Xen project Mailing List

Re: [PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure

From: Luca Fancellu <Luca.Fancellu@xxxxxxx>

Date: Wed, 15 Apr 2026 14:37:32 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 4.158.2.129) smtp.rcpttodomain=amd.com smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none

Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LIjIk0BIWkQiU0lB0x4GGC4TSeNBWSaXMuHu4P0Zo6o=; b=VskQSJNCF+CgrKRSqKKw6M5o7EY3ZUyb441VI139nfKgK0jWQP3WXbJxRoUVTmhnMOCKqez5sWr+HKh8h/ENlryxR1kJ9Xybczdh9KK1x28f8wkOej9z7O1iX5BPsQ/0ieFF/7qReWCdO9iaIveforXTYZFfcC3vu9gyRxN/SPB50mK3Rd2xdYZupOwB1mA2j6bcYHi/XStwL5nifTNRSbdwtJega/WImPksIcruk3CMDfBwmNL1LgKy/BYQFZKfPFjAvxgREdGeWvZlmTNDgZVJNeSmI2jziuB51cdzG3yQx6fW1Wt/TReq37JNzTiaXuGJN1dTV7FUZ+1VxE/oqQ==

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LIjIk0BIWkQiU0lB0x4GGC4TSeNBWSaXMuHu4P0Zo6o=; b=cHm2BZb6vJgslavzgWAK8NZh+OOchvkjwKz09qy9fXFxEdQjeDq8vhLdq9hxDCP3kwpubltUFAwkVQCOn0mPaK+/d2ofhfwJh98yn1nvlYtauk+FUnTDJcD8cVg3Mi3+WdHBwvfeQiEHA5LblURpVBMs8XO3HH3lO98mzJBXI8dJUcpqSqyBTptEptOWaxnxpP/h3F2G1pyk10zPlHj4rLZ86luPt78fMbEs9uSvpPb6gEFdZkFfH/VtyH6yYgyd6AP6SkWzIvGVuAISg4JqEbdK5Cbe2ZWIyO7IRSbA6RWPjpiJ8WEDI37YAjqdFB34to/1C7qDxFl3r9uZC2frEQ==

Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=R8pYzF9LXXWUsEFJFvu5jgZDnvVj6gSuYKdPFxUa3kXLl7wKJvxQISIRkllzCBVR+oHXh/ARYhrbUGUThN1Z4r2AxSCrHTU7y9MdgKDlUlODg95oSwC+AyBDQfgXUXNP9NMcvJJrJC6Y9us14F058F4BtLaShAdjPhK0edywKLnBx6uUu//s7xyQQTbRL4J8DNXMPYmxIZ8+I17NfvOMIs60te4uxtCmvy9BuFtkymwAOR8XnYiULjfrIEN+cUKSoJviWitUM2xtqXrIEGdLkgjzeu+5YX5gzW4GGVmWwAZ7zskmpK2oiQherm47P/jzvioB9+sND1yWEszQ2kbnVw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=U28r+XVociOAtmMMOQhmyy8EirPqW2kLX97Ul32tf2/s3WEaK0HZvNmyEEcS7cDkMIObW/SjVqB2imtCfbwPAvb8REZ+csyfJ3KXehA7f7jFbHwyUhRRh8SaIoJSrueDgblkuEf566wiiaFiOASXcUVQxLS5wk+/ipTdSdKrZlA1ttZxsQEPnWkD/npVyCpToikx2NbmThrhBGRQz9WruTFM3TMkrVu97GXNeT6Yg3jfKEECK+WUNcG0WVh/KI3q7peCl5PIlynEw+ePnAXIE0K/ea9yIzwiwzkSDzVHXOPTxgWhyhVU6x7ij8KUKsxGgE+lLmf/uRjbgNs3dhwKrQ==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=arm.com header.i="@arm.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"; dkim=pass header.s=selector1 header.d=arm.com header.i="@arm.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"

Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>

Delivery-date: Wed, 15 Apr 2026 14:38:51 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Nodisclaimer: true

Thread-index: AQHczMxJvMmkK2xs/ECWEgYirLYt+bXgMQwA

Thread-topic: [PATCH 1/6] xen/dt-overlay: fix double-free of rangesets on attach failure

Hi Michal, > On 15 Apr 2026, at 12:36, Michal Orzel <michal.orzel@xxxxxxx> wrote: > > handle_attach_overlay_nodes() destroys the IRQ and IOMEM rangesets on > failure but leaves the pointers dangling in the tracker entry. A > subsequent handle_remove_overlay_nodes() for the same overlay will call > rangeset_consume_ranges() on freed memory followed by a second > rangeset_destroy(), resulting in use-after-free and double-free. > > NULL the pointers after rangeset_destroy() so that remove_nodes() and > handle_remove_overlay_nodes() skip the stale entries. > > Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device > attachment to domains") > Reported-by: Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx> > Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx> > --- Looks ok to me Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx> Cheers, Luca

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.