With separate control and xenstore domains, the xenstore domain itself
is no longer privileged. Local socket connections do not have
conn->domain assigned, but domain_chk_quota() will go ahead and
dereference it. The !domid_is_unprivileged(conn->id) check usually
means the function would have already returned.
Bail out on !conn->domain to avoid faulting. This adds a similar check
to that in domain_max_chk().
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
---
v6:
New
---
tools/xenstored/domain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/xenstored/domain.c b/tools/xenstored/domain.c
index 051e3fd164..c74bafa165 100644
--- a/tools/xenstored/domain.c
+++ b/tools/xenstored/domain.c
@@ -1762,7 +1762,7 @@ static bool domain_chk_quota(struct connection *conn, unsigned int mem)
time_t now;
struct domain *domain;
- if (!conn || !domid_is_unprivileged(conn->id) ||
+ if (!conn || !conn->domain || !domid_is_unprivileged(conn->id) ||
conn->is_ignored)
return false;
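Review bot: the new `!conn->domain` term in the early-return condition has no comment, so the code itself gives no reason why a connection can reach domain_chk_quota() without a domain. The commit message explains it (local socket connections when the xenstore domain is not privileged); a one-line comment above the `if` saying so would keep the reason next to the check. Note also that the early return yields `false`, the same result as for privileged and ignored connections, so domain-less connections are exempt from this quota check rather than rejected. If that exemption is intended for local sockets, it is worth stating in the comment or commit message. Since the message says domain_max_chk() already has a similar test, a small shared helper for the "no domain or privileged" case would keep the two checks from drifting apart again.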
--
2.50.1