Re: [PATCH] tools/xenstored: Don't crash xenstored when Live-Update is cancelled

[Julien Grall <julien@xxxxxxx>]

Hi Juergen,

On 22/06/2021 10:46, Juergen Gross wrote:
> On 17.06.21 19:38, Julien Grall wrote:
> > From: Julien GralL <jgrall@xxxxxxxxxx>
> >
> > As Live-Update is asynchronous, it is possible to receive a request to
> > cancel it (either on the same connection or from a different one).
> >
> > Currently, this will crash xenstored because do_lu_start() assumes
> > lu_status will be valid. This is not the case when Live-Update has been
> > cancelled. This will result to dereference a NULL pointer and
> > crash Xenstored.
> Umm, you introduced that bug in "[PATCH 03/10] tools/xenstore: Don't
> assume conn->in points to the LU request".
No. I did reproduced this one without my series. If there are in-flight 
transaction this will crash in lu_check_lu_allowed() otherwise, it will 
crash when calling lu_dump_state().
The easiest way to reproduce is requesting live-update when there are 
long transactions and from a different connection (still in dom0) 
requesting to abort the connection.
In this case, lu_abort() will free lu_status and the destructor will set 
it to NULL. But the actual request is still in the delayed request queue 
for the other connection.
Cheers,

--
Julien Grall