[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection

To: Petre Eftime <epetre@xxxxxxxxxx>
From: Wei Liu <wei.liu2@xxxxxxxxxx>
Date: Thu, 29 Nov 2018 12:52:55 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Wei Liu <wei.liu2@xxxxxxxxxx>, Amit Shah <aams@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxx>
Delivery-date: Thu, 29 Nov 2018 12:53:12 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Nov 26, 2018 at 01:22:04PM +0000, Petre Eftime wrote:
> There is a circular link formed between domain and a connection. In certain
> circustances, when conn is freed, domain is also freed, which leads to use
> after free when trying to set the conn field in domain to null.

Actually, can you provide more context on this? When will the circular
link happen?

Wei.

> 
> Signed-off-by: Petre Eftime <epetre@xxxxxxxxxx>
> ---
>  tools/xenstore/xenstored_domain.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/xenstore/xenstored_domain.c 
> b/tools/xenstore/xenstored_domain.c
> index fa6655033a..f085d40476 100644
> --- a/tools/xenstore/xenstored_domain.c
> +++ b/tools/xenstore/xenstored_domain.c
> @@ -222,6 +222,7 @@ static void domain_cleanup(void)
>  {
>       xc_dominfo_t dominfo;
>       struct domain *domain;
> +     struct connection *tmp_conn;
>       int notify = 0;
>  
>   again:
> @@ -238,8 +239,14 @@ static void domain_cleanup(void)
>                               continue;
>               }
>               if (domain->conn) {
> -                     talloc_unlink(talloc_autofree_context(), domain->conn);
> +                     /*
> +                      * In certain circumstances conn owns domain and
> +                      * domain will be freed when conn is unlinked.
> +                      */
> +                     tmp_conn = domain->conn;
>                       domain->conn = NULL;
> +
> +                     talloc_unlink(talloc_autofree_context(), tmp_conn);
>                       notify = 0; /* destroy_domain() fires the watch */
>                       goto again;
>               }
> -- 
> 2.16.5
> 
> 
> 
> 
> Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar 
> Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in 
> Romania. Registration number J22/2621/2005.
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection
  - From: Eftime, Petre

References:
- [Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection
  - From: Petre Eftime

Prev by Date: Re: [Xen-devel] [PATCH v6 00/20] xen: add pvh guest support
Next by Date: [Xen-devel] [PATCH v2] tools/xenstore: domain can sometimes disappear when destroying connection
Previous by thread: Re: [Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection
Next by thread: Re: [Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.