
[Xen-changelog] [xen-unstable] x86, hvm: Fix double-free of vpmu->context



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1237457101 0
# Node ID 4b2d8b1c395ad64377f9fc124d806ffa786d280d
# Parent  f0d033f0a319d4ce0b20244cee68998a7afd3317
x86, hvm: Fix double-free of vpmu->context

When `opcontrol --shutdown' is called after xenoprof is used on Dom0,
the vpmu owner becomes PMU_OWNER_NONE. So it is possible to acquire
the owner as PMU_OWNER_HVM and to allocate vpmu->context twice. As a
result, the hypervisor panics because of double-alloc/free of
vpmu->context.

Signed-off-by: Kazuhiro Suzuki <kaz@xxxxxxxxxxxxxx>
---
 xen/arch/x86/hvm/vmx/vpmu_core2.c     |    4 +++-
 xen/arch/x86/oprofile/op_model_ppro.c |    2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff -r f0d033f0a319 -r 4b2d8b1c395a xen/arch/x86/hvm/vmx/vpmu_core2.c
--- a/xen/arch/x86/hvm/vmx/vpmu_core2.c Thu Mar 19 10:04:15 2009 +0000
+++ b/xen/arch/x86/hvm/vmx/vpmu_core2.c Thu Mar 19 10:05:01 2009 +0000
@@ -296,7 +296,8 @@ static int core2_vpmu_msr_common_check(u
         return 0;
 
     if ( unlikely(!(vpmu->flags & VPMU_CONTEXT_ALLOCATED)) &&
-         !core2_vpmu_alloc_resource(current) )
+        (vpmu->context != NULL ||
+         !core2_vpmu_alloc_resource(current)) )
         return 0;
     vpmu->flags |= VPMU_CONTEXT_ALLOCATED;
 
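Review bot: with the new `vpmu->context != NULL ||` arm, a vcpu whose context was already allocated by another owner (the xenoprof passive-domain path) but whose VPMU_CONTEXT_ALLOCATED flag is clear now makes core2_vpmu_msr_common_check return 0 and never sets the flag, so the MSR access is silently declined instead of the existing buffer being reused or the conflict being reported. That avoids the second allocation, but a one-line comment above the condition explaining that a non-NULL context with the flag clear means "owned elsewhere, do not touch" would save the next reader from reading it as a leak check; a gdprintk in that branch would also make the refused access visible when debugging.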
@@ -488,6 +489,7 @@ static void core2_vpmu_destroy(struct vc
     if ( cpu_has_vmx_msr_bitmap )
         core2_vpmu_unset_msr_bitmap(v->arch.hvm_vmx.msr_bitmap);
     release_pmu_ownship(PMU_OWNER_HVM);
+    vpmu->flags &= ~VPMU_CONTEXT_ALLOCATED;
 }
 
 struct arch_vpmu_ops core2_vpmu_ops = {
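Review bot: clearing VPMU_CONTEXT_ALLOCATED here is the right counterpart to the check in core2_vpmu_msr_common_check, but that check now keys on `vpmu->context != NULL` as well as the flag. If this destroy path also frees vpmu->context (the xfree is not in the visible context lines), the pointer should be set to NULL alongside the flag clear, e.g. `vpmu->context = NULL;` next to `vpmu->flags &= ~VPMU_CONTEXT_ALLOCATED;`, otherwise the stale pointer keeps the common check returning 0 for this vcpu after destroy. Also consider clearing the flag before release_pmu_ownship(PMU_OWNER_HVM) rather than after, so the flag and ownership never disagree in the window between the two statements.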
diff -r f0d033f0a319 -r 4b2d8b1c395a xen/arch/x86/oprofile/op_model_ppro.c
--- a/xen/arch/x86/oprofile/op_model_ppro.c     Thu Mar 19 10:04:15 2009 +0000
+++ b/xen/arch/x86/oprofile/op_model_ppro.c     Thu Mar 19 10:05:01 2009 +0000
@@ -219,6 +219,8 @@ static void ppro_free_msr(struct vcpu *v
 {
        struct vpmu_struct *vpmu = vcpu_vpmu(v);
 
+       if ( !(vpmu->flags & PASSIVE_DOMAIN_ALLOCATED) )
+               return;
        xfree(vpmu->context);
        vpmu->flags &= ~PASSIVE_DOMAIN_ALLOCATED;
 }
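Review bot: the PASSIVE_DOMAIN_ALLOCATED guard makes ppro_free_msr safe to call twice, but the xfree still leaves vpmu->context pointing at freed memory. Since the core2 path in vpmu_core2.c now tests `vpmu->context != NULL` to decide whether it may allocate, the stale pointer means an HVM vcpu that was once profiled as a passive domain can be refused its own context forever after `opcontrol --shutdown`. Add `vpmu->context = NULL;` after `xfree(vpmu->context);` so the freed state is visible to both owners.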

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog