[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] tools/xenstored: Don't crash xenstored when Live-Update is cancelled

Hi Juergen,

On 22/06/2021 10:46, Juergen Gross wrote:

On 17.06.21 19:38, Julien Grall wrote:

From: Julien GralL <jgrall@xxxxxxxxxx>

As Live-Update is asynchronous, it is possible to receive a request to
cancel it (either on the same connection or from a different one).

Currently, this will crash xenstored because do_lu_start() assumes
lu_status will be valid. This is not the case when Live-Update has been
cancelled. This will result to dereference a NULL pointer and
crash Xenstored.

Umm, you introduced that bug in "[PATCH 03/10] tools/xenstore: Don't
assume conn->in points to the LU request".

No. I did reproduced this one without my series. If there are in-flight 
transaction this will crash in lu_check_lu_allowed() otherwise, it will 
crash when calling lu_dump_state().

The easiest way to reproduce is requesting live-update when there are 
long transactions and from a different connection (still in dom0) 
requesting to abort the connection.

In this case, lu_abort() will free lu_status and the destructor will set 
it to NULL. But the actual request is still in the delayed request queue 
for the other connection.

Cheers,

--
Julien Grall





















    
    		
  




 




    

    	
©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved. 

    Linux Foundation is a registered trademark of The Linux Foundation. 

    Xen Project is a trademark of The Linux Foundation.
		 
    
 








  

    Rackspace
            
        
Lists.xenproject.org is hosted with RackSpace, monitoring our

           servers 24x7x365 and backed by RackSpace's Fanatical Support®.