[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.4] libxl: Fix bootloader-related virtual memory leak on pv build failure



commit 62dc4c1a96eb9b40ec23bdd1656ece913f540871
Author:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Wed Nov 18 15:34:54 2015 +0000
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Tue Dec 8 15:31:45 2015 +0000

    libxl: Fix bootloader-related virtual memory leak on pv build failure
    
    The bootloader may call libxl__file_reference_map(), which mmap's the
    pv_kernel and pv_ramdisk into process memory.  This was only unmapped,
    however, on the success path of libxl__build_pv().  If there were a
    failure anywhere between libxl_bootloader.c:parse_bootloader_result()
    and the end of libxl__build_pv(), the calls to
    libxl__file_reference_unmap() would be skipped, leaking the mapped
    virtual memory.
    
    Ideally this would be fixed by adding the unmap calls to the
    destruction path for libxl__domain_build_state.  Unfortunately the
    lifetime of the libxl__domain_build_state is opaque, and it doesn't
    have a proper destruction path.  But, the only thing in it that isn't
    from the gc are these bootloader references, and they are only ever
    set for one libxl__domain_build_state, the one which is
    libxl__domain_create_state.build_state.
    
    So we can clean up in the exit path from libxl__domain_create_*, which
    always comes through domcreate_complete.
    
    Remove the now-redundant unmaps in libxl__build_pv's success path.
    
    This is XSA-160.
    
    Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
    Tested-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
---
 tools/libxl/libxl_create.c |    3 +++
 tools/libxl/libxl_dom.c    |    3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
index e3350d5..5292c15 100644
--- a/tools/libxl/libxl_create.c
+++ b/tools/libxl/libxl_create.c
@@ -1295,6 +1295,9 @@ static void domcreate_complete(libxl__egc *egc,
     STATE_AO_GC(dcs->ao);
     libxl_domain_config *const d_config = dcs->guest_config;
 
+    libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
+    libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
+
     if (!rc && d_config->b_info.exec_ssidref)
         rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, 
d_config->b_info.exec_ssidref);
 
diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
index 52bc01a..978a1eb 100644
--- a/tools/libxl/libxl_dom.c
+++ b/tools/libxl/libxl_dom.c
@@ -451,9 +451,6 @@ int libxl__build_pv(libxl__gc *gc, uint32_t domid,
         state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
     }
 
-    libxl__file_reference_unmap(&state->pv_kernel);
-    libxl__file_reference_unmap(&state->pv_ramdisk);
-
     ret = 0;
 out:
     xc_dom_release(dom);
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.4

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.