[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] Under the right circumstances, xenconsoled will corrupt its internal

# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 2c2015c11b498987f1b410540262c4ba29e50de1
# Parent  60d20acf8928665ea3404f0e8cb324082d43c061
Under the right circumstances, xenconsoled will corrupt its internal 
list of domains causing a SEGV.  This is usually characterized by a 
rapid number of creations/destructions.  The attached patch fixes this.

1) Fix uninitialized next pointer.  This could sometimes cause xenconsoled to
   SEGV on an invalid domain pointer
2) Fix race condition in iterating domain list where removing a domain in a
   callback could lead to the iterators becoming invalid.

Signed-off-by: Anthony Liguori <aliguori@xxxxxxxxxx>

diff -r 60d20acf8928 -r 2c2015c11b49 tools/console/daemon/io.c
--- a/tools/console/daemon/io.c Tue Aug 16 01:04:32 2005
+++ b/tools/console/daemon/io.c Tue Aug 16 07:06:10 2005
@@ -87,6 +87,7 @@
 {
        int domid;
        int tty_fd;
+       bool is_dead;
        struct buffer buffer;
        struct domain *next;
 };
@@ -156,10 +157,12 @@
 
        dom->domid = domid;
        dom->tty_fd = domain_create_tty(dom);
+       dom->is_dead = false;
        dom->buffer.data = 0;
        dom->buffer.size = 0;
        dom->buffer.capacity = 0;
        dom->buffer.max_capacity = 0;
+       dom->next = 0;
 
        dolog(LOG_DEBUG, "New domain %d", domid);
 
@@ -206,6 +209,16 @@
        }
 }
 
+static void remove_dead_domains(struct domain *dom)
+{
+       if (dom == NULL) return;
+       remove_dead_domains(dom->next);
+
+       if (dom->is_dead) {
+               remove_domain(dom);
+       }
+}
+
 static void handle_tty_read(struct domain *dom)
 {
        ssize_t len;
@@ -224,7 +237,7 @@
                if (domain_is_valid(dom->domid)) {
                        dom->tty_fd = domain_create_tty(dom);
                } else {
-                       remove_domain(dom);
+                       dom->is_dead = true;
                }
        } else if (domain_is_valid(dom->domid)) {
                msg.u.control.msg.length = len;
@@ -235,7 +248,7 @@
                }
        } else {
                close(dom->tty_fd);
-               remove_domain(dom);
+               dom->is_dead = true;
        }
 }
 
@@ -250,7 +263,7 @@
                if (domain_is_valid(dom->domid)) {
                        dom->tty_fd = domain_create_tty(dom);
                } else {
-                       remove_domain(dom);
+                       dom->is_dead = true;
                }
        } else {
                buffer_advance(&dom->buffer, len);
@@ -333,13 +346,15 @@
                }
 
                for (d = dom_head; d; d = d->next) {
-                       if (FD_ISSET(d->tty_fd, &readfds)) {
+                       if (!d->is_dead && FD_ISSET(d->tty_fd, &readfds)) {
                                handle_tty_read(d);
                        }
 
-                       if (FD_ISSET(d->tty_fd, &writefds)) {
+                       if (!d->is_dead && FD_ISSET(d->tty_fd, &writefds)) {
                                handle_tty_write(d);
                        }
                }
+
+               remove_dead_domains(dom_head);
        } while (ret > -1);
 }

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.