From eeb445c7184ff78b420814589d34e3cf71618380 Mon Sep 17 00:00:00 2001 From: caijian Date: Tue, 9 Dec 2025 11:54:06 +0800 Subject: [PATCH] system/physmem: Fix possible double free when destroy cpu address space address_space_destroy() and g_free_rcu() both operate cpuas->as at rcu thread context asynchronously, each one is an rcu task that has a different callback (the first callback is do_address_space_destroy() and the second callback is g_free()). It's possible that while the first task is pending the second task overwrites the rcu callback (as the second task operates on the same object). Then g_free will be called twice on cpuas->as. Have a fix as the commit "5f7464524d system/physmem: Fix possible double free when destroy cpu as". Signed-off-by: caijian --- system/physmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/physmem.c b/system/physmem.c index e862f99ff6..9ccf195f6e 100644 --- a/system/physmem.c +++ b/system/physmem.c @@ -797,8 +797,8 @@ void cpu_address_space_destroy(CPUState *cpu, int asidx) memory_listener_unregister(&cpuas->tcg_as_listener); } + cpuas->as->free_in_rcu = true; address_space_destroy(cpuas->as); - g_free_rcu(cpuas->as, rcu); if (asidx == 0) { /* reset the convenience alias for address space 0 */ -- Gitee
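Review bot: the hunk's correctness depends on do_address_space_destroy() (named in the commit message but not visible here) actually checking free_in_rcu and g_free()-ing the AddressSpace when the flag is set; please confirm the target tree's do_address_space_destroy() does this, because otherwise dropping `g_free_rcu(cpuas->as, rcu)` turns the double free into a leak of cpuas->as. The ordering in the hunk is right (the flag is set before address_space_destroy() queues the RCU callback), but since the message says this mirrors commit 5f7464524d, state whether this is a backport to a branch that lacks that commit and that the free_in_rcu field exists in the tree at index e862f99ff6. A one-line comment above `cpuas->as->free_in_rcu = true;` saying that the single RCU callback now owns freeing the object would make the intent clear to the next reader.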