[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/domctl: Fix double domid_free in XEN_DOMCTL_createdomain error path

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Oleksii Moisieiev <Oleksii_Moisieiev@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
  • Date: Mon, 13 Oct 2025 12:43:45 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=citrix.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=y3hyAGuYKXHdIyltTIG0zCrXJWunGtE8jaDPWRrTg5M=; b=ALlDhj/beekt6koksfgrt/+euw3LRuH1G/y9N7zpp/dphffSYTAo+z7rDufdiiX6yiwyf7ARNNaVln19tZmnOgY3pUDX3aKp69NmDCboWwhOirO+9x8pbfJ8/RQAWYbRZNmMg4wlarjddfafTAe7MbNlpE8IEL9JiugziH5VCt9iABimgdq2lfKpHggZQJqDLu+MEGiUv8wJ7H/SqhStW0e0WeJWAO1MjeAkITk4sKA+QU/BOX6Ua0ngjmRKFvXzijTiGCXfQmoOoA0qoko9W0svmtDjLnCRt9/Tq3q+Ykf2MZ6JfhsZV1w2naLgodWcO4uwwKUBHF6fNhDBorIZ8w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=f28le4UyXclV6DRDNk1CY4pTeaDDtUphCdDlaOWzQhumsGEGA8LZhREK4UW7RFUzSp8koBFaPQ21St3PhXpqEuIznCjP4Yft+TXjznq86Fuiczw1XGj1WDGcBPXBt8sS9qwYEbo/r0sXuYEIEPVNh0FO8KdhU4ro8Vswo2JoBNEFs22LRUAOJiB/VouO2tOvzV6vYzZONGrKi/XcS8hn3xbUASdIcd9Nmo5ruPgvdD3GdlfjsH7TKq7rUNb3fisdTNDFemakyxgjmR4wGX4McpriBcreUmnMiCaOGGcmXK0TCYLE2qoHFuhm8HyLVYKIU5BceMObGcoFPuTVaL2B1A==
  • Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Xen-devel <xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 13 Oct 2025 10:44:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Sat Sep 13, 2025 at 1:56 PM CEST, Andrew Cooper wrote:
> On 13/09/2025 11:44 am, Oleksii Moisieiev wrote:
>> Remove redundant domid_free() call in the XEN_DOMCTL_createdomain error
>> handling path to prevent a double-free condition.
>>
>> When domain_create() fails, it internally calls _domain_destroy() during
>> its cleanup routine, which already invokes domid_free() to release the
>> allocated domain ID. The additional domid_free() call in the domctl error
>> path creates a double-free scenario, triggering an assertion failure in
>> domid.c:
>>
>>     Assertion 'rc' failed at common/domid.c:84
>>
>> The domain creation flow is:
>> 1. domid_alloc() allocates a domain ID
>> 2. domain_create() is called with the allocated ID
>> 3. If domain_create() fails:
>>    a) domain_create() calls _domain_destroy() internally
>>    b) _domain_destroy() calls domid_free() to release the ID
>>    c) domctl incorrectly calls domid_free() again
>>
>> This double-free violates the domain ID management invariants and causes
>> system instability. The fix ensures domid_free() is called exactly once
>> per allocated domain ID, maintaining proper resource cleanup
>> semantics.
>
> Fixes: 2d5065060710 ("xen/domain: unify domain ID allocation")
>
>> Signed-off-by: Oleksii Moisieiev <oleksii_moisieiev@xxxxxxxx>
>
> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>
> the tl;dr is that domain_create() either inserts the domain into the
> domlist, or cleans up after itself.
>
> The domid alloc infrastructure is problematic in multiple ways, not
> least because it now means there are two sources of truth for which
> domain's exist, and they are not interlocked.

The source of truth of existing domains is the domlist. The source of truth
of domids is the domid bitmap; and they need not match.

A domid being allocated doesn't mean the domain exists. Merely that the domid
is unavailable for allocation.

This is fairly important to allow fallible boots, where some boot-domains are
allowed to fail construction for one reason or another while preventing their
domids from being hijacked by a later domain, and thus prevent some resources
granted to those domains that failed construction from being usable by others.

The actual problem is that the lifetime of certain resources assigned to domains
extends past the lifetime of the domain, and the mere possesion of a domid
grants authority over resources assigned to the domid, even after its associated
domain died. This is wrong and bad, and has been wrong and bad since before the
time_t was 0.

If it wasn't for this messed up means of resource management we wouldn't have a
need for preventing certain domids from being used. We need saner semantics with
the lifetimes of event channels and grants. And possibly more resources.

Cheers,
Alejandro

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.