git.proxmox.com Git - mirror

author	Paolo Bonzini <pbonzini@redhat.com>
	Thu, 21 Sep 2017 12:32:47 +0000 (14:32 +0200)
committer	Paolo Bonzini <pbonzini@redhat.com>
	Thu, 21 Sep 2017 21:19:37 +0000 (23:19 +0200)
commit	447b0d0b9ee8a0ac216c3186e0f3c427a1001f0c
tree	a12f837b91bfb553f70beef57e6170b0ba386aa3	tree
parent	db81b9953761cac71906728fb3dfefce661ab903	commit \| diff

memory: avoid "resurrection" of dead FlatViews

It's possible for address_space_get_flatview() as it currently stands
to cause a use-after-free for the returned FlatView, if the reference
count is incremented after the FlatView has been replaced by a writer:

   thread 1             thread 2             RCU thread
  -------------------------------------------------------------
   rcu_read_lock
   read as->current_map
                        set as->current_map
                        flatview_unref
                           '--> call_rcu
   flatview_ref
     [ref=1]
   rcu_read_unlock
                                             flatview_destroy
   <badness>

Since FlatViews are not updated very often, we can just detect the
situation using a new atomic op atomic_fetch_inc_nonzero, similar to
Linux's atomic_inc_not_zero, which performs the refcount increment only if
it hasn't already hit zero.  This is similar to Linux commit de09a9771a53
("CRED: Fix get_task_cred() and task_state() to not resurrect dead
credentials", 2010-07-29).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

docs/devel/atomics.txt		diff \| blob \| blame \| history
include/qemu/atomic.h		diff \| blob \| blame \| history
memory.c		diff \| blob \| blame \| history