If domain_soft_reset_cb can't rename the save file, it doesn't call
initiate_domain_create() and calls domcreate_complete().
Skipping initiate_domain_create() means dcs->console_xswait is
uninitialized and all 0s.
We have:
domcreate_complete()
libxl__xswait_stop()
libxl__ev_xswatch_deregister().
The uninitialized slotnum 0 is considered valid (-1 is the invalid
sentinel), so the NULL pointer path is passed to xs_unwatch(), which
segfaults.
libxl__ev_xswatch_deregister:watch w=0x12bc250 wpath=(null) token=0/0: deregister slotnum=0
Move dcs->console_xswait initialization into the callers of
initiate_domain_create, do_domain_create() and do_domain_soft_reset(),
so it is initialized along with the other dcs state.
Fixes: c57e6ebd8c3e ("(lib)xl: soft reset support")
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
---
v2:
Add Fixes
Drop NULL check
Re-position libxl__xswait_init in callers
tools/libs/light/libxl_create.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c
index 15ed021f41..885675591f 100644
--- a/tools/libs/light/libxl_create.c
+++ b/tools/libs/light/libxl_create.c
@@ -1255,8 +1255,6 @@ static void initiate_domain_create(libxl__egc *egc,
libxl_domain_config *const d_config = dcs->guest_config;
libxl__domain_build_state *dbs = &dcs->build_state;
- libxl__xswait_init(&dcs->console_xswait);
-
domid = dcs->domid;
libxl__domain_build_state_init(dbs);
dbs->restore = dcs->restore_fd >= 0;
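Review bot: with the libxl__xswait_init() call dropped from this hunk, initiate_domain_create() now depends on every caller having already initialized dcs->console_xswait, but nothing in the function records that precondition. Worth a one-line comment at the top of the function, next to the libxl__domain_build_state_init(dbs) call that stays here, saying the caller owns console_xswait initialization, so the next caller added does not reintroduce the uninitialized-deregister crash.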
@@ -2072,6 +2070,7 @@ static int do_domain_create(libxl_ctx *ctx, libxl_domain_config *d_config,
cdcs->dcs.callback = domain_create_cb;
cdcs->dcs.domid = INVALID_DOMID;
cdcs->dcs.soft_reset = false;
+ libxl__xswait_init(&cdcs->dcs.console_xswait);
if (cdcs->dcs.restore_params.checkpointed_stream ==
LIBXL_CHECKPOINTED_STREAM_COLO) {
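Review bot: the same shape of bug may remain for the other dcs state that initiate_domain_create() still sets up. The commit message says the failing soft-reset path skips initiate_domain_create() entirely and goes straight to domcreate_complete(), and the first hunk leaves libxl__domain_build_state_init(dbs) inside initiate_domain_create(); if domcreate_complete() or anything it calls reads dcs->build_state, that member is equally uninitialized on that path. Suggest auditing what domcreate_complete() touches in dcs and initializing each such member here, alongside `libxl__xswait_init(&cdcs->dcs.console_xswait);`.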
@@ -2172,6 +2171,7 @@ static int do_domain_soft_reset(libxl_ctx *ctx,
cdcs->dcs.domid = domid;
cdcs->dcs.soft_reset = true;
cdcs->dcs.callback = domain_create_cb;
+ libxl__xswait_init(&cdcs->dcs.console_xswait);
libxl__ao_progress_gethow(&srs->cdcs.dcs.aop_console_how,
aop_console_how);
cdcs->domid_out = &domid_out;
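Review bot: the two new libxl__xswait_init() calls sit at different points in their callers (before the COLO check in do_domain_create(), after the callback assignment here), which is harmless but makes it easy to miss one in a future copy; consider placing it immediately after `cdcs->dcs.soft_reset = ...` in both so the dcs setup blocks stay parallel. Also worth confirming the fix on the exact path from the commit message, by forcing the save-file rename in domain_soft_reset_cb to fail and checking that domcreate_complete() now returns without the xs_unwatch() segfault.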
--
2.35.1
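The crash described in the commit message comes from a zero-filled object looking like a registered watch, because libxl uses -1, not 0, as the "not registered" slot number. The following is an added example, not libxl code and not from this patch: it models that state with hypothetical types and functions (ev_xswatch, xswait, xswatch_deregister, dcs_t), shows the zeroed-struct path the bug took beside the path after explicit initialization, and includes a general check for whether an all-zero object is a valid idle state. The names and layouts are assumptions for illustration; the segfault is modelled as a -1 return so the example can run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for libxl__ev_xswatch (assumption, not libxl's layout).
 * slotnum == -1 means "no watch registered"; any other value is a live slot.
 * Slot 0 is valid, so an all-zero struct looks registered. */
typedef struct {
    int slotnum;
    const char *path;   /* path handed to xs_unwatch() on deregister */
} ev_xswatch;

/* Hypothetical stand-in for libxl__xswait_state: wraps one watch. */
typedef struct {
    ev_xswatch xswatch;
} xswait;

/* Models libxl__xswait_init(): put the watch into the idle state. */
static void xswait_init(xswait *w)
{
    w->xswatch.slotnum = -1;
    w->xswatch.path = NULL;
}

/* Models registering a watch: occupies a slot (0 is a legitimate slot). */
static void xswatch_register(ev_xswatch *w, int slot, const char *path)
{
    w->slotnum = slot;
    w->path = path;
}

/* Models libxl__ev_xswatch_deregister().
 * Returns 0 if nothing was registered (no-op), 1 if a real xs_unwatch() would
 * have been issued, and -1 where the real code would pass a NULL path to
 * xs_unwatch() and segfault (modelled as a return code so the harness survives). */
static int xswatch_deregister(ev_xswatch *w)
{
    if (w->slotnum == -1)
        return 0;               /* idle: skip, as the real code does */
    if (w->path == NULL)
        return -1;              /* slot looks live but path is NULL: the crash */
    /* xs_unwatch(xsh, w->path, token) would go here */
    w->slotnum = -1;
    w->path = NULL;
    return 1;
}

/* Models libxl__xswait_stop(): deregister the wrapped watch. */
static int xswait_stop(xswait *w)
{
    return xswatch_deregister(&w->xswatch);
}

/* Minimal stand-in for libxl__domain_create_state: only the field at issue. */
typedef struct {
    xswait console_xswait;
} dcs_t;

/* The buggy path: dcs comes back zero-filled from allocation, the function that
 * would have initialized console_xswait is skipped, and the completion path
 * still stops the watch. slotnum 0 passes the -1 check with a NULL path. */
int buggy_soft_reset_failure(void)
{
    dcs_t dcs;
    memset(&dcs, 0, sizeof dcs);       /* same as a zeroed allocation */
    return xswait_stop(&dcs.console_xswait);
}

/* The fixed path: the caller initializes console_xswait up front, so the
 * completion path finds slotnum == -1 and skips xs_unwatch(). */
int fixed_soft_reset_failure(void)
{
    dcs_t dcs;
    memset(&dcs, 0, sizeof dcs);
    xswait_init(&dcs.console_xswait);  /* what the patch moves into the callers */
    return xswait_stop(&dcs.console_xswait);
}

/* Normal lifecycle: init, register into slot 0, stop; a real unwatch is issued.
 * The path string is a constructed sample. */
int registered_then_stopped(void)
{
    dcs_t dcs;
    xswait_init(&dcs.console_xswait);
    xswatch_register(&dcs.console_xswait.xswatch, 0, "/local/domain/1/console");
    return xswait_stop(&dcs.console_xswait);
}

/* General check for this bug class: is an all-zero object the same as an
 * initialized idle one? If not, zero-filled memory must never reach teardown. */
bool zeroed_state_is_idle(void)
{
    xswait zeroed, idle;
    memset(&zeroed, 0, sizeof zeroed);
    memset(&idle, 0, sizeof idle);     /* zero padding too, so memcmp is fair */
    xswait_init(&idle);
    return memcmp(&zeroed, &idle, sizeof idle) == 0;
}
```

The zeroed_state_is_idle() check is the reusable part: for any object whose idle sentinel is not zero, a zero-filled instance must be initialized explicitly before any teardown path can see it, which is exactly the obligation this patch moves into do_domain_create() and do_domain_soft_reset().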
On Fri, Apr 01, 2022 at 10:32:56AM -0400, Jason Andryuk wrote:
> If domain_soft_reset_cb can't rename the save file, it doesn't call
> initiate_domain_create() and calls domcreate_complete().
>
> Skipping initiate_domain_create() means dcs->console_xswait is
> uninitialized and all 0s.
>
> We have:
> domcreate_complete()
> libxl__xswait_stop()
> libxl__ev_xswatch_deregister().
>
> The uninitialized slotnum 0 is considered valid (-1 is the invalid
> sentinel), so the NULL pointer path is passed to xs_unwatch(), which
> segfaults.
>
> libxl__ev_xswatch_deregister:watch w=0x12bc250 wpath=(null) token=0/0: deregister slotnum=0
>
> Move dcs->console_xswait initialization into the callers of
> initiate_domain_create, do_domain_create() and do_domain_soft_reset(),
> so it is initialized along with the other dcs state.
>
> Fixes: c57e6ebd8c3e ("(lib)xl: soft reset support")
> Signed-off-by: Jason Andryuk <jandryuk@gmail.com>

Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>

Thanks,

-- 
Anthony PERARD