Skip to content

xtensa: ptables: fix dangling memory domains#106923

Merged
nashif merged 1 commit intozephyrproject-rtos:mainfrom
lyakh:deinit
Apr 15, 2026
Merged

xtensa: ptables: fix dangling memory domains#106923
nashif merged 1 commit intozephyrproject-rtos:mainfrom
lyakh:deinit

Conversation

@lyakh
Copy link
Copy Markdown
Contributor

@lyakh lyakh commented Apr 7, 2026

When a memory domain is freed on Xtensa, it also has to be removed from the global domain list. Leaving it on the list can cause use-after-free exceptions.

@lyakh lyakh requested review from Copilot and dcpleung April 7, 2026 14:24
@lyakh lyakh added the bug The issue is a bug, or the PR is fixing a bug label Apr 7, 2026
@zephyrbot zephyrbot added the area: Xtensa Xtensa Architecture label Apr 7, 2026
@zephyrbot zephyrbot requested review from andyross, ceolin and nashif April 7, 2026 14:25
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes an Xtensa memory-domain lifecycle issue where deinitialized domains could remain in the global Xtensa domain list, leading to potential use-after-free when the list is traversed later.

Changes:

  • Remove the deinitialized domain’s list node from xtensa_domain_list during arch_mem_domain_deinit().

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread arch/xtensa/core/ptables.c Outdated
Comment thread arch/xtensa/core/ptables.c Outdated
Comment on lines 1382 to 1384
sys_slist_find_and_remove(&xtensa_domain_list, &domain->arch.node);

k_spin_unlock(&xtensa_mmu_lock, key);
Copy link

Copilot AI Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential lock-order inversion: k_mem_domain_deinit() holds z_mem_domain_lock while calling arch_mem_domain_deinit(), which takes xtensa_mmu_lock; meanwhile arch_mem_map()/arch_mem_unmap() take xtensa_mmu_lock and then z_mem_domain_lock while iterating xtensa_domain_list. This can deadlock on SMP. Consider removing the inner z_mem_domain_lock usage in __arch_mem_map/__arch_mem_unmap (xtensa_mmu_lock already serializes xtensa_domain_list), or otherwise standardize acquisition order to z_mem_domain_lock -> xtensa_mmu_lock across all paths.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Contributor Author

@lyakh lyakh Apr 7, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a problem indeed, but it was there before this commit too. Let me open a bug. #106925

@lyakh
xtensa: ptables: fix dangling memory domains
56a8e75 
When a memory domain is freed on Xtensa, it also has to be removed
from the global domain list. Leaving it on the list can cause
use-after-free exceptions.

Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 7, 2026
edited
Loading

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@lyakh lyakh mentioned this pull request Apr 7, 2026
Open
1 task
@lyakh
Copy link
Copy Markdown
Contributor Author

lyakh commented Apr 8, 2026
edited
Loading

@nashif @dcpleung do I understand it correctly that the SonarCloud failure https://github.com/zephyrproject-rtos/zephyr/pull/106923/checks?check_run_id=70263251619 is a false positive, since it only complains about lines in the file that this PR isn't touching?

@dcpleung
Copy link
Copy Markdown
Member

dcpleung commented Apr 8, 2026

I would say so.

@nashif nashif added this to the v4.4.0 milestone Apr 10, 2026
@MaureenHelm MaureenHelm modified the milestones: v4.4.0, v4.4.1 Apr 13, 2026
@MaureenHelm MaureenHelm added the backport v4.4-branch Request backport to the v4.4-branch label Apr 13, 2026
@MaureenHelm MaureenHelm modified the milestones: v4.4.1, v4.5.0 Apr 13, 2026
@nashif nashif merged commit 33d43d0 into zephyrproject-rtos:main Apr 15, 2026
34 checks passed
@lyakh lyakh deleted the deinit branch April 17, 2026 06:40
@lyakh lyakh mentioned this pull request Apr 30, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ceolin ceolin ceolin approved these changes

@sylvioalves sylvioalves sylvioalves approved these changes

@dcpleung dcpleung dcpleung approved these changes

@andyross andyross Awaiting requested review from andyross

@nashif nashif Awaiting requested review from nashif

Assignees

@dcpleung dcpleung

Labels

area: Xtensa Xtensa Architecture backport v4.4-branch Request backport to the v4.4-branch bug The issue is a bug, or the PR is fixing a bug

Projects

None yet

Milestone

v4.5.0

Development

Successfully merging this pull request may close these issues.

8 participants

@lyakh @dcpleung @ceolin @sylvioalves @nashif @MaureenHelm @zephyrbot