vhost: Build temporary section list and deref after commit

Igor spotted that there's a race, where a region that's unref'd in a _del callback might be free'd before the set_mem_table call in the _commit callback, and thus the vhost might end up using free memory. Fix this by building a complete temporary sections list, ref'ing every section (during add and nop) and then unref'ing the whole list right at the end of commit. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
author: Dr. David Alan Gilbert <dgilbert@redhat.com> 2018-01-19 10:39:18 +0000
committer: Michael S. Tsirkin <mst@redhat.com> 2018-02-08 21:06:40 +0200
commit: c44317efecb240b9b0951ad46ba56eb547114f1d (patch)
tree: 1e4996af2bc8700df5e3bc5d245caceec09ae892 /include/hw/virtio/vhost.h
parent: 710fccf80d787911120145f508f9c4c664cf0e03 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/include/hw/virtio/vhost.h b/include/hw/virtio/vhost.h
index 1dc2d73d76..09854b611b 100644
--- a/include/hw/virtio/vhost.h
+++ b/include/hw/virtio/vhost.h
@@ -60,6 +60,8 @@ struct vhost_dev {
     struct vhost_memory *mem;
     int n_mem_sections;
     MemoryRegionSection *mem_sections;
+    int n_tmp_sections;
+    MemoryRegionSection *tmp_sections;
     struct vhost_virtqueue *vqs;
     int nvqs;
     /* the first virtqueue which would be used by this vhost dev */
author	Dr. David Alan Gilbert <dgilbert@redhat.com>	2018-01-19 10:39:18 +0000
committer	Michael S. Tsirkin <mst@redhat.com>	2018-02-08 21:06:40 +0200
commit	c44317efecb240b9b0951ad46ba56eb547114f1d (patch)
tree	1e4996af2bc8700df5e3bc5d245caceec09ae892 /include/hw/virtio/vhost.h
parent	710fccf80d787911120145f508f9c4c664cf0e03 (diff)