[PATCH] Fix double-free of vpmu->context

[PATCH] Fix double-free of vpmu->context

[SUZUKI, Kazuhiro]

[-- Attachment #1: Type: Text/Plain, Size: 377 bytes --]

Hi,

When `opcontrol --shutdown' is called after xenoprof is used on Dom0,
the vpmu owner becomes PMU_OWNER_NONE. So it is possible to acquire
the owner as PMU_OWNER_HVM and to allocate vpmu->context twice. As a
result, the hypervisor panics because of double-alloc/free of
vpmu->context.

This patch fixes it.

Thanks,
KAZ

Signed-off-by: Kazuhiro Suzuki <kaz@jp.fujitsu.com>

[-- Attachment #2: fix_double_free_vpmu.patch --]
[-- Type: Text/X-Patch, Size: 1149 bytes --]

diff -r 2039e8271051 xen/arch/x86/hvm/vmx/vpmu_core2.c
--- a/xen/arch/x86/hvm/vmx/vpmu_core2.c	Wed Mar 18 17:30:13 2009 +0000
+++ b/xen/arch/x86/hvm/vmx/vpmu_core2.c	Thu Mar 19 12:40:01 2009 +0900
@@ -296,7 +296,8 @@
         return 0;
 
     if ( unlikely(!(vpmu->flags & VPMU_CONTEXT_ALLOCATED)) &&
-         !core2_vpmu_alloc_resource(current) )
+	 (vpmu->context != NULL ||
+	  !core2_vpmu_alloc_resource(current)) )
         return 0;
     vpmu->flags |= VPMU_CONTEXT_ALLOCATED;
 
@@ -488,6 +489,7 @@
     if ( cpu_has_vmx_msr_bitmap )
         core2_vpmu_unset_msr_bitmap(v->arch.hvm_vmx.msr_bitmap);
     release_pmu_ownship(PMU_OWNER_HVM);
+    vpmu->flags &= ~VPMU_CONTEXT_ALLOCATED;
 }
 
 struct arch_vpmu_ops core2_vpmu_ops = {
diff -r 2039e8271051 xen/arch/x86/oprofile/op_model_ppro.c
--- a/xen/arch/x86/oprofile/op_model_ppro.c	Wed Mar 18 17:30:13 2009 +0000
+++ b/xen/arch/x86/oprofile/op_model_ppro.c	Thu Mar 19 12:40:01 2009 +0900
@@ -219,6 +219,8 @@
 {
 	struct vpmu_struct *vpmu = vcpu_vpmu(v);
 
+	if ( !(vpmu->flags & PASSIVE_DOMAIN_ALLOCATED) )
+		return;
 	xfree(vpmu->context);
 	vpmu->flags &= ~PASSIVE_DOMAIN_ALLOCATED;
 }

[-- Attachment #3: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel