3568e11940
It's possible for address_space_get_flatview() as it currently stands
to cause a use-after-free for the returned FlatView, if the reference
count is incremented after the FlatView has been replaced by a writer:
thread 1 thread 2 RCU thread
-------------------------------------------------------------
rcu_read_lock
read as->current_map
set as->current_map
flatview_unref
'--> call_rcu
flatview_ref
[ref=1]
rcu_read_unlock
flatview_destroy
<badness>
Since FlatViews are not updated very often, we can just detect the
situation using a new atomic op atomic_fetch_inc_nonzero, similar to
Linux's atomic_inc_not_zero, which performs the refcount increment only if
it hasn't already hit zero. This is similar to Linux commit de09a9771a53
("CRED: Fix get_task_cred() and task_state() to not resurrect dead
credentials", 2010-07-29).
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| config | ||
| devel | ||
| interop | ||
| specs | ||
| spin | ||
| COLO-FT.txt | ||
| block-replication.txt | ||
| bootindex.txt | ||
| ccid.txt | ||
| colo-proxy.txt | ||
| generic-loader.txt | ||
| igd-assign.txt | ||
| image-fuzzer.txt | ||
| memory-hotplug.txt | ||
| multi-thread-compression.txt | ||
| multiseat.txt | ||
| nvdimm.txt | ||
| pci_expander_bridge.txt | ||
| pcie.txt | ||
| qcow2-cache.txt | ||
| qdev-device-use.txt | ||
| qemu_logo.pdf | ||
| qemupciserial.inf | ||
| rdma.txt | ||
| replay.txt | ||
| spice-port-fqdn.txt | ||
| throttle.txt | ||
| usb-storage.txt | ||
| usb2.txt | ||
| virtio-balloon-stats.txt | ||
| xbzrle.txt | ||
| xen-save-devices-state.txt | ||