From mboxrd@z Thu Jan 1 00:00:00 1970 From: Nathan Studer Subject: [PATCH 2/2] Fix NULL pointer dereference in ARINC653 free_vdata. Date: Thu, 31 Oct 2013 16:47:53 -0400 Message-ID: <1383252473-3067-3-git-send-email-nate.studer@dornerworks.com> References: <1383252473-3067-1-git-send-email-nate.studer@dornerworks.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1383252473-3067-1-git-send-email-nate.studer@dornerworks.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org Cc: george.dunlap@eu.citrix.com, smartin@milliways.cl, Nathan Studer , robert.vanvossen@dornerworks.com List-Id: xen-devel@lists.xenproject.org From: Nathan Studer The ARINC653 scheduler alloc_vdata function does not add the idle cpu to its internal vcpu_list, but when the free_vdata function is called, the scheduler attempted to remove the vcpu from its internal vcpu_list, regardless of whether or not the vcpu was the idle vcpu. Since the idle vcpu's list field was never initialized, a NULL pointer was passed to list_del. When using cpupools, this resulted in a crash when moving a cpu from an arinc653 scheduler pool. Signed-off-by: Nathan Studer --- xen/common/sched_arinc653.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/xen/common/sched_arinc653.c b/xen/common/sched_arinc653.c index a1d9443..8a5bd9c 100644 --- a/xen/common/sched_arinc653.c +++ b/xen/common/sched_arinc653.c @@ -418,7 +418,9 @@ a653sched_free_vdata(const struct scheduler *ops, void *priv) if (av == NULL) return; - list_del(&av->list); + if ( !is_idle_vcpu(av->vc) ) + list_del(&av->list); + xfree(av); update_schedule_vcpus(ops); } -- 1.7.9.5
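Review bot: the new `if ( !is_idle_vcpu(av->vc) )` guard in front of `list_del(&av->list);` carries no comment saying why the idle vcpu is skipped, and it is only correct as long as alloc_vdata never links the idle vcpu into vcpu_list, which is what the commit message describes. Suggest a one-line comment above the condition stating that dependency. If alloc_vdata later starts adding the idle vcpu, this path would `xfree(av)` while the entry is still on the list. Separately, `update_schedule_vcpus(ops);` still runs on the idle-vcpu path, where the list has not changed. Please confirm that this is intended, or move the call into the guarded branch.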