map;
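Review bot: nothing in this patch initializes the new free_in_rcu field (the diffstat touches only memory.h, memory.c and physmem.c, none of it address_space_init()), so an AddressSpace that is not zero-allocated, for example one embedded in a struct built on the stack or allocated without g_new0(), would hand an indeterminate value to do_address_space_destroy() and could be freed by mistake. Set `as->free_in_rcu = false;` in address_space_init() instead of relying on callers to zero the struct, and give the field a comment stating its contract, e.g. `/* Set by the owner before address_space_destroy(); the RCU callback then frees 'as', so the owner must not free it. */`.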
diff --git a/system/memory.c b/system/memory.c
index 798b6c0a17..fb817e54bc 100644
--- a/system/memory.c
+++ b/system/memory.c
@@ -3130,6 +3130,9 @@ static void do_address_space_destroy(AddressSpace *as)
g_free(as->name);
g_free(as->ioeventfds);
memory_region_unref(as->root);
+ if (as->free_in_rcu) {
+ g_free(as);
+ }
}
void address_space_destroy(AddressSpace *as)
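Review bot: the `if (as->free_in_rcu) { g_free(as); }` block changes the contract of do_address_space_destroy() so that it may free its own argument, and that is not documented anywhere in the hunk; `as` is still dereferenced by `memory_region_unref(as->root);` on the line just above, so the free is only safe because it is the last statement. Add a comment pinning that down, e.g. `/* Must stay last: frees 'as' when the owner asked for it. */`, so a later reordering of the teardown steps does not turn this into a use-after-free.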
diff --git a/system/physmem.c b/system/physmem.c
index 299174ad91..cbe838f203 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -788,8 +788,8 @@ void cpu_address_space_destroy(CPUState *cpu, int asidx)
memory_listener_unregister(&cpuas->tcg_as_listener);
}
+ cpuas->as->free_in_rcu = true;
address_space_destroy(cpuas->as);
- g_free_rcu(cpuas->as, rcu);
if (cpu->cpu_ases_ref_count == 1) {
g_free(cpu->cpu_ases);
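Review bot: after `address_space_destroy(cpuas->as);` the pointer cpuas->as dangles until the RCU callback frees the AddressSpace, and the `if (cpu->cpu_ases_ref_count == 1)` guard below shows that cpu->cpu_ases, and with it cpuas, can outlive this call when the refcount is higher; set `cpuas->as = NULL;` right after the destroy call so no later code path can reach the freed object. The `cpuas->as->free_in_rcu = true;` store itself is correctly placed: it happens before address_space_destroy() queues the only callback that reads it, so the RCU thread cannot observe the flag unset.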
--
2.27.0