
[Xen-devel] xen/arm: domain_vgic_init: Avoid double free on shared_irqs

Message ID 1406297847-23440-1-git-send-email-julien.grall@linaro.org
State Accepted, archived

Commit Message

Julien Grall July 25, 2014, 2:17 p.m. UTC
When the function domain_vgic_init fails to initialize pending_irqs,
it will free shared_irqs. A few calls later, domain_vgic_free will be called
and try to free the same variable a second time. This will result in a double
free.

Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly
release the memory.

Signed-off-by: Julien Grall <julien.grall@linaro.org>

---

This patch should be backported to Xen 4.4.
---
 xen/arch/arm/vgic.c |    3 ---
 1 file changed, 3 deletions(-)
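As an added illustration of the ownership bug the commit message describes (constructed example, not code from this patch or from Xen): a toy model with two per-domain arrays, an init routine in its pre-patch and post-patch shapes, and a teardown routine that is always run by the caller. A small tracking allocator counts a second free of the same block instead of executing it, so the scenario runs safely and reports what a real double free would have done to the heap. All names (toy_vgic, init_buggy, init_fixed, vgic_free, tracked_zalloc, tracked_free, run_scenario) are hypothetical; the example assumes, as the fix itself does, that the free routine treats a NULL pointer as a no-op.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two per-domain vgic arrays. */
struct vgic_irq_rank { unsigned int ienable; };
struct pending_irq   { unsigned int irq; };
struct toy_vgic {
    unsigned int nr_spis;
    struct vgic_irq_rank *shared_irqs;
    struct pending_irq   *pending_irqs;
};

/* Fault injection: the Nth allocation (1-based) returns NULL; 0 disables it. */
static int fail_on_alloc;
static int alloc_count;

/* Live-pointer table so a second free of the same block is counted, not executed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_zalloc(size_t n)
{
    if (++alloc_count == fail_on_alloc)
        return NULL;
    void *p = calloc(1, n);
    if (p == NULL)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                 /* table full: treat as allocation failure */
    return NULL;
}

static void tracked_free(void *p)
{
    if (p == NULL)           /* assumed, as the fix assumes of xfree: NULL is a no-op */
        return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;     /* block is no longer live: a real free here hits freed memory */
}

/* Blocks still allocated; non-zero after teardown means a leak. */
static int live_blocks(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += (live[i] != NULL);
    return n;
}

/* Pre-patch shape: init frees shared_irqs itself when the second allocation
 * fails, but the stale pointer stays in the struct for the teardown to find. */
static int init_buggy(struct toy_vgic *v, unsigned int nr_spis)
{
    v->nr_spis = nr_spis;
    v->shared_irqs = tracked_zalloc(nr_spis * sizeof(*v->shared_irqs));
    if (v->shared_irqs == NULL)
        return -ENOMEM;
    v->pending_irqs = tracked_zalloc(nr_spis * sizeof(*v->pending_irqs));
    if (v->pending_irqs == NULL) {
        tracked_free(v->shared_irqs);   /* first free */
        return -ENOMEM;
    }
    return 0;
}

/* Post-patch shape: partial state is left for vgic_free, the single owner. */
static int init_fixed(struct toy_vgic *v, unsigned int nr_spis)
{
    v->nr_spis = nr_spis;
    v->shared_irqs = tracked_zalloc(nr_spis * sizeof(*v->shared_irqs));
    if (v->shared_irqs == NULL)
        return -ENOMEM;
    v->pending_irqs = tracked_zalloc(nr_spis * sizeof(*v->pending_irqs));
    if (v->pending_irqs == NULL)
        return -ENOMEM;
    return 0;
}

/* The teardown the caller runs on both the success and the failure path. */
static void vgic_free(struct toy_vgic *v)
{
    tracked_free(v->shared_irqs);    /* second free in the buggy scenario */
    tracked_free(v->pending_irqs);
    v->shared_irqs = NULL;
    v->pending_irqs = NULL;
}

/* Create-then-teardown with the Nth allocation failing; returns double frees seen. */
static int run_scenario(int (*init)(struct toy_vgic *, unsigned int), int fail_nth)
{
    struct toy_vgic v;
    memset(&v, 0, sizeof(v));
    memset(live, 0, sizeof(live));
    alloc_count = 0;
    double_free_count = 0;
    fail_on_alloc = fail_nth;
    (void)init(&v, 4);
    vgic_free(&v);
    return double_free_count;
}

int main(void)
{
    int buggy = run_scenario(init_buggy, 2), buggy_leaks = live_blocks();
    int fixed = run_scenario(init_fixed, 2), fixed_leaks = live_blocks();
    printf("buggy init, pending_irqs alloc fails: %d double free(s), %d leaked\n", buggy, buggy_leaks);
    printf("fixed init, pending_irqs alloc fails: %d double free(s), %d leaked\n", fixed, fixed_leaks);
    return 0;
}
```

The design point is the one the patch makes: once a teardown routine is guaranteed to run on every exit path, an init routine that also cleans up after itself has two owners for the same block, and the first NULL-less early exit turns into a double free. Keeping cleanup in one place (and tolerating NULL there) is what makes the early return safe, and the live-pointer table shows that the fixed shape neither double frees nor leaks, whichever allocation fails.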

Comments

Julien Grall Sept. 8, 2014, 8:47 p.m. UTC | #1
Hi Ian and Stefano,

Ping?

On 25/07/14 07:17, Julien Grall wrote:
> When the function domain_vgic_init fails to initialize pending_irqs,
> it will free shared_irqs. A few calls later, domain_vgic_free will be called
> and try to free the same variable a second time. This will result in a double
> free.
>
> Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly
> release the memory.
>
> Signed-off-by: Julien Grall <julien.grall@linaro.org>
>
> ---
>
> This patch should be backported to Xen 4.4.
> ---
>   xen/arch/arm/vgic.c |    3 ---
>   1 file changed, 3 deletions(-)
>
> diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
> index aba613b..edbb71a 100644
> --- a/xen/arch/arm/vgic.c
> +++ b/xen/arch/arm/vgic.c
> @@ -84,10 +84,7 @@ int domain_vgic_init(struct domain *d, unsigned int nr_spis)
>       d->arch.vgic.pending_irqs =
>           xzalloc_array(struct pending_irq, d->arch.vgic.nr_spis);
>       if ( d->arch.vgic.pending_irqs == NULL )
> -    {
> -        xfree(d->arch.vgic.shared_irqs);
>           return -ENOMEM;
> -    }
>
>       for (i=0; i<d->arch.vgic.nr_spis; i++)
>       {
>
Ian Campbell Sept. 9, 2014, 11:13 a.m. UTC | #2
Sorry, this one wasn't in my queue folder for some reason. Acked +
applied.

On Mon, 2014-09-08 at 13:47 -0700, Julien Grall wrote:
> Hi Ian and Stefano,
> 
> Ping?
> 
> On 25/07/14 07:17, Julien Grall wrote:
> > When the function domain_vgic_init fails to initialize pending_irqs,
> > it will free shared_irqs. A few calls later, domain_vgic_free will be called
> > and try to free the same variable a second time. This will result in a double
> > free.
> >
> > Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly
> > release the memory.
> >
> > Signed-off-by: Julien Grall <julien.grall@linaro.org>
> >
> > ---
> >
> > This patch should be backported to Xen 4.4.
> > ---
> >   xen/arch/arm/vgic.c |    3 ---
> >   1 file changed, 3 deletions(-)
> >
> > diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
> > index aba613b..edbb71a 100644
> > --- a/xen/arch/arm/vgic.c
> > +++ b/xen/arch/arm/vgic.c
> > @@ -84,10 +84,7 @@ int domain_vgic_init(struct domain *d, unsigned int nr_spis)
> >       d->arch.vgic.pending_irqs =
> >           xzalloc_array(struct pending_irq, d->arch.vgic.nr_spis);
> >       if ( d->arch.vgic.pending_irqs == NULL )
> > -    {
> > -        xfree(d->arch.vgic.shared_irqs);
> >           return -ENOMEM;
> > -    }
> >
> >       for (i=0; i<d->arch.vgic.nr_spis; i++)
> >       {
> >
>
Julien Grall Sept. 9, 2014, 6:51 p.m. UTC | #3
On 9 September 2014 04:13, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> Sorry, this one wasn't in my queue folder for some reason. Acked +
> applied.

Thanks! The double free is also present on Xen 4.4. Can you put it on
your backport list?

Regards,

Ian Campbell Sept. 10, 2014, 9:27 a.m. UTC | #4
On Tue, 2014-09-09 at 11:51 -0700, Julien Grall wrote:
> On 9 September 2014 04:13, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> > Sorry, this one wasn't in my queue folder for some reason. Acked +
> > applied.
> 
> Thanks! The double free is also present on Xen 4.4. Can you put it on
> your backport list?

It's already there, I should have said.

Ian.
Julien Grall Sept. 10, 2014, 7:04 p.m. UTC | #5
On 10/09/14 02:27, Ian Campbell wrote:
> On Tue, 2014-09-09 at 11:51 -0700, Julien Grall wrote:
>> On 9 September 2014 04:13, Ian Campbell <Ian.Campbell@citrix.com> wrote:
>>> Sorry, this one wasn't in my queue folder for some reason. Acked +
>>> applied.
>>
>> Thanks! The double free is also present on Xen 4.4. Can you put it on
>> your backport list?
>
> It's already there, I should have said.

Thanks!

Patch

diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index aba613b..edbb71a 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -84,10 +84,7 @@  int domain_vgic_init(struct domain *d, unsigned int nr_spis)
     d->arch.vgic.pending_irqs =
         xzalloc_array(struct pending_irq, d->arch.vgic.nr_spis);
     if ( d->arch.vgic.pending_irqs == NULL )
-    {
-        xfree(d->arch.vgic.shared_irqs);
         return -ENOMEM;
-    }
 
     for (i=0; i<d->arch.vgic.nr_spis; i++)
     {
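Review bot: the early `return -ENOMEM;` now leaves d->arch.vgic.shared_irqs allocated, so correctness depends on two things not visible in this hunk: domain_vgic_free being reached on every failure path of the caller, and domain_vgic_free tolerating pending_irqs == NULL (xfree on a NULL pointer being a no-op). Both are stated only in the commit message; a one-line comment above the return, e.g. `/* shared_irqs is released by domain_vgic_free */`, would record the ownership rule in the code so the xfree is not reintroduced by a later cleanup.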