[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure

  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Michal Orzel <michal.orzel@xxxxxxx>
  • Date: Wed, 15 Apr 2026 13:36:55 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HcZupUjCihrhH4fumGKyczgJktfm1ndcrphTiFO0/vw=; b=TN1btHVWbTXJ1+HDdQAds2PAafw5JW+MCYc/ACQpFx7Ga8W+3/QX3tBYzPTO8vPX5IZSrMOcMo2Y6y8RD49haW6ImrYj9VwKZP58qVNtCB9yfamHlNCEU4BdIN+AupzfEBl3Z+hbw6fbMkfoRSiMdKHRCPaM5JIVkWm0Rp8kyr8k422C9VsXqruJQ7ZD3B9qzphTsT0OLnStIr2XAyZwqYohYRxgyX0IxXXUbb+F++i1eqXYFphtRquBFUHPD/rHzTg0K/BJzdiYp4y0z/m5eJoNfGRpvtbZb1XvWhGqzzw9sOo1e0WzrlLzVZYiPcgx2nrMcs96h2JQkb66kREnqw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=kfYRO1QDCIAK590ECS1om9S1rrzkEjLTM8KKSsIzns9qKslHklP8Sb2QI0yJa2d99a5IHhIooB7OudHmRKyH5JOMa3j4SBNHpzERziuvb2Cdq4ayLT6akMXowpjhFZAs+/X9UD5BEq9+kz/8EyP+ZHCNz0sNyZo/3/XXyaZNRWWddZd7TwjGFNP3L5KdMNWTNq0hPs/kSox6K05RdVWGIHXjwW3OTFEUMcR+I0vzi6ozlhfcdo1CyqLksHknl4YGSDiIFJXahEqxe7Eiqfef8iIuRpduk2XnxbjtvznM6CzH7FgWVYqsYPacvfh5ekG2dEVqmJUoEfTQzPTQgdt5WQ==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=amd.com header.i="@amd.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
  • Cc: Michal Orzel <michal.orzel@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>
  • Delivery-date: Wed, 15 Apr 2026 11:37:31 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
handle_attach_overlay_nodes() destroys the IRQ and IOMEM rangesets on
failure but leaves the pointers dangling in the tracker entry. A
subsequent handle_remove_overlay_nodes() for the same overlay will call
rangeset_consume_ranges() on freed memory followed by a second
rangeset_destroy(), resulting in use-after-free and double-free.

NULL the pointers after rangeset_destroy() so that remove_nodes() and
handle_remove_overlay_nodes() skip the stale entries.

Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device attachment 
to domains")
Reported-by: Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>
Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
---
 xen/common/device-tree/dt-overlay.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xen/common/device-tree/dt-overlay.c 
b/xen/common/device-tree/dt-overlay.c
index d184186c015e..6fa07dbf42a5 100644
--- a/xen/common/device-tree/dt-overlay.c
+++ b/xen/common/device-tree/dt-overlay.c
@@ -910,7 +910,9 @@ static long handle_attach_overlay_nodes(struct domain *d,
     if ( entry )
     {
         rangeset_destroy(entry->irq_ranges);
+        entry->irq_ranges = NULL;
         rangeset_destroy(entry->iomem_ranges);
+        entry->iomem_ranges = NULL;
     }
 
     return rc;
-- 
2.43.0

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.