
Re: ASan reports use-after-free when running munmap-pthread


From: Richard Henderson
Subject: Re: ASan reports use-after-free when running munmap-pthread
Date: Fri, 3 Feb 2023 08:08:12 -1000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2

On 2/3/23 07:34, Richard Henderson wrote:
On 2/3/23 01:23, Alex Bennée wrote:

Anton Johansson <anjo@rev.ng> writes:

Hi,

I was running check-tcg with ASan enabled on master, and ran into
the following use-after-free. There appears to be a race between
jump cache invalidation and thread destruction (?)

I thought I'd post here since I noticed some previous discussion on the
topic, and I'm not sure myself what a proper fix would look like.

Something like:

modified   accel/tcg/tb-maint.c
@@ -858,9 +858,7 @@ static void tb_jmp_cache_inval_tb(TranslationBlock *tb)
          CPU_FOREACH(cpu) {
              CPUJumpCache *jc = cpu->tb_jmp_cache;
-            if (qatomic_read(&jc->array[h].tb) == tb) {
-                qatomic_set(&jc->array[h].tb, NULL);
-            }
+            qatomic_cmpxchg(&jc->array[h].tb, tb, NULL);
          }
      }
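Review bot: the compare-and-swap only makes the per-slot clear atomic; it does not address the lifetime of `jc`, which this loop still loads from `cpu->tb_jmp_cache` and dereferences with nothing in the hunk guaranteeing that the CPUJumpCache outlives the `CPU_FOREACH` walk while another thread tears down its CPU, so the reported use-after-free on `jc` itself remains. The replacement is still a reasonable tightening, since the old `qatomic_read` followed by a separate `qatomic_set` could overwrite a value stored by a concurrent writer between the two, but the real fix belongs in how `cpu->tb_jmp_cache` is freed (deferred reclamation covering walkers of this loop), so the commit message should not present this line as fixing the race.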

No, this doesn't affect the use-after-free of jc itself.
I think CPUJumpCache needs to be freed with RCU.

Bah, we already do that.


r~


