From: Paolo Bonzini
Date: Thu, 4 Jul 2013 17:13:15 +0200
Message-Id: <1372950842-32422-20-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1372950842-32422-1-git-send-email-pbonzini@redhat.com>
References: <1372950842-32422-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PATCH 19/66] memory: destroy phys_sections one by one
To: qemu-devel@nongnu.org

phys_sections_clear is invoked after the dispatch tree has been destroyed. This leaves a window where phys_sections_nb > 0 but the subpages are not valid anymore, which is a recipe for use-after-free bugs.

Move the destruction of subpages to phys_sections_clear. We will still destroy the subpages when an address space is cleaned up, because address_space_destroy will clear as->root and commit the change before it calls address_space_destroy_dispatch.
Signed-off-by: Paolo Bonzini --- exec.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/exec.c b/exec.c index 5094746..78be4f5 100644 --- a/exec.c +++ b/exec.c @@ -754,17 +754,6 @@ hwaddr memory_region_section_get_iotlb(CPUArchState *env, static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end, uint16_t section); static subpage_t *subpage_init(AddressSpace *as, hwaddr base); -static void destroy_page_desc(uint16_t section_index) -{ - MemoryRegionSection *section = &phys_sections[section_index]; - MemoryRegion *mr = section->mr; - - if (mr->subpage) { - subpage_t *subpage = container_of(mr, subpage_t, iomem); - memory_region_destroy(&subpage->iomem); - g_free(subpage); - } -} static void destroy_l2_mapping(PhysPageEntry *lp, unsigned level) { @@ -779,8 +768,6 @@ static void destroy_l2_mapping(PhysPageEntry *lp, unsigned level) for (i = 0; i < L2_SIZE; ++i) { if (!p[i].is_leaf) { destroy_l2_mapping(&p[i], level - 1); - } else { - destroy_page_desc(p[i].ptr); } } lp->is_leaf = 0; @@ -810,9 +797,21 @@ static uint16_t phys_section_add(MemoryRegionSection *section) return phys_sections_nb++; } +static void phys_section_destroy(MemoryRegion *mr) +{ + if (mr->subpage) { + subpage_t *subpage = container_of(mr, subpage_t, iomem); + memory_region_destroy(&subpage->iomem); + g_free(subpage); + } +} + static void phys_sections_clear(void) { - phys_sections_nb = 0; + while (phys_sections_nb > 0) { + MemoryRegionSection *section = &phys_sections[--phys_sections_nb]; + phys_section_destroy(section->mr); + } } static void register_subpage(AddressSpaceDispatch *d, MemoryRegionSection *section) -- 1.8.1.4
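Review bot: in the destroy_l2_mapping hunk, removing the `else { destroy_page_desc(p[i].ptr); }` branch means the tree walk no longer releases anything for leaf entries, so the fix is only complete when every teardown path that calls destroy_l2_mapping also reaches phys_sections_clear before the dispatch structure is reused or the section table is consulted again. A one-line comment at the remaining `if (!p[i].is_leaf)` saying that leaves are released by phys_sections_clear would record that ordering for the next person who touches this code; the commit message explains it for the address_space_destroy path, but the code itself does not.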
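Review bot: in the phys_sections_clear hunk, phys_section_destroy dereferences mr unconditionally and silently skips every non-subpage region, but nothing says why; a short comment that only subpage regions are allocated by this file (and so are the only ones it may memory_region_destroy and g_free) would stop a later change from freeing regions owned elsewhere. The loop shape `&phys_sections[--phys_sections_nb]` is the right one for the use-after-free window the message describes: the count is decremented before the entry is torn down, so phys_sections_nb never counts an entry whose subpage has already been freed.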