ia64/xen-unstable

changeset 19396:4b2d8b1c395a

x86, hvm: Fix double-free of vpmu->context

When `opcontrol --shutdown' is called after xenoprof is used on Dom0,
the vpmu owner becomes PMU_OWNER_NONE. So it is possible to acquire
the owner as PMU_OWNER_HVM and to allocate vpmu->context twice. As a
result, the hypervisor panics because of double-alloc/free of
vpmu->context.

Signed-off-by: Kazuhiro Suzuki <kaz@jp.fujitsu.com>
author Keir Fraser <keir.fraser@citrix.com>
date Thu Mar 19 10:05:01 2009 +0000 (2009-03-19)
parents f0d033f0a319
children 1b27263038b5
files xen/arch/x86/hvm/vmx/vpmu_core2.c xen/arch/x86/oprofile/op_model_ppro.c
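--- a/xen/arch/x86/hvm/vmx/vpmu_core2.c
+++ b/xen/arch/x86/hvm/vmx/vpmu_core2.c
@@ -296,7 +296,8 @@ static int core2_vpmu_msr_common_check(u
         return 0;
 
     if ( unlikely(!(vpmu->flags & VPMU_CONTEXT_ALLOCATED)) &&
-         !core2_vpmu_alloc_resource(current) )
+	 (vpmu->context != NULL ||
+	  !core2_vpmu_alloc_resource(current)) )
         return 0;
     vpmu->flags |= VPMU_CONTEXT_ALLOCATED;
 
@@ -488,6 +489,7 @@ static void core2_vpmu_destroy(struct vc
     if ( cpu_has_vmx_msr_bitmap )
         core2_vpmu_unset_msr_bitmap(v->arch.hvm_vmx.msr_bitmap);
     release_pmu_ownship(PMU_OWNER_HVM);
+    vpmu->flags &= ~VPMU_CONTEXT_ALLOCATED;
 }
 
 struct arch_vpmu_ops core2_vpmu_ops = {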
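Review bot: The new guard in core2_vpmu_msr_common_check keys on `vpmu->context != NULL`, but core2_vpmu_destroy only clears VPMU_CONTEXT_ALLOCATED; the code that frees the context sits outside the second hunk, and unless it also resets the pointer, a freed-but-non-NULL context would make the check return 0 for every later MSR access on that vcpu instead of re-allocating, so `vpmu->context = NULL;` belongs next to the free (or next to the new flags line). A short comment on the check, e.g. `/* context may outlive the flag (ownership released by xenoprof); never allocate it twice */`, would record why the pointer is tested before the allocation. The two added lines in the first hunk are indented with a tab plus spaces while the surrounding code uses four-space indentation; aligning them under the previous line as `         (vpmu->context != NULL ||` keeps the file consistent. Both functions start outside their hunks.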
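--- a/xen/arch/x86/oprofile/op_model_ppro.c
+++ b/xen/arch/x86/oprofile/op_model_ppro.c
@@ -219,6 +219,8 @@ static void ppro_free_msr(struct vcpu *v
 {
 	struct vpmu_struct *vpmu = vcpu_vpmu(v);
 
+	if ( !(vpmu->flags & PASSIVE_DOMAIN_ALLOCATED) )
+		return;
 	xfree(vpmu->context);
 	vpmu->flags &= ~PASSIVE_DOMAIN_ALLOCATED;
 }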
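Review bot: `xfree(vpmu->context)` in ppro_free_msr still leaves vpmu->context pointing at freed memory, so the new early return on PASSIVE_DOMAIN_ALLOCATED is the only thing between a repeated call and a double free; adding `vpmu->context = NULL;` right after the xfree keeps the flag and the pointer in agreement, which matters because the companion change in vpmu_core2.c now tests the pointer directly. A one-line comment on the added check, `/* nothing was allocated for this passive domain, so nothing to free */`, would make the intent of the early return explicit. The function's signature is outside the hunk and appears only in the hunk header.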