author | Keir Fraser | 2010-11-25 07:08:20 +0100 |
---|---|---|
committer | Konrad Rzeszutek Wilk | 2011-04-15 00:26:15 +0200 |
commit | 313d7b003ceceb797e8c0d18ab085ed0638b4aff (patch) | |
tree | 339506d76bb5850adb1203f2f7fd94784ec7541c /drivers/xen/blkback/xenbus.c | |
parent | xen/blkback: Print additional information when a vbd is resized. (diff) | |
blkback: Fix CVE-2010-3699
A guest can cause the backend driver to leak a kernel thread. Such
leaked threads hold references to the device, which makes the device
impossible to tear down. If shut down, the guest remains a zombie
domain, the xenwatch process hangs, and most xm commands will stop
working.
This patch tries to do the following for blkback:
- identify/extract idempotent teardown operations,
- add/move the invocation of said teardown operation
right before we're about to allocate new resources in the
Connected states.
[ linux-2.6.18-xen.hg 59f097ef181b ]
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Keir Fraser <keir@xen.org>
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
Diffstat (limited to 'drivers/xen/blkback/xenbus.c')
-rw-r--r-- | drivers/xen/blkback/xenbus.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/xen/blkback/xenbus.c b/drivers/xen/blkback/xenbus.c index a0534fc6a428..031bc3d7eec3 100644 --- a/drivers/xen/blkback/xenbus.c +++ b/drivers/xen/blkback/xenbus.c @@ -382,6 +382,11 @@ static void frontend_changed(struct xenbus_device *dev, if (dev->state == XenbusStateConnected) break; + /* Enforce precondition before potential leak point. + * blkif_disconnect() is idempotent. + */ + blkif_disconnect(be->blkif); + err = connect_ring(be); if (err) break; @@ -399,6 +404,7 @@ static void frontend_changed(struct xenbus_device *dev, break; /* fall through if not online */ case XenbusStateUnknown: + /* implies blkif_disconnect() via blkback_remove() */ device_unregister(&dev->dev); break; |
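Review bot: In the XenbusStateConnected hunk, the comment added before connect_ring(be) says "potential leak point" without naming what leaks. The commit message is specific (a kernel thread that holds a reference to the device), and the comment should say the same so the reason for the call survives without the changelog. The call also depends on blkif_disconnect() being safe on a blkif that has never been connected; that is asserted here ("is idempotent") but the function is outside this file's diff, so a matching note at its definition would keep the claim and the code together. The early break when dev->state is already XenbusStateConnected still runs before the new call, which looks intended, but a word in the comment that the teardown only applies to a fresh connect would make that explicit.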
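Review bot: The comment above device_unregister(&dev->dev) in the XenbusStateUnknown case records a dependency that nothing in these lines enforces: teardown is said to happen through blkback_remove(), which is not part of this diff. If that path ever stops calling blkif_disconnect(), this case and the "fall through if not online" path above it lose their teardown with no visible change here. Stating the same expectation in a comment at blkback_remove() would make the dependency visible from both ends.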