xen-ia64-devel

[Top] [All Lists]

[Xen-ia64-devel] [PATCH] Fix ia64_sal_get_state_info() emulation bug

from [SUZUKI Kazuhiro]

[Permanent Link][Original]

To:	xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
Subject:	[Xen-ia64-devel] [PATCH] Fix ia64_sal_get_state_info() emulation bug
From:	SUZUKI Kazuhiro <kaz@xxxxxxxxxxxxxx>
Date:	Wed, 31 Oct 2007 13:33:05 +0900 (JST)
Delivery-date:	Tue, 30 Oct 2007 21:33:36 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-ia64-devel-request@lists.xensource.com?subject=help>
List-id:	Discussion of the ia64 port of Xen <xen-ia64-devel.lists.xensource.com>
List-post:	<mailto:xen-ia64-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-ia64-devel>, <mailto:xen-ia64-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-ia64-devel>, <mailto:xen-ia64-devel-request@lists.xensource.com?subject=unsubscribe>
Sender:	xen-ia64-devel-bounces@xxxxxxxxxxxxxxxxxxx

Hi all,

It is possible to double-free the sal queue entry when the multiple
ia64_sal_get_state_info() from Dom0 are called simulteniously.
In the worst case, the kernel might do a panic.

The attached patch fixes it.

Thanks.
KAZ

Signed-off-by: Kazuhiro Suzuki <kaz@xxxxxxxxxxxxxx>

diff -r a07288a84785 xen/arch/ia64/xen/fw_emul.c
--- a/xen/arch/ia64/xen/fw_emul.c       Tue Oct 30 15:34:44 2007 -0600
+++ b/xen/arch/ia64/xen/fw_emul.c       Wed Oct 31 13:22:08 2007 +0900
@@ -242,6 +242,8 @@ sal_emulator (long index, unsigned long 
                        }
                        e = list_entry(sal_queue[in1].next,
                                       sal_queue_entry_t, list);
+
+                       list_del(&e->list);
                        spin_unlock_irqrestore(&sal_queue_lock, flags);
 
                        IA64_SAL_DEBUG("SAL_GET_STATE_INFO(%s <= %s) "
@@ -277,10 +279,12 @@ sal_emulator (long index, unsigned long 
                        r9 = arg.ret;
                        status = arg.status;
                        if (r9 == 0) {
+                               xfree(e);
+                       } else {
+                               /* Re-add the entry to sal_queue */
                                spin_lock_irqsave(&sal_queue_lock, flags);
-                               list_del(&e->list);
+                               list_add(&e->list, &sal_queue[in1]);
                                spin_unlock_irqrestore(&sal_queue_lock, flags);
-                               xfree(e);
                        }
                } else {
                        status = IA64_SAL_NO_INFORMATION_AVAILABLE;
@@ -316,10 +320,10 @@ sal_emulator (long index, unsigned long 
                                       "on CPU#%d.\n",
                                       rec_name[e->sal_info_type],
                                       rec_name[in1], e->cpuid);
-                       
 
                        arg.type = e->sal_info_type;
                        arg.status = 0;
+
                        if (e->cpuid == smp_processor_id()) {
                                IA64_SAL_DEBUG("SAL_CLEAR_STATE_INFO: local\n");
                                clear_state_info_on(&arg);

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-ia64-devel] [PATCH] Fix ia64_sal_get_state_info() emulation bug, SUZUKI Kazuhiro <=

Previous by Date:	[Xen-ia64-devel] Re: [patch 0/7] Kexec: EFI Mapping: Take III, Simon Horman
Next by Date:	[Xen-ia64-devel] [PATCH] update pal.h and pal.S to linux-2.6.21, Kouya Shimura
Previous by Thread:	[Xen-ia64-devel] [PATCH] make xen relocatable, Xu, Anthony
Next by Thread:	[Xen-ia64-devel] [PATCH] update pal.h and pal.S to linux-2.6.21, Kouya Shimura
Indexes:	[Date] [Thread] [Top] [All Lists]