On 9/13/25 07:56, Andrew Cooper wrote:
> On 13/09/2025 11:44 am, Oleksii Moisieiev wrote:
>> Remove redundant domid_free() call in the XEN_DOMCTL_createdomain error
>> handling path to prevent a double-free condition.
>>
>> When domain_create() fails, it internally calls _domain_destroy() during
>> its cleanup routine, which already invokes domid_free() to release the
>> allocated domain ID. The additional domid_free() call in the domctl error
>> path creates a double-free scenario, triggering an assertion failure in
>> domid.c:
>>
>> Assertion 'rc' failed at common/domid.c:84
>>
>> The domain creation flow is:
>> 1. domid_alloc() allocates a domain ID
>> 2. domain_create() is called with the allocated ID
>> 3. If domain_create() fails:
>>    a) domain_create() calls _domain_destroy() internally
>>    b) _domain_destroy() calls domid_free() to release the ID
>>    c) domctl incorrectly calls domid_free() again
>>
>> This double-free violates the domain ID management invariants and causes
>> system instability. The fix ensures domid_free() is called exactly once
>> per allocated domain ID, maintaining proper resource cleanup
>> semantics.
>
> Fixes: 2d5065060710 ("xen/domain: unify domain ID allocation")
>
>> Signed-off-by: Oleksii Moisieiev <oleksii_moisie...@epam.com>
>
> Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com>
>
> the tl;dr is that domain_create() either inserts the domain into the
> domlist, or cleans up after itself.
>
> The domid alloc infrastructure is problematic in multiple ways, not
> least because it now means there are two sources of truth for which
> domains exist, and they are not interlocked.
>
> I would have blocked this from being committed if I'd had any time to
> look at it. It will need remediating one way or another before 4.21
> goes out.

Revert time?

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
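The ownership rule the thread settles on (domain_create() either registers the domain or cleans up after itself, so the caller must not release the id again) can be modelled in a few lines. This is a constructed C model added here, not Xen's code: the function names mirror the thread, the bitmap allocator and the `bad_frees` counter that stands in for the ASSERT are assumptions, and `domain_create()` takes a `fail` flag so both the buggy and the fixed domctl paths can be exercised.

```c
#include <stdbool.h>

/* Constructed model of the domid allocator and the XEN_DOMCTL_createdomain
 * error path; the names mirror the thread but this is not Xen's code. */
#define MAX_DOMID 8
static bool domid_in_use[MAX_DOMID];
static int bad_frees;   /* counts what the ASSERT in domid_free() would catch */

/* Returns an unused id, or -1 when the table is full. */
int domid_alloc(void)
{
    for (int i = 0; i < MAX_DOMID; i++)
        if (!domid_in_use[i]) { domid_in_use[i] = true; return i; }
    return -1;
}

/* Returns 0, or -1 when the id is not allocated: a second free of the same
 * id lands here, the condition the assertion in the thread trips on. */
int domid_free(int id)
{
    if (id < 0 || id >= MAX_DOMID || !domid_in_use[id]) {
        bad_frees++;
        return -1;
    }
    domid_in_use[id] = false;
    return 0;
}

/* Model of domain_create(): on failure it cleans up after itself, and that
 * cleanup (_domain_destroy() in Xen) releases the id it was handed. */
int domain_create(int id, bool fail)
{
    if (fail) { domid_free(id); return -1; }
    return 0;
}

/* The domctl error path. With redundant_free set the caller frees the id
 * again after domain_create() already did, reproducing the double free.
 * Returns the new id, or -1 on failure; bad_frees records the double free. */
int domctl_createdomain(bool create_fails, bool redundant_free)
{
    int id = domid_alloc();
    if (id < 0) return -1;
    if (domain_create(id, create_fails) != 0) {
        if (redundant_free) domid_free(id);     /* the call the patch removes */
        return -1;
    }
    return id;
}
```

Running the failing path with `redundant_free` set bumps `bad_frees`, while the fixed path leaves it untouched and the id is free for reuse by the next successful creation.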