[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 05/32] memory: avoid "resurrection" of dead FlatViews
From: |
Paolo Bonzini |
Subject: |
[Qemu-devel] [PULL 05/32] memory: avoid "resurrection" of dead FlatViews |
Date: |
Fri, 22 Sep 2017 01:16:13 +0200 |
It's possible for address_space_get_flatview() as it currently stands
to cause a use-after-free for the returned FlatView, if the reference
count is incremented after the FlatView has been replaced by a writer:
thread 1 thread 2 RCU thread
-------------------------------------------------------------
rcu_read_lock
read as->current_map
set as->current_map
flatview_unref
'--> call_rcu
flatview_ref
[ref=1]
rcu_read_unlock
flatview_destroy
<badness>
Since FlatViews are not updated very often, we can just detect the
situation using a new atomic op atomic_fetch_inc_nonzero, similar to
Linux's atomic_inc_not_zero, which performs the refcount increment only if
it hasn't already hit zero. This is similar to Linux commit de09a9771a53
("CRED: Fix get_task_cred() and task_state() to not resurrect dead
credentials", 2010-07-29).
Signed-off-by: Paolo Bonzini <address@hidden>
---
docs/devel/atomics.txt | 1 +
include/qemu/atomic.h | 8 ++++++++
memory.c | 12 ++++++++----
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/docs/devel/atomics.txt b/docs/devel/atomics.txt
index 048e5f2..10c5fa3 100644
--- a/docs/devel/atomics.txt
+++ b/docs/devel/atomics.txt
@@ -64,6 +64,7 @@ operations:
typeof(*ptr) atomic_fetch_and(ptr, val)
typeof(*ptr) atomic_fetch_or(ptr, val)
typeof(*ptr) atomic_fetch_xor(ptr, val)
+ typeof(*ptr) atomic_fetch_inc_nonzero(ptr)
typeof(*ptr) atomic_xchg(ptr, val)
typeof(*ptr) atomic_cmpxchg(ptr, old, new)
diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
index b6b62fb..d73c9e1 100644
--- a/include/qemu/atomic.h
+++ b/include/qemu/atomic.h
@@ -442,4 +442,12 @@
} while(0)
#endif
+#define atomic_fetch_inc_nonzero(ptr) ({ \
+ typeof_strip_qual(*ptr) _oldn = atomic_read(ptr); \
+ while (_oldn && atomic_cmpxchg(ptr, _oldn, _oldn + 1) != _oldn) { \
+ _oldn = atomic_read(ptr); \
+ } \
+ _oldn; \
+})
+
#endif /* QEMU_ATOMIC_H */
diff --git a/memory.c b/memory.c
index 2b90117..51f54ab 100644
--- a/memory.c
+++ b/memory.c
@@ -294,9 +294,9 @@ static void flatview_destroy(FlatView *view)
g_free(view);
}
-static void flatview_ref(FlatView *view)
+static bool flatview_ref(FlatView *view)
{
- atomic_inc(&view->ref);
+ return atomic_fetch_inc_nonzero(&view->ref) > 0;
}
static void flatview_unref(FlatView *view)
@@ -773,8 +773,12 @@ static FlatView *address_space_get_flatview(AddressSpace
*as)
FlatView *view;
rcu_read_lock();
- view = atomic_rcu_read(&as->current_map);
- flatview_ref(view);
+ do {
+ view = atomic_rcu_read(&as->current_map);
+ /* If somebody has replaced as->current_map concurrently,
+ * flatview_ref returns false.
+ */
+ } while (!flatview_ref(view));
rcu_read_unlock();
return view;
}
--
1.8.3.1
- [Qemu-devel] [PULL 00/32] Misc changes for 2017-09-22, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 04/32] atomic: update documentation, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 06/32] exec: Explicitly export target AS from address_space_translate_internal, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 08/32] memory: Move FlatView allocation to a helper, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 07/32] memory: Open code FlatView rendering, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 01/32] virtio-serial: add enable_backend callback, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 02/32] kvm: drop wrong assertion creating problems with pflash, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 03/32] memory: avoid a name clash with access macro, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 05/32] memory: avoid "resurrection" of dead FlatViews,
Paolo Bonzini <=
- [Qemu-devel] [PULL 10/32] memory: Remove AddressSpace pointer from AddressSpaceDispatch, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 09/32] memory: Move AddressSpaceDispatch from AddressSpace to FlatView, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 13/32] memory: Rename mem_begin/mem_commit/mem_add helpers, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 12/32] memory: Cleanup after switching to FlatView, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 14/32] memory: Store physical root MR in FlatView, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 15/32] memory: Alloc dispatch tree where topology is generared, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 11/32] memory: Switch memory from using AddressSpace to FlatView, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 16/32] memory: Move address_space_update_ioeventfds, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 17/32] memory: Share FlatView's and dispatch trees between address spaces, Paolo Bonzini, 2017/09/21
- [Qemu-devel] [PULL 18/32] memory: Do not allocate FlatView in address_space_init, Paolo Bonzini, 2017/09/21