Xen project Mailing List

Re: [PATCH] x86/hvm: Fix double free from vlapic_init() early error path

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Wed, 31 Mar 2021 16:03:03 +0200

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Wed, 31 Mar 2021 14:03:10 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 31.03.2021 15:31, Andrew Cooper wrote: > vlapic_init()'s caller calls vlapic_destroy() on error. Therefore, the error > path from __map_domain_page_global() failing would doubly free > vlapic->regs_page. I'm having difficulty seeing this. What I find at present is rc = vlapic_init(v); if ( rc != 0 ) /* teardown: vlapic_destroy */ goto fail2; and then fail3: vlapic_destroy(v); fail2: Am I missing some important aspect? > Rework vlapic_destroy() to be properly idempotent, introducing the necessary > UNMAP_DOMAIN_PAGE_GLOBAL() and FREE_DOMHEAP_PAGE() wrappers. > > Rearrange vlapic_init() to group all trivial initialisation, and leave all > cleanup to the caller, in line with our longer term plans. Cleanup functions becoming idempotent is what I understand is the longer term plan. I didn't think this necessarily included leaving cleanup after failure in a function to it caller(s). At least in the general case I think it would be quite a bit better if functions cleaned up after themselves - perhaps (using the example here) by vlapic_init() calling vlapic_destroy() in such a case. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.