Xen project Mailing List

Re: [Xen-devel] [PATCH v1] libxl: fix crash in helper_done due to uninitialized data

To: Olaf Hering <olaf@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>

From: Ian Jackson <ian.jackson@xxxxxxxxxx>

Date: Fri, 27 Sep 2019 18:17:12 +0100

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=ian.jackson@xxxxxxxxxx; spf=Pass smtp.mailfrom=Ian.Jackson@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Cc: Anthony Perard <anthony.perard@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Fri, 27 Sep 2019 17:17:32 +0000

Ironport-sdr: 8aXoAxvfBzQlTGoOsce651zcCwYNT0VnfKeuHZt3NpZ0jfi3vqTtGwpdv3WiuFIVDi2hruiuWw J/geEJCMcalBE2p1P07DnPJbkJFg4uQkllKUcLbDdFsPEANDC9m9o1VXQKSi0gxdZS2js3ZjEx kW9OP7/tXB3xdg8EDtG4ACU34R1euKBL9Xfwtt/gg/gV1yveFgIOB0A6s7wCHogWDXFw0KBYMo Y53BK4RHJhFgZD4iJ+RyA8tGr+uKZ8xESd4M/dkQ2+qBuOE5wB79ZZ67ZGnB6+v/oylNQOrw5P hu8=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Olaf Hering writes ("[PATCH v1] libxl: fix crash in helper_done due to uninitialized data"): > A crash in helper_done, called from libxl_domain_suspend, was reported, > triggered by 'virsh migrate --live xen+ssh://host': ... > This is triggered by a failed poll, the actual error was: > > libxl_aoutils.c:328:datacopier_writable: unexpected poll event 0x1c on fd 37 > (should be POLLOUT) writing libxc header during copy of save v2 stream > > In this case revents in datacopier_writable is POLLHUP|POLLERR|POLLOUT, > which triggers datacopier_callback. In helper_done, > shs->completion_callback is still zero. libxl__xc_domain_save fills > dss.sws.shs. But that function is only called after stream_header_done. > Any error before that will leave dss partly uninitialized. Thanks for the diagnosis. And sorry for the inconvenience of this bug. > Fix this crash by checking if ->completion_callback is valid. But I don't think this fix is right. The bug is that libxl__save_helper_abort is called on a blank shs. (You say "uninitialised" but actually this is all zeroed at some point, so it it's not reading uninitialised memory.) I think it is in fact a bug that this error path if (!stream->rc && rc) { /* First reported failure. Tear everything down. */ stream->rc = rc; stream->sync_teardown = true; libxl__stream_read_abort(egc, stream, rc); libxl__save_helper_abort(egc, &stream->shs); libxl__conversion_helper_abort(egc, &stream->chs, rc); stream->sync_teardown = false; } calls libxl__save_helper_abort when it hasn't ever called anything other than libxl__save_helper_init. Because _abort naturally wants to call the failure callback. I suggest that we add a check for _inuse to this bit of check_all_finished. Ross and Andrew, you wrote much of this stream read stuff, what do you think ? Part of the difficulty is that the possible states and transitions of a libxl__save_helper_state are not formatlly documented. That's my fault - sorry. Thanks, Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.