3568e11940
It's possible for address_space_get_flatview() as it currently stands
to cause a use-after-free for the returned FlatView, if the reference
count is incremented after the FlatView has been replaced by a writer:
thread 1 thread 2 RCU thread
-------------------------------------------------------------
rcu_read_lock
read as->current_map
set as->current_map
flatview_unref
'--> call_rcu
flatview_ref
[ref=1]
rcu_read_unlock
flatview_destroy
<badness>
Since FlatViews are not updated very often, we can just detect the
situation using a new atomic op atomic_fetch_inc_nonzero, similar to
Linux's atomic_inc_not_zero, which performs the refcount increment only if
it hasn't already hit zero. This is similar to Linux commit de09a9771a53
("CRED: Fix get_task_cred() and task_state() to not resurrect dead
credentials", 2010-07-29).
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| atomics.txt | ||
| blkdebug.txt | ||
| blkverify.txt | ||
| build-system.txt | ||
| lockcnt.txt | ||
| memory.txt | ||
| migration.txt | ||
| multi-thread-tcg.txt | ||
| multiple-iothreads.txt | ||
| qapi-code-gen.txt | ||
| rcu.txt | ||
| tracing.txt | ||
| virtio-migration.txt | ||
| writing-qmp-commands.txt | ||