On 2/3/23 01:23, Alex Bennée wrote:
Anton Johansson <a...@rev.ng> writes:
Hi,
I was running check-tcg with ASan enabled on master, and ran into
the following use-after-free. There appears to be a race between
jump cache invalidation and thread destruction (?)
I thought I'd post here since I noticed some previous discussion on the
topic, and I'm not sure myself what a proper fix would look like.
Something like:
modified accel/tcg/tb-maint.c
@@ -858,9 +858,7 @@ static void tb_jmp_cache_inval_tb(TranslationBlock *tb)
CPU_FOREACH(cpu) {
CPUJumpCache *jc = cpu->tb_jmp_cache;
- if (qatomic_read(&jc->array[h].tb) == tb) {
- qatomic_set(&jc->array[h].tb, NULL);
- }
+ qatomic_cmpxchg(&jc->array[h].tb, tb, NULL);
}
}
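Review bot: the cmpxchg only narrows the window between the old qatomic_read and qatomic_set, where a concurrently installed TB in array[h] could be clobbered by the unconditional set; it does nothing for the use-after-free described in the report, because the loop still dereferences cpu->tb_jmp_cache and jc->array[h] with nothing keeping jc alive across CPU_FOREACH, so a CPU being torn down concurrently can free jc underneath this walk. The lifetime fix sits outside this hunk: defer reclamation of CPUJumpCache (an RCU-style deferred free) and run this walk inside an RCU read-side critical section, and say in the commit message which of the two races the change addresses, since the reported one is the jc lifetime.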
No, this doesn't affect the use-after-free of jc itself.
I think CPUJumpCache needs to be freed with RCU.
r~