From: Keir Fraser
Date: Thu, 19 Mar 2009 10:05:01 +0000 (+0000)
Subject: x86, hvm: Fix double-free of vpmu->context
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~13992^2~35
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks://%22/%22http:/www.example.com/cgi/%22https:/%22bookmarks:/%22?a=commitdiff_plain;h=d532e54c26d054c9ba97ecb0429ddfb7842e2f52;p=xen.git
x86, hvm: Fix double-free of vpmu->context
When `opcontrol --shutdown' is called after xenoprof is used on Dom0, the vpmu owner becomes PMU_OWNER_NONE. So it is possible to acquire the owner as PMU_OWNER_HVM and to allocate vpmu->context twice. As a result, the hypervisor panics because of double-alloc/free of vpmu->context.
Signed-off-by: Kazuhiro Suzuki
---
diff --git a/xen/arch/x86/hvm/vmx/vpmu_core2.c b/xen/arch/x86/hvm/vmx/vpmu_core2.c
index 240f1bf7ba..37054f22eb 100644
--- a/xen/arch/x86/hvm/vmx/vpmu_core2.c
+++ b/xen/arch/x86/hvm/vmx/vpmu_core2.c
@@ -296,7 +296,8 @@ static int core2_vpmu_msr_common_check(u32 msr_index, int *type, int *index)
 return 0;
 if ( unlikely(!(vpmu->flags & VPMU_CONTEXT_ALLOCATED)) &&
- !core2_vpmu_alloc_resource(current) )
+ (vpmu->context != NULL ||
+ !core2_vpmu_alloc_resource(current)) )
 return 0;
 vpmu->flags |= VPMU_CONTEXT_ALLOCATED;
@@ -488,6 +489,7 @@ static void core2_vpmu_destroy(struct vcpu *v)
 if ( cpu_has_vmx_msr_bitmap )
 core2_vpmu_unset_msr_bitmap(v->arch.hvm_vmx.msr_bitmap);
 release_pmu_ownship(PMU_OWNER_HVM);
+ vpmu->flags &= ~VPMU_CONTEXT_ALLOCATED;
 }
 struct arch_vpmu_ops core2_vpmu_ops = {
diff --git a/xen/arch/x86/oprofile/op_model_ppro.c b/xen/arch/x86/oprofile/op_model_ppro.c
index 90b5d2887a..0dc962dfe6 100644
--- a/xen/arch/x86/oprofile/op_model_ppro.c
+++ b/xen/arch/x86/oprofile/op_model_ppro.c
@@ -219,6 +219,8 @@ static void ppro_free_msr(struct vcpu *v)
 {
 struct vpmu_struct *vpmu = vcpu_vpmu(v);
+ if ( !(vpmu->flags & PASSIVE_DOMAIN_ALLOCATED) )
+ return;
 xfree(vpmu->context);
 vpmu->flags &= ~PASSIVE_DOMAIN_ALLOCATED;
 }
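Review bot: The new `vpmu->context != NULL` test in core2_vpmu_msr_common_check returns 0 without a comment, so a reader cannot tell that "non-NULL context with VPMU_CONTEXT_ALLOCATED clear" is the "context already owned by someone else" case rather than an allocation failure; going by the commit message it is presumably the context left by the xenoprof/passive-domain path. I would annotate the added line, e.g. `/* context already in use by another PMU owner: do not allocate a second one */`. The guard also relies on every release of vpmu->context resetting the pointer to NULL; otherwise a stale pointer keeps this branch refusing allocation indefinitely, and that invariant is not established anywhere in this hunk. core2_vpmu_msr_common_check starts and ends outside the hunk.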
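Review bot: The added line in core2_vpmu_destroy clears VPMU_CONTEXT_ALLOCATED but does not reset vpmu->context, and the companion change in core2_vpmu_msr_common_check now treats a non-NULL vpmu->context as "already allocated", so a freed-but-dangling pointer would make every later vPMU MSR access from this vCPU return 0 instead of reallocating. Whether the context is freed (and nulled) earlier in this function is not visible here; if it is freed without being nulled, I would add `vpmu->context = NULL;` next to the flag clear so the two conditions the check depends on stay in step. core2_vpmu_destroy starts outside the hunk.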
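Review bot: The new early return in ppro_free_msr stops a second xfree, but `xfree(vpmu->context);` on the following line still leaves vpmu->context dangling, while the companion change in vpmu_core2.c now uses `vpmu->context != NULL` to decide whether a context already exists; a stale pointer would therefore make the HVM path refuse to allocate rather than double-free, which is quieter but still wrong. I would add `vpmu->context = NULL;` directly after the xfree. That the vpmu_core2.c path can see this vCPU's context after passive-domain teardown is inferred from the commit message rather than from the lines shown here.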