kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/sysutils/xentools46/patches/patch-XSA233
bouyer b014cb462c Update xen*46 to 4.6.6, including fixes up to XSA244. 
changes since Xen 4.6.5: mostly bug fixes, including security fixes
for XSA206, XSA211 to XSA244.
PKGREVISION set to 1 to account for the fact that it's not a stock Xen 4.6.6.

Note that, unlike upstream, pv-linear-pt defaults to true, so that
NetBSD PV guests (including dom0) will continue to boot without changes
to boot.cfg
2017-10-17 10:57:34 +00:00

54 lines
1.8 KiB
Text
Raw Blame History

$NetBSD: patch-XSA233,v 1.1 2017/10/17 10:57:34 bouyer Exp $
From: Juergen Gross <jgross@suse.com>
Subject: tools/xenstore: dont unlink connection object twice
A connection object of a domain with associated stubdom has two
parents: the domain and the stubdom. When cleaning up the list of
active domains in domain_cleanup() make sure not to unlink the
connection twice from the same domain. This could happen when the
domain and its stubdom are being destroyed at the same time leading
to the domain loop being entered twice.
Additionally don't use talloc_free() in this case as it will remove
a random parent link, leading eventually to a memory leak. Use
talloc_unlink() instead specifying the context from which the
connection object should be removed.
This is XSA-233.
Reported-by: Eric Chanudet <chanudete@ainfosec.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Ian Jackson <ian.jackson@eu.citrix.com>
--- xenstore/xenstored_domain.c.orig
+++ xenstore/xenstored_domain.c
@@ -221,10 +221,11 @@ static int destroy_domain(void *_domain)
static void domain_cleanup(void)
{
xc_dominfo_t dominfo;
- struct domain *domain, *tmp;
+ struct domain *domain;
int notify = 0;
- list_for_each_entry_safe(domain, tmp, &domains, list) {
+ again:
+ list_for_each_entry(domain, &domains, list) {
if (xc_domain_getinfo(*xc_handle, domain->domid, 1,
&dominfo) == 1 &&
dominfo.domid == domain->domid) {
@@ -236,8 +237,12 @@ static void domain_cleanup(void)
if (!dominfo.dying)
continue;
}
- talloc_free(domain->conn);
- notify = 0; /* destroy_domain() fires the watch */
+ if (domain->conn) {
+ talloc_unlink(talloc_autofree_context(), domain->conn);
+ domain->conn = NULL;
+ notify = 0; /* destroy_domain() fires the watch */
+ goto again;
+ }
}
if (notify)
Reference in a new issue View git blame Copy permalink