[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/hvm: Fix double free from vlapic_init() early error path

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Thu, 1 Apr 2021 14:50:36 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7zwZqYz71LYljQ/uFikr8FzWhvV4VF3i5ow+RwmBpf0=; b=EYDHclIJbNKRwpNDaYlvpZ2Y/2T38/amvEDFYPa+vjdl+Uhp45hoV0ERaIGmFQH9Yt55uo3LRB7+xuzpDKTXSMIbNhyN3mHBGE68y/7zQuzJOfeJLiA6B/GJD+J+QtERYOYgA2s+qd97LsOrGPLjaiu5hAGKsfRrM+ySj6CM0GdVK//HUEUXwDNQ2ZwKeEqG1v0kBYJ8iHndpALNDxd0tmBUiM6PsRRUrKZDH8ueWsw5FOB3B2tzfym0IgWQijteWdGupoUxGLVmfw9Y9pVtB4mJJW7jb2MYA4eq0R4+lIwtG1uawsC49GEJwT6fxc7hhe2soQXMeOLHmN2hFCVUGQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fu4BJv4d/hweqghaY+7fAQSPqlyP3yToD9n+CpB68TeHDi8VjUONzQhrpaKAa2XNxg2dVwI2CH4MnLZ7Bl/Du+zu+lc9kvuOhicFMvICXNYrtoWMQOiS2fwACIPmxqlGuUBt9HU/50UklLpocSrJuH43ZR8xK3gRHMoMESbwoix8zi/9KGWpORbYAjUhqaTFNRdCiO/pjJGVpYRXpc+Nr5BIHMZG4dMHYw1fFSx3M/P4vttqaHPBj0NOb7tuY8Qy7EMKO6nnaZ9PsnshbMOFvvzLJafbUVm3CRyLb6CPwglakpmcrEZ8rhckJEPKQ6tcVk9r1aPPvU2LmmTtI9Ln0g==
  • Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 01 Apr 2021 13:50:53 +0000
  • Ironport-hdrordr: A9a23:c3prV6EocDe/9joJpLqFOpHXdLJzesId70hD6mlYVQFVfsuEl8 qngfQc0lvOhCwMXWw78OrsBICrSxrnlaJdy48XILukQU3aqHKlRbsSibfK7h/BP2nF9uBb3b p9aKQWMrfNJHVzkMqS2maFOvk6xt3vys6VrMP/61socg1wcaFn6G5Ce2OmO2l7XhNPC5Z8NL f03LslmxOadX4abtu2CxA+NoCum/TxmI/7ehlDPhY76WC15g+A0qLwEBSTw34lIlFy6IolmF KlryXJop+Nntv+4R/a2m/V4f1t6abc4+oGPuOgoIw4Lj3tjyyheYhuXaaT1QpF3N2H2RIRv/ Tn5zsmIsRv+1PdF1vF3ifF6k3b/xsFr1/k1FOCjnPoraXCNUwHIvsEv611WF/9ySMbzbZB+Z MO5U21nd5rKCmFuyLH693BR3hR5zGJiEtnq8E/pThiS4cEAYUhy7A3zQduP7orOjn104wjGP kGNrCn2N9mNWmXaH3UpQBUsaWRd0V2Gh+HR34LsdCO3w5Xm2hkz1AZyNZ3pAZ5yK4A
  • Ironport-sdr: FIuuEByxvXXqzSTHx6zWX5n3C1J+XpSEZUJbsuwMN3BN43c+JZnDNk5et+/i2M5lB0U6qT5X6T VMl8/pTotN7LkmYBVsvnFXTJOp3hykT0R69DcpFuhK3uxmxaVRXpLYB51h7A6XR9eeu11I2UGa MCeT9LB48wnJZu0MJjzW7kn39ERik03MxDNY1Y7U5QLqA5lOA2vaJXozYJrXYkL/nYrEp8apMs Sq9Q4ktRlDr21IHpSX+zkxdtcJlFiyBObo8nG+8NFIgkZo5D5/+wt5tppsT0aOKLKhxT8SteZu 4Xc=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 01/04/2021 14:45, Jan Beulich wrote:
> On 01.04.2021 15:20, Andrew Cooper wrote:
>> On 31/03/2021 15:03, Jan Beulich wrote:
>>> On 31.03.2021 15:31, Andrew Cooper wrote:
>>>> vlapic_init()'s caller calls vlapic_destroy() on error.  Therefore, the 
>>>> error
>>>> path from __map_domain_page_global() failing would doubly free
>>>> vlapic->regs_page.
>>> I'm having difficulty seeing this. What I find at present is
>>>
>>>     rc = vlapic_init(v);
>>>     if ( rc != 0 ) /* teardown: vlapic_destroy */
>>>         goto fail2;
>>>
>>> and then
>>>
>>>  fail3:
>>>     vlapic_destroy(v);
>>>  fail2:
>>>
>>> Am I missing some important aspect?
>> No - I'm blind.  (although I do blame the code comment for being
>> actively misleading.)
>>
>> I retract the patch at this point.  It needs to be part of a bigger
>> series making changes like this consistently across the callers.
>>
>>>> Rework vlapic_destroy() to be properly idempotent, introducing the 
>>>> necessary
>>>> UNMAP_DOMAIN_PAGE_GLOBAL() and FREE_DOMHEAP_PAGE() wrappers.
>>>>
>>>> Rearrange vlapic_init() to group all trivial initialisation, and leave all
>>>> cleanup to the caller, in line with our longer term plans.
>>> Cleanup functions becoming idempotent is what I understand is the
>>> longer term plan. I didn't think this necessarily included leaving
>>> cleanup after failure in a function to it caller(s).
>> That's literally the point of the exercise.
>>
>>>  At least in the
>>> general case I think it would be quite a bit better if functions
>>> cleaned up after themselves - perhaps (using the example here) by
>>> vlapic_init() calling vlapic_destroy() in such a case.
>> That pattern is the cause of code duplication (not a problem per say),
>> and many bugs (the problem needing solving) caused by the duplicated
>> logic not being equivalent.
>>
>> We've got the start of the top-level pattern in progress, with
>> {domain,vcpu}_create() calling {d,v}_teardown() then {d,v}_destroy() for
>> errors.
> Hmm, in which case you mean to shift the responsibility not to "the
> caller" (many instances) but "the top level caller" (a single
> instance)?

Yes, but the route to managing that needs to move the responsibility up
one level at a time for us not to break things.

i.e. we'd next want to make {pv,hvm}_*_create/initialise() call the
appropriate {pv,hvm}_*_destroy() covering the entire sub-call-tree.

Moving the responsibility across the arch_{d,v}_*() boundaries in
particular needs careful coordination.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.