[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] xen/cache-col: Fix freeing of colouring information

commit b5e1674cafda8bd1d199662db7f65d0d460725fb
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Jul 24 12:18:13 2025 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Jul 29 17:25:54 2025 +0100

    xen/cache-col: Fix freeing of colouring information
    
    domain_destroy() is the wrong position to be freeing colouring information,
    which is only used for allocations.
    
    The comment in context identifies how domain_destroy() can be called 
multiple
    times on the same domain, leading to a double free of d->llc_colors as it's
    the wrong side of the atomic_cmpxchg() to be made safe.
    
    Furthermore, by freeing d->llc_colors but leaving d->num_llc_colors nonzero,
    alloc_color_heap_page() can in principle use after free.
    
    Make domain_llc_coloring_free() idempotent, zeroing d->num_llc_colors and
    NULL-ing d->llc_colors after freeing, and call it from domain_teardown().
    
    Fixes: 6985aa5e0c3c ("xen: extend domctl interface for cache coloring")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
 xen/common/domain.c       | 5 +++--
 xen/common/llc-coloring.c | 4 +++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/xen/common/domain.c b/xen/common/domain.c
index 3c65cca5b0..9391f5ad7c 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -634,6 +634,9 @@ static int domain_teardown(struct domain *d)
     case PROG_none:
         BUILD_BUG_ON(PROG_none != 0);
 
+        /* Trivial teardown, not long-running enough to need a preemption 
check. */
+        domain_llc_coloring_free(d);
+
     PROGRESS(gnttab_mappings):
         rc = gnttab_release_mappings(d);
         if ( rc )
@@ -1455,8 +1458,6 @@ void domain_destroy(struct domain *d)
 {
     BUG_ON(!d->is_dying);
 
-    domain_llc_coloring_free(d);
-
     /* May be already destroyed, or get_domain() can race us. */
     if ( atomic_cmpxchg(&d->refcnt, 0, DOMAIN_DESTROYED) != 0 )
         return;
diff --git a/xen/common/llc-coloring.c b/xen/common/llc-coloring.c
index bd1f634f0b..ea3e0ca070 100644
--- a/xen/common/llc-coloring.c
+++ b/xen/common/llc-coloring.c
@@ -309,8 +309,10 @@ int domain_set_llc_colors(struct domain *d,
 
 void domain_llc_coloring_free(struct domain *d)
 {
+    d->num_llc_colors = 0;
+
     if ( d->llc_colors != default_colors )
-        xfree(d->llc_colors);
+        XFREE(d->llc_colors);
 }
 
 int __init domain_set_llc_colors_from_str(struct domain *d, const char *str)
--
generated by git-patchbot for /home/xen/git/xen.git#master

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.