[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure

To: Luca Fancellu <Luca.Fancellu@xxxxxxx>
From: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Date: Tue, 21 Apr 2026 15:17:20 -0700 (PDT)
Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=k20201202 header.d=kernel.org header.i="@kernel.org" header.h="Date:From:To:cc:Subject:In-Reply-To:References"
Cc: Michal Orzel <michal.orzel@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>
Delivery-date: Tue, 21 Apr 2026 22:17:28 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, 15 Apr 2026, Luca Fancellu wrote:
> Hi Michal,
> 
> > On 15 Apr 2026, at 12:36, Michal Orzel <michal.orzel@xxxxxxx> wrote:
> > 
> > handle_attach_overlay_nodes() destroys the IRQ and IOMEM rangesets on
> > failure but leaves the pointers dangling in the tracker entry. A
> > subsequent handle_remove_overlay_nodes() for the same overlay will call
> > rangeset_consume_ranges() on freed memory followed by a second
> > rangeset_destroy(), resulting in use-after-free and double-free.
> > 
> > NULL the pointers after rangeset_destroy() so that remove_nodes() and
> > handle_remove_overlay_nodes() skip the stale entries.
> > 
> > Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device 
> > attachment to domains")
> > Reported-by: Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>
> > Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
> > ---
> 
> Looks ok to me
> 
> Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>

Acked-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>

References:
- [PATCH 0/6] dt-overlay: some fixes and improvements
  - From: Michal Orzel
- [PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure
  - From: Michal Orzel
- Re: [PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure
  - From: Luca Fancellu

Prev by Date: Re: [PATCH] xen/arm: Replace __ASSEMBLY__ with __ASSEMBLER__ in interface.h
Next by Date: Re: [PATCH 2/6] xen/dt-overlay: fix rangeset leak and dead code in domctl path
Previous by thread: Re: [PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure
Next by thread: [PATCH 3/6] xen/dt-overlay: check overlay size before memcmp in tracker lookup
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.