Xen project Mailing List

Re: [PATCH v2] xen: rework error handling in vcpu_create

To: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Sun, 3 Aug 2025 14:19:14 +0100

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, George Dunlap <gwd@xxxxxxxxxxxxxx>

Delivery-date: Sun, 03 Aug 2025 13:19:37 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01/08/2025 9:24 pm, Stewart Hildebrand wrote: > In vcpu_create after scheduler data is allocated, if > vmtrace_alloc_buffer fails, it will jump to the wrong cleanup label > resulting in a memory leak. > > Move sched_destroy_vcpu and destroy_waitqueue_vcpu to vcpu_teardown. > Make vcpu_teardown idempotent: deal with NULL unit. > > Fix vcpu_runstate_get (called during XEN_SYSCTL_getdomaininfolist post > vcpu_teardown) when v->sched_unit is NULL. This is unfortunate. It feels wrong to be updating stats on a domain that's in the process of being destroyed, especially as a side effect of a get call. But, I wonder if we've uncovered an object lifecycle problem here. Previously any vCPU which was addressable in the system (i.e. domid was addressable, a d->vcpu[x] was not NULL) had a unit. > > Fixes: 217dd79ee292 ("xen/domain: Add vmtrace_size domain creation parameter") > Signed-off-by: Stewart Hildebrand <stewart.hildebrand@xxxxxxx> > --- > v1->v2: > * move cleanup functions to vcpu_teardown > * renamed, was ("xen: fix memory leak on error in vcpu_create") > --- > xen/common/domain.c | 14 ++++++-------- > xen/common/sched/core.c | 5 ++++- > 2 files changed, 10 insertions(+), 9 deletions(-) > > diff --git a/xen/common/domain.c b/xen/common/domain.c > index 5241a1629eeb..9c65c2974ea3 100644 > --- a/xen/common/domain.c > +++ b/xen/common/domain.c > @@ -388,6 +388,8 @@ static int vmtrace_alloc_buffer(struct vcpu *v) > static int vcpu_teardown(struct vcpu *v) > { > vmtrace_free_buffer(v); > + sched_destroy_vcpu(v); > + destroy_waitqueue_vcpu(v); > > return 0; > } Along with this, you want a matching: diff --git a/xen/common/domain.c b/xen/common/domain.c index 5241a1629eeb..3fd75a6d6784 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -1412,8 +1412,6 @@ static void cf_check complete_domain_destroy(struct rcu_head *head) continue; tasklet_kill(&v->continue_hypercall_tasklet); arch_vcpu_destroy(v); - sched_destroy_vcpu(v); - destroy_waitqueue_vcpu(v); } grant_table_destroy(d); > @@ -448,13 +450,13 @@ struct vcpu *vcpu_create(struct domain *d, unsigned int > vcpu_id) > } > > if ( sched_init_vcpu(v) != 0 ) > - goto fail_wq; > + goto fail; > > if ( vmtrace_alloc_buffer(v) != 0 ) > - goto fail_wq; > + goto fail; > > if ( arch_vcpu_create(v) != 0 ) > - goto fail_sched; > + goto fail; > > d->vcpu[vcpu_id] = v; > if ( vcpu_id != 0 ) > @@ -472,11 +474,7 @@ struct vcpu *vcpu_create(struct domain *d, unsigned int > vcpu_id) > > return v; > > - fail_sched: > - sched_destroy_vcpu(v); > - fail_wq: > - destroy_waitqueue_vcpu(v); > - > + fail: > /* Must not hit a continuation in this context. */ > if ( vcpu_teardown(v) ) > ASSERT_UNREACHABLE(); > diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c > index 2ab4313517c3..fb7c99b05360 100644 > --- a/xen/common/sched/core.c > +++ b/xen/common/sched/core.c > @@ -321,7 +321,7 @@ void vcpu_runstate_get(const struct vcpu *v, > */ > unit = is_idle_vcpu(v) ? get_sched_res(v->processor)->sched_unit_idle > : v->sched_unit; > - lock = likely(v == current) ? NULL : unit_schedule_lock_irq(unit); > + lock = likely(v == current || !unit) ? NULL : > unit_schedule_lock_irq(unit); This is obfuscation for obfuscations sake. The normal way of writing it would be: if ( v != current && unit ) lock = unit_schedule_lock_irq(unit); and that is precisely what the compiler emits. Moreover it also matches the pattern for how the lock is released, later in the function. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.