From patchwork Mon Feb  1 17:56:59 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Cooper <andrew.cooper3@citrix.com>
X-Patchwork-Id: 8182371
Return-Path: <xen-devel-bounces@lists.xen.org>
X-Original-To: patchwork-xen-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id A26B59F38B
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Mon,  1 Feb 2016 18:00:24 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id D12772034E
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Mon,  1 Feb 2016 18:00:23 +0000 (UTC)
Received: from lists.xen.org (lists.xenproject.org [50.57.142.19])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id E6CD420340
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Mon,  1 Feb 2016 18:00:22 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1aQIit-0007VS-Ay; Mon, 01 Feb 2016 17:57:11 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=832ee56b7=Andrew.Cooper3@citrix.com>)
	id 1aQIir-0007VN-LI
	for xen-devel@lists.xen.org; Mon, 01 Feb 2016 17:57:09 +0000
Received: from [85.158.139.211] by server-7.bemta-5.messagelabs.com id
	16/22-29293-47C9FA65; Mon, 01 Feb 2016 17:57:08 +0000
X-Env-Sender: prvs=832ee56b7=Andrew.Cooper3@citrix.com
X-Msg-Ref: server-2.tower-206.messagelabs.com!1454349427!19587799!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor:
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 7.35.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 30348 invoked from network); 1 Feb 2016 17:57:08 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-2.tower-206.messagelabs.com with RC4-SHA encrypted SMTP;
	1 Feb 2016 17:57:08 -0000
X-IronPort-AV: E=Sophos;i="5.22,381,1449532800"; d="scan'208";a="335334975"
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xen.org>
Date: Mon, 1 Feb 2016 17:56:59 +0000
Message-ID: <1454349419-18430-1-git-send-email-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.1.4
MIME-Version: 1.0
X-DLP: MIA2
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	Jan Beulich <JBeulich@suse.com>, Corneliu ZUZU <czuzu@bitdefender.com>
Subject: [Xen-devel] [PATCH] x86/hvm: Fix use-after-free introduced by c/s
	428607a
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

c/s 428607a "x86: shrink 'struct domain', was already PAGE_SIZE" introduced a
use-after-free error during domain destruction, because of the order in which
timers are torn down.

  (XEN) Xen call trace:
  (XEN)    [<ffff82d08013344e>] spinlock.c#check_lock+0x1e/0x40
  (XEN)    [<ffff82d08013349b>] _spin_lock+0x11/0x52
  (XEN)    [<ffff82d0801e8076>] vpt.c#pt_lock+0x24/0x40
  (XEN)    [<ffff82d0801e88f4>] destroy_periodic_time+0x18/0x81
  (XEN)    [<ffff82d0801e1089>] rtc_deinit+0x53/0x78
  (XEN)    [<ffff82d0801d1e5a>] hvm_domain_destroy+0x52/0x69
  (XEN)    [<ffff82d08016a758>] arch_domain_destroy+0x1a/0x98
  (XEN)    [<ffff82d080107cd5>] domain.c#complete_domain_destroy+0x6f/0x182
  (XEN)    [<ffff82d080126a19>] rcupdate.c#rcu_process_callbacks+0x144/0x1a6
  (XEN)    [<ffff82d080132c52>] softirq.c#__do_softirq+0x82/0x8d
  (XEN)    [<ffff82d080132caa>] do_softirq+0x13/0x15
  (XEN)    [<ffff82d080248ae1>] entry.o#process_softirqs+0x21/0x30
  (XEN)
  (XEN)
  (XEN) ****************************************
  (XEN) Panic on CPU 3:
  (XEN) GENERAL PROTECTION FAULT
  (XEN) [error_code=0000]
  (XEN) ****************************************

Defer the freeing of d->arch.hvm_domain.pl_time until all timers have been
destroyed.

For safety, NULL out the pointers after freeing them, in an attempt to make
mistakes more obvious in the future.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Corneliu ZUZU <czuzu@bitdefender.com>
---
 xen/arch/x86/hvm/hvm.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index f24400d..38c65b3 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -1674,8 +1674,10 @@ void hvm_domain_relinquish_resources(struct domain *d)
 void hvm_domain_destroy(struct domain *d)
 {
     xfree(d->arch.hvm_domain.io_handler);
+    d->arch.hvm_domain.io_handler = NULL;
+
     xfree(d->arch.hvm_domain.params);
-    xfree(d->arch.hvm_domain.pl_time);
+    d->arch.hvm_domain.params = NULL;
 
     hvm_destroy_cacheattr_region_list(d);
 
@@ -1686,6 +1688,9 @@ void hvm_domain_destroy(struct domain *d)
     rtc_deinit(d);
     stdvga_deinit(d);
     vioapic_deinit(d);
+
+    xfree(d->arch.hvm_domain.pl_time);
+    d->arch.hvm_domain.pl_time = NULL;
 }
 
 static int hvm_save_tsc_adjust(struct domain *d, hvm_domain_context_t *h)