Message ID | 1406297847-23440-1-git-send-email-julien.grall@linaro.org |
---|---|
State | Accepted, archived |
Hi Ian and Stefano, Ping? On 25/07/14 07:17, Julien Grall wrote: > When the function domain_vgic_init is failing to initialize pending_irqs, > it will free shared_irqs. Few call later, domain_vgic_free will be called > an try to free a second time the same variable. This will result to a double > free. > > Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly > release the memory. > > Signed-off-by: Julien Grall <julien.grall@linaro.org> > > --- > > This patch should be backported to Xen 4.4. > --- > xen/arch/arm/vgic.c | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c > index aba613b..edbb71a 100644 > --- a/xen/arch/arm/vgic.c > +++ b/xen/arch/arm/vgic.c > @@ -84,10 +84,7 @@ int domain_vgic_init(struct domain *d, unsigned int nr_spis) > d->arch.vgic.pending_irqs = > xzalloc_array(struct pending_irq, d->arch.vgic.nr_spis); > if ( d->arch.vgic.pending_irqs == NULL ) > - { > - xfree(d->arch.vgic.shared_irqs); > return -ENOMEM; > - } > > for (i=0; i<d->arch.vgic.nr_spis; i++) > { >
Sorry, this one wasn't in my queue foirld for some reason. Acked + applied. On Mon, 2014-09-08 at 13:47 -0700, Julien Grall wrote: > Hi Ian and Stefano, > > Ping? > > On 25/07/14 07:17, Julien Grall wrote: > > When the function domain_vgic_init is failing to initialize pending_irqs, > > it will free shared_irqs. Few call later, domain_vgic_free will be called > > an try to free a second time the same variable. This will result to a double > > free. > > > > Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly > > release the memory. > > > > Signed-off-by: Julien Grall <julien.grall@linaro.org> > > > > --- > > > > This patch should be backported to Xen 4.4. > > --- > > xen/arch/arm/vgic.c | 3 --- > > 1 file changed, 3 deletions(-) > > > > diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c > > index aba613b..edbb71a 100644 > > --- a/xen/arch/arm/vgic.c > > +++ b/xen/arch/arm/vgic.c > > @@ -84,10 +84,7 @@ int domain_vgic_init(struct domain *d, unsigned int nr_spis) > > d->arch.vgic.pending_irqs = > > xzalloc_array(struct pending_irq, d->arch.vgic.nr_spis); > > if ( d->arch.vgic.pending_irqs == NULL ) > > - { > > - xfree(d->arch.vgic.shared_irqs); > > return -ENOMEM; > > - } > > > > for (i=0; i<d->arch.vgic.nr_spis; i++) > > { > > >
On 9 September 2014 04:13, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> Sorry, this one wasn't in my queue foirld for some reason. Acked +
> applied.

Thanks! The double free is also present on Xen 4.4. Can you put it on your backport list?

Regards,
On Tue, 2014-09-09 at 11:51 -0700, Julien Grall wrote:
> On 9 September 2014 04:13, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> > Sorry, this one wasn't in my queue foirld for some reason. Acked +
> > applied.
>
> Thanks! The double free is also present on Xen 4.4. Can you put it on
> your backport list?

It's already there, I should have said.

Ian.
On 10/09/14 02:27, Ian Campbell wrote:
> On Tue, 2014-09-09 at 11:51 -0700, Julien Grall wrote:
>> On 9 September 2014 04:13, Ian Campbell <Ian.Campbell@citrix.com> wrote:
>>> Sorry, this one wasn't in my queue foirld for some reason. Acked +
>>> applied.
>>
>> Thanks! The double free is also present on Xen 4.4. Can you put it on
>> your backport list?
>
> It's already there, I should have said.

Thanks!
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c index aba613b..edbb71a 100644 --- a/xen/arch/arm/vgic.c +++ b/xen/arch/arm/vgic.c @@ -84,10 +84,7 @@ int domain_vgic_init(struct domain *d, unsigned int nr_spis) d->arch.vgic.pending_irqs = xzalloc_array(struct pending_irq, d->arch.vgic.nr_spis); if ( d->arch.vgic.pending_irqs == NULL ) - { - xfree(d->arch.vgic.shared_irqs); return -ENOMEM; - } for (i=0; i<d->arch.vgic.nr_spis; i++) {
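Review bot: dropping the xfree() at the `if ( d->arch.vgic.pending_irqs == NULL )` exit is only safe if domain_vgic_free() is guaranteed to run for every domain whose domain_vgic_init() returned -ENOMEM and tolerates pending_irqs being NULL; neither is visible in this hunk, so a one-line comment above `return -ENOMEM;` stating that shared_irqs is released by domain_vgic_free() would stop a future reader from reintroducing the early free. If a local free were ever kept instead, setting d->arch.vgic.shared_irqs = NULL right after it would turn the later free in domain_vgic_free() into a no-op rather than a double free.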
When the function domain_vgic_init fails to initialize pending_irqs, it will free shared_irqs. A few calls later, domain_vgic_free will be called and try to free the same variable a second time. This will result in a double free.

Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly release the memory.

Signed-off-by: Julien Grall <julien.grall@linaro.org>

---

This patch should be backported to Xen 4.4.
---
 xen/arch/arm/vgic.c | 3 ---
 1 file changed, 3 deletions(-)
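A constructed C model of the failure the commit message describes, added here as an example and not code from Xen or from the author: a small tracking allocator stands in for xzalloc_array()/xfree() so that the second free of shared_irqs on the error path can be counted rather than crash, with the buggy and the patched cleanup side by side. The names vgic_init, vgic_free, track_alloc and track_free are hypothetical stand-ins.

```c
#include <stdlib.h>

/* Tracking allocator, constructed for this example: it remembers live blocks so a
 * free of a pointer that is no longer live is counted instead of crashing. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int alloc_count, fail_on_alloc, double_frees;

static void *track_alloc(size_t n) {
    if (++alloc_count == fail_on_alloc)
        return NULL;                            /* simulated xzalloc_array() failure */
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}
static void track_free(void *p) {
    if (!p) return;                             /* NULL is a no-op, as with free() */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                             /* p is no longer live: double free */
}

struct vgic { void *shared_irqs; void *pending_irqs; }; /* hypothetical stand-in for d->arch.vgic */

/* Hypothetical stand-in for domain_vgic_init(); buggy selects the pre-patch cleanup. */
static int vgic_init(struct vgic *v, int buggy) {
    v->shared_irqs = track_alloc(64);
    if (!v->shared_irqs) return -1;
    v->pending_irqs = track_alloc(64);
    if (!v->pending_irqs) {
        if (buggy) track_free(v->shared_irqs);  /* the xfree() the patch removes; pointer left dangling */
        return -1;                              /* patched variant: cleanup is vgic_free()'s job */
    }
    return 0;
}
/* Hypothetical stand-in for domain_vgic_free(), run by the caller on the error path. */
static void vgic_free(struct vgic *v) {
    track_free(v->pending_irqs);
    track_free(v->shared_irqs);                 /* frees shared_irqs again in the buggy variant */
}

/* Init with the second allocation failing, then the teardown the caller runs on
 * the error path; returns the double frees observed: 1 for buggy, 0 for patched. */
int double_frees_on_error_path(int buggy) {
    struct vgic v = { 0 };
    alloc_count = 0; fail_on_alloc = 2; double_frees = 0;
    for (int i = 0; i < MAX_LIVE; i++) live[i] = NULL;
    if (vgic_init(&v, buggy) == 0) return -1;   /* unreachable with fail_on_alloc == 2 */
    vgic_free(&v);
    return double_frees;
}
```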