From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anthony Liguori Subject: [PATCH] Fix SEGVs in xenconsoled Date: Mon, 15 Aug 2005 15:07:19 -0500 Message-ID: <4300F5F7.9060401@us.ibm.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------010904090607050301090307" Return-path: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: xen-devel List-Id: xen-devel@lists.xenproject.org This is a multi-part message in MIME format. --------------010904090607050301090307 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Under the right circumstances, xenconsoled will corrupt its internal list of domains causing a SEGV. This is usually characterized by a rapid number of creations/destructions. The attached patch fixes this. Regards, Anthony Liguori --------------010904090607050301090307 Content-Type: text/x-patch; name="consoled_segv.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="consoled_segv.diff" # HG changeset patch # User Anthony Liguori # Node ID f8e21ceb6820b6bdb48a161c5f401f3577a14fde # Parent a5e3caa6efbf3a46515c8b4f39219eaed75b2b6c 1) Fix uninitialized next pointer. This could sometimes cause xenconsoled to SEGV on an invalid domain pointer 2) Fix race condition in iterating domain list where removing a domain in a callback could lead to the iterators becoming invalid. Signed-off-by: Anthony Liguori diff -r a5e3caa6efbf -r f8e21ceb6820 tools/console/daemon/io.c --- a/tools/console/daemon/io.c Sat Aug 13 19:31:13 2005 +++ b/tools/console/daemon/io.c Mon Aug 15 20:11:29 2005 @@ -87,6 +87,7 @@ { int domid; int tty_fd; + bool is_dead; struct buffer buffer; struct domain *next; }; @@ -156,10 +157,12 @@ dom->domid = domid; dom->tty_fd = domain_create_tty(dom); + dom->is_dead = false; dom->buffer.data = 0; dom->buffer.size = 0; dom->buffer.capacity = 0; dom->buffer.max_capacity = 0; + dom->next = 0; dolog(LOG_DEBUG, "New domain %d", domid); @@ -206,6 +209,16 @@ } } +static void remove_dead_domains(struct domain *dom) +{ + if (dom == NULL) return; + remove_dead_domains(dom->next); + + if (dom->is_dead) { + remove_domain(dom); + } +} + static void handle_tty_read(struct domain *dom) { ssize_t len; @@ -224,7 +237,7 @@ if (domain_is_valid(dom->domid)) { dom->tty_fd = domain_create_tty(dom); } else { - remove_domain(dom); + dom->is_dead = true; } } else if (domain_is_valid(dom->domid)) { msg.u.control.msg.length = len; @@ -235,7 +248,7 @@ } } else { close(dom->tty_fd); - remove_domain(dom); + dom->is_dead = true; } } @@ -250,7 +263,7 @@ if (domain_is_valid(dom->domid)) { dom->tty_fd = domain_create_tty(dom); } else { - remove_domain(dom); + dom->is_dead = true; } } else { buffer_advance(&dom->buffer, len); @@ -333,13 +346,15 @@ } for (d = dom_head; d; d = d->next) { - if (FD_ISSET(d->tty_fd, &readfds)) { + if (!d->is_dead && FD_ISSET(d->tty_fd, &readfds)) { handle_tty_read(d); } - if (FD_ISSET(d->tty_fd, &writefds)) { + if (!d->is_dead && FD_ISSET(d->tty_fd, &writefds)) { handle_tty_write(d); } } + + remove_dead_domains(dom_head); } while (ret > -1); } --------------010904090607050301090307 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --------------010904090607050301090307--