author Keir Fraser <keir@xen.org> 2010-11-24 22:08:20 -0800
committer Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> 2011-04-14 18:26:15 -0400
commit 313d7b003ceceb797e8c0d18ab085ed0638b4aff (patch)
tree 339506d76bb5850adb1203f2f7fd94784ec7541c
parent a81135d90bf176e6139c352c7b96c03d00131836 (diff)
blkback: Fix CVE-2010-3699
A guest can cause the backend driver to leak a kernel thread. Such leaked threads hold references to the device, which makes the device impossible to tear down. If shut down, the guest remains a zombie domain, the xenwatch process hangs, and most xm commands will stop working.

This patch tries to do the following for blkback:
- identify/extract idempotent teardown operations,
- add/move the invocation of said teardown operation right before we're about to allocate new resources in the Connected states.

[ linux-2.6.18-xen.hg 59f097ef181b ]

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Keir Fraser <keir@xen.org>
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
-rw-r--r-- drivers/xen/blkback/xenbus.c 6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/xen/blkback/xenbus.c b/drivers/xen/blkback/xenbus.c
index a0534fc..031bc3d 100644
--- a/drivers/xen/blkback/xenbus.c
+++ b/drivers/xen/blkback/xenbus.c
@@ -382,6 +382,11 @@ static void frontend_changed(struct xenbus_device *dev,
if (dev->state == XenbusStateConnected)
break;
+ /* Enforce precondition before potential leak point.
+ * blkif_disconnect() is idempotent.
+ */
+ blkif_disconnect(be->blkif);
+
err = connect_ring(be);
if (err)
break;
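Review bot: The comment added above blkif_disconnect(be->blkif) asserts idempotence but does not name the precondition or the resource that connect_ring() would otherwise leak; spell that out (the commit message says it is a kernel thread holding a device reference) so the call is not later removed as redundant. The call sits after the `dev->state == XenbusStateConnected` early break, so it runs only when the backend is not already Connected, which means it can also run on a blkif that was never connected; blkif_disconnect() is not part of this diff, so confirm it is a no-op in that case. Style: kernel multi-line comments open with a bare `/*` line.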
@@ -399,6 +404,7 @@ static void frontend_changed(struct xenbus_device *dev,
break;
/* fall through if not online */
case XenbusStateUnknown:
+ /* implies blkif_disconnect() via blkback_remove() */
device_unregister(&dev->dev);
break;
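Review bot: The new comment on the XenbusStateUnknown case records that teardown here is only indirect, through blkback_remove(), but neither that function nor its call to blkif_disconnect() appears in this diff, so the invariant rests on code that a later change could alter without touching this switch. Consider a matching comment in blkback_remove() stating that frontend_changed() depends on it, or say here that device_unregister() reaches it through the driver's remove callback. The case above falls through into this one ("fall through if not online"), so that path relies on the same indirect teardown and deserves the same check.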