From patchwork Fri Sep 27 16:17:46 2019
X-Patchwork-Submitter: Olaf Hering
X-Patchwork-Id: 11164829
From: Olaf Hering
To: xen-devel@lists.xenproject.org
Date: Fri, 27 Sep 2019 18:17:46 +0200
Message-Id: <20190927161746.25902-1-olaf@aepfle.de>
Subject: [Xen-devel] [PATCH v1] libxl: fix crash in helper_done due to uninitialized data
Cc: Anthony PERARD, Olaf Hering, Ian Jackson, Wei Liu

A crash in helper_done, called from libxl_domain_suspend, was reported,
triggered by 'virsh migrate --live xen+ssh://host':

 #1 helper_done (...) at libxl_save_callout.c:371
    helper_failed
    helper_stop
    libxl__save_helper_abort
 #2 check_all_finished (..., rc=-3) at libxl_stream_write.c:671
    stream_done
    stream_complete
    write_done
    dc->callback == write_done
    efd->func == datacopier_writable
 #3 afterpoll_internal (...) at libxl_event.c:1269

This is triggered by a failed poll, the actual error was:

 libxl_aoutils.c:328:datacopier_writable: unexpected poll event 0x1c on fd 37 (should be POLLOUT) writing libxc header during copy of save v2 stream

In this case revents in datacopier_writable is POLLHUP|POLLERR|POLLOUT,
which triggers datacopier_callback. In helper_done,
shs->completion_callback is still zero. libxl__xc_domain_save fills
dss.sws.shs. But that function is only called after stream_header_done.
Any error before that will leave dss partly uninitialized.

Fix this crash by checking if ->completion_callback is valid.

Signed-off-by: Olaf Hering
---
 tools/libxl/libxl_save_callout.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/libxl/libxl_save_callout.c b/tools/libxl/libxl_save_callout.c index 6452d70036..89a2f6ecf0 100644 --- a/tools/libxl/libxl_save_callout.c +++ b/tools/libxl/libxl_save_callout.c 
@@ -366,8 +366,9 @@ static void helper_done(libxl__egc *egc, libxl__save_helper_state *shs) assert(!libxl__save_helper_inuse(shs)); shs->egc = egc; - shs->completion_callback(egc, shs->caller_state, - shs->rc, shs->retval, shs->errnoval); + if (shs->completion_callback) + shs->completion_callback(egc, shs->caller_state, + shs->rc, shs->retval, shs->errnoval); shs->egc = 0; }
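
Review bot: the new `if (shs->completion_callback)` guard in helper_done lets the early-failure path finish silently: when the pointer is still zero, shs->rc, shs->retval and shs->errnoval are dropped and nothing is notified from here. The commit message says libxl__xc_domain_save fills dss.sws.shs only after stream_header_done, so the check works around the partly uninitialized state rather than removing it. Consider initializing shs before any error path can reach libxl__save_helper_abort, or at least add a comment at the check saying why a NULL callback is legitimate here and which path reports the failure instead. Since the guarded call spans two lines, braces around the if body would also make it harder to misread.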