[xen master] xen/domctl: Fix double domid_free in XEN_DOMCTL_createdomain error path
commit 656b9ca03bd340715aecf405da63c515afb344a1
Author: Oleksii Moisieiev <Oleksii_Moisieiev@xxxxxxxx>
AuthorDate: Sat Sep 13 10:44:39 2025 +0000
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Sat Sep 13 12:59:29 2025 +0100

xen/domctl: Fix double domid_free in XEN_DOMCTL_createdomain error path

Remove redundant domid_free() call in the XEN_DOMCTL_createdomain error handling path to prevent a double-free condition.

When domain_create() fails, it internally calls _domain_destroy() during its cleanup routine, which already invokes domid_free() to release the allocated domain ID. The additional domid_free() call in the domctl error path creates a double-free scenario, triggering an assertion failure in domid.c:

  Assertion 'rc' failed at common/domid.c:84

The domain creation flow is:
1. domid_alloc() allocates a domain ID
2. domain_create() is called with the allocated ID
3. If domain_create() fails:
   a) domain_create() calls _domain_destroy() internally
   b) _domain_destroy() calls domid_free() to release the ID
   c) domctl incorrectly calls domid_free() again

This double-free violates the domain ID management invariants and causes system instability. The fix ensures domid_free() is called exactly once per allocated domain ID, maintaining proper resource cleanup semantics.

Signed-off-by: Oleksii Moisieiev <oleksii_moisieiev@xxxxxxxx>
Fixes: 2d5065060710 ("xen/domain: unify domain ID allocation")
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

--- xen/common/domctl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 71e712c1f3..954d790226 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -421,7 +421,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) d = domain_create(domid, &op->u.createdomain, false); if ( IS_ERR(d) ) { - domid_free(domid); ret = PTR_ERR(d); d = NULL; break; -- generated by git-patchbot for /home/xen/git/xen.git#master
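
Review bot: In the IS_ERR(d) branch of do_domctl(), nothing at the call site now records that ownership of domid passes to domain_create() even when it fails, so the removed domid_free(domid) looks like a missing cleanup and could easily be re-added later. A short comment above "ret = PTR_ERR(d);" stating that domain_create() releases the ID on failure would document the contract. Since the caller no longer frees anything, it is also worth confirming that every failure return in domain_create() goes through _domain_destroy(); any early return that skips it would now leave the allocated ID unreleased.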