Fix crash when mapping a big memory and calling uc_close
wtdcode committed Apr 16, 2022
1 parent cf18982 commit 3d3deac
Showing 5 changed files with 353 additions and 8 deletions.
21 changes: 15 additions & 6 deletions qemu/exec.c
Expand Up @@ -42,7 +42,7 @@
#include "exec/ram_addr.h"

#include "qemu/range.h"

#include "qemu/rcu_queue.h"
#include "uc_priv.h"

typedef struct PhysPageEntry PhysPageEntry;
Expand Down Expand Up @@ -966,7 +966,7 @@ static ram_addr_t find_ram_offset(struct uc_struct *uc, ram_addr_t size)

assert(size != 0); /* it would hand out same offset multiple times */

if (QLIST_EMPTY(&uc->ram_list.blocks)) {
if (QLIST_EMPTY_RCU(&uc->ram_list.blocks)) {
return 0;
}

Expand Down Expand Up @@ -1043,6 +1043,8 @@ static void ram_block_add(struct uc_struct *uc, RAMBlock *new_block)
new_block->host = phys_mem_alloc(uc, new_block->max_length,
&new_block->mr->align);
if (!new_block->host) {
// mmap fails.
uc->invalid_error = UC_ERR_NOMEM;
// error_setg_errno(errp, errno,
// "cannot set up guest memory '%s'",
// memory_region_name(new_block->mr));
Expand All @@ -1062,11 +1064,11 @@ static void ram_block_add(struct uc_struct *uc, RAMBlock *new_block)
}
}
if (block) {
QLIST_INSERT_BEFORE(block, new_block, next);
QLIST_INSERT_BEFORE_RCU(block, new_block, next);
} else if (last_block) {
QLIST_INSERT_AFTER(last_block, new_block, next);
QLIST_INSERT_AFTER_RCU(last_block, new_block, next);
} else { /* list is empty */
QLIST_INSERT_HEAD(&uc->ram_list.blocks, new_block, next);
QLIST_INSERT_HEAD_RCU(&uc->ram_list.blocks, new_block, next);
}
uc->ram_list.mru_block = NULL;

Expand Down Expand Up @@ -1099,8 +1101,15 @@ RAMBlock *qemu_ram_alloc_from_ptr(struct uc_struct *uc, ram_addr_t size, void *h
if (host) {
new_block->flags |= RAM_PREALLOC;
}

uc->invalid_addr = UC_ERR_OK;
ram_block_add(mr->uc, new_block);

if (uc->invalid_error != UC_ERR_OK) {
g_free(new_block);
return NULL;
}

return new_block;
}

Expand Down Expand Up @@ -1130,7 +1139,7 @@ void qemu_ram_free(struct uc_struct *uc, RAMBlock *block)
// ram_block_notify_remove(block->host, block->max_length);
//}

QLIST_REMOVE(block, next);
QLIST_REMOVE_RCU(block, next);
uc->ram_list.mru_block = NULL;
/* Write list before version */
//smp_wmb();
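Review bot: In the qemu_ram_alloc_from_ptr hunk the reset before `ram_block_add(mr->uc, new_block);` writes `uc->invalid_addr = UC_ERR_OK;` while the check after it reads `uc->invalid_error`, so the error field is never cleared here and an address field is overwritten with an error code; the line should be `uc->invalid_error = UC_ERR_OK;`. Without that, a UC_ERR_NOMEM left over from an earlier failed mapping makes the next successful allocation free its block and return NULL, and uc->invalid_addr loses whatever fault address it held. The `if (!new_block->host)` path in ram_block_add now sets the flag, but the collapsed lines hide whether it still returns before the QLIST_INSERT_*_RCU calls; if it falls through, the caller's `g_free(new_block)` would free a node that is already linked into ram_list. Every caller of qemu_ram_alloc_from_ptr also has to handle the new NULL return, which this hunk does not show. qemu_ram_alloc_from_ptr begins outside the hunk.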
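--- a/qemu/include/qemu/atomic.h
+++ b/qemu/include/qemu/atomic.h
@@ -115,6 +115,19 @@
 atomic_set__nocheck(ptr, i); \
 } while(0)
 
+#define atomic_rcu_read(ptr) \
+({ \
+QEMU_BUILD_BUG_ON(sizeof(*ptr) > ATOMIC_REG_SIZE); \
+typeof_strip_qual(*ptr) _val; \
+atomic_rcu_read__nocheck(ptr, &_val); \
+_val; \
+})
+
+#define atomic_rcu_set(ptr, i) do { \
+QEMU_BUILD_BUG_ON(sizeof(*ptr) > ATOMIC_REG_SIZE); \
+__atomic_store_n(ptr, i, __ATOMIC_RELEASE); \
+} while(0)
+
 /* All the remaining operations are fully sequentially consistent */
 
 #define atomic_xchg__nocheck(ptr, i) ({ \
@@ -192,6 +205,46 @@
 #define atomic_read(ptr) atomic_read__nocheck(ptr)
 #define atomic_set(ptr, i) atomic_set__nocheck(ptr,i)
 
+/**
+* atomic_rcu_read - reads a RCU-protected pointer to a local variable
+* into a RCU read-side critical section. The pointer can later be safely
+* dereferenced within the critical section.
+*
+* This ensures that the pointer copy is invariant thorough the whole critical
+* section.
+*
+* Inserts memory barriers on architectures that require them (currently only
+* Alpha) and documents which pointers are protected by RCU.
+*
+* atomic_rcu_read also includes a compiler barrier to ensure that
+* value-speculative optimizations (e.g. VSS: Value Speculation
+* Scheduling) does not perform the data read before the pointer read
+* by speculating the value of the pointer.
+*
+* Should match atomic_rcu_set(), atomic_xchg(), atomic_cmpxchg().
+*/
+#define atomic_rcu_read(ptr) ({ \
+typeof(*ptr) _val = atomic_read(ptr); \
+smp_read_barrier_depends(); \
+_val; \
+})
+
+/**
+* atomic_rcu_set - assigns (publicizes) a pointer to a new data structure
+* meant to be read by RCU read-side critical sections.
+*
+* Documents which pointers will be dereferenced by RCU read-side critical
+* sections and adds the required memory barriers on architectures requiring
+* them. It also makes sure the compiler does not reorder code initializing the
+* data structure before its publication.
+*
+* Should match atomic_rcu_read().
+*/
+#define atomic_rcu_set(ptr, i) do { \
+smp_wmb(); \
+atomic_set(ptr, i); \
+} while (0)
+
 #define atomic_xchg__nocheck atomic_xchg
 
 /* Provide shorter names for GCC atomic builtins. */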
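Review bot: The first `atomic_rcu_read` expands to `atomic_rcu_read__nocheck(ptr, &_val)`, which this hunk does not add; unless the header already defines it in the same branch (in the QEMU original it is an `__atomic_load` followed by `smp_read_barrier_depends()`), the macro will not compile where it is used. The two definitions of each macro presumably sit in the `#if`/`#else` arms of the header, but that split is outside the hunk, so confirm both are fenced or the second is a redefinition. The release store in the first `atomic_rcu_set` deserves a one-line comment such as `/* release: the stores that initialise *i must be visible before the pointer that publishes it */`, since that ordering is presumably why the exec.c list operations moved to the _RCU variants; it only orders publication and does nothing to delay reuse of an unlinked node, so whoever calls QLIST_REMOVE_RCU still has to guarantee no reader holds the node before it is freed. Also "invariant thorough the whole critical section" in the doc comment should read "throughout".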
