 Home |
Products |
Support |
Community |
News |
xen-changelog
[Xen-changelog] [xen-unstable] [IA64] Fix ia64_sal_get_state_info() emul
| To: | xen-changelog@xxxxxxxxxxxxxxxxxxx |
|---|---|
| Subject: | [Xen-changelog] [xen-unstable] [IA64] Fix ia64_sal_get_state_info() emulation bug |
| From: | Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx> |
| Date: | Fri, 09 Nov 2007 04:20:24 -0800 |
| Delivery-date: | Fri, 09 Nov 2007 04:22:09 -0800 |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxx |
| List-help: | <mailto:xen-changelog-request@lists.xensource.com?subject=help> |
| List-id: | BK change log <xen-changelog.lists.xensource.com> |
| List-post: | <mailto:xen-changelog@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe> |
| Reply-to: | xen-devel@xxxxxxxxxxxxxxxxxxx |
| Sender: | xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx |
# HG changeset patch
# User Alex Williamson <alex.williamson@xxxxxx>
# Date 1193928603 21600
# Node ID 42e032f52371c2ba1bb048a6215381d7b5ba53ff
# Parent a07288a8478521002c2302ad18fac52eb6600055
[IA64] Fix ia64_sal_get_state_info() emulation bug
It is possible to double-free the sal queue entry when multiple
ia64_sal_get_state_info() from Dom0 are called simultaniously.
In the worst case, the kernel might panic.
Signed-off-by: Kazuhiro Suzuki <kaz@xxxxxxxxxxxxxx>
---
xen/arch/ia64/xen/fw_emul.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diff -r a07288a84785 -r 42e032f52371 xen/arch/ia64/xen/fw_emul.c
--- a/xen/arch/ia64/xen/fw_emul.c Tue Oct 30 15:34:44 2007 -0600
+++ b/xen/arch/ia64/xen/fw_emul.c Thu Nov 01 08:50:03 2007 -0600
@@ -242,6 +242,8 @@ sal_emulator (long index, unsigned long
}
e = list_entry(sal_queue[in1].next,
sal_queue_entry_t, list);
+
+ list_del(&e->list);
spin_unlock_irqrestore(&sal_queue_lock, flags);
IA64_SAL_DEBUG("SAL_GET_STATE_INFO(%s <= %s) "
@@ -277,10 +279,12 @@ sal_emulator (long index, unsigned long
r9 = arg.ret;
status = arg.status;
if (r9 == 0) {
+ xfree(e);
+ } else {
+ /* Re-add the entry to sal_queue */
spin_lock_irqsave(&sal_queue_lock, flags);
- list_del(&e->list);
+ list_add(&e->list, &sal_queue[in1]);
spin_unlock_irqrestore(&sal_queue_lock, flags);
- xfree(e);
}
} else {
status = IA64_SAL_NO_INFORMATION_AVAILABLE;
@@ -316,10 +320,10 @@ sal_emulator (long index, unsigned long
"on CPU#%d.\n",
rec_name[e->sal_info_type],
rec_name[in1], e->cpuid);
-
arg.type = e->sal_info_type;
arg.status = 0;
+
if (e->cpuid == smp_processor_id()) {
IA64_SAL_DEBUG("SAL_CLEAR_STATE_INFO: local\n");
clear_state_info_on(&arg);
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | [Xen-changelog] [xen-unstable] merge with xen-unstable.hg (staging), Xen patchbot-unstable |
|---|---|
| Next by Date: | [Xen-changelog] [xen-unstable] [IA64] Add support for 4 & 8 byte buffered io, Xen patchbot-unstable |
| Previous by Thread: | [Xen-changelog] [xen-unstable] merge with xen-unstable.hg (staging), Xen patchbot-unstable |
| Next by Thread: | [Xen-changelog] [xen-unstable] [IA64] Add support for 4 & 8 byte buffered io, Xen patchbot-unstable |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
