libxl: avoid freeing an uninitialised bitmap

If vm->def->cputune.nvcpupin is 0 in libxlDomainSetVcpuAffinities (as seems to be the case on arm) then the VIR_FREE after cleanup: would be operating on an uninitialised pointer in map.map. Fix this by using libxl_bitmap_init and libxl_bitmap_dispose in the appropriate places (like VIR_FREE, libxl_bitmap_dispose is also idempotent, so there is no double free on exit from the loop). libxl_bitmap_dispose is slightly preferable since it also sets map.size back to 0, avoiding a potential source of confusion. This fixes the crashes we've been seeing in the Xen automated tests on ARM. I had a glance at the handful of other users of libxl_bitmap and none of them looked to have a similar issue. Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
2025-02-22 19:32:19 +00:00 · 2015-06-19 17:33:30 +01:00 · 2015-06-19 17:33:30 +01:00 · cc99d240f5
commit cc99d240f5
parent ee4d2908dd
1 changed files with 4 additions and 2 deletions
--- a/src/libxl/libxl_domain.c
+++ b/src/libxl/libxl_domain.c
@ -791,6 +791,8 @@ libxlDomainSetVcpuAffinities(libxlDriverPrivatePtr driver, virDomainObjPtr vm)
    size_t i;
    int ret = -1;

+    libxl_bitmap_init(&map);
+
    for (i = 0; i < vm->def->cputune.nvcpupin; ++i) {
        pin = vm->def->cputune.vcpupin[i];
        cpumask = pin->cpumask;
@ -804,13 +806,13 @@ libxlDomainSetVcpuAffinities(libxlDriverPrivatePtr driver, virDomainObjPtr vm)
            goto cleanup;
        }

-        VIR_FREE(map.map);
+        libxl_bitmap_dispose(&map); /* Also returns to freshly-init'd state */
    }

    ret = 0;

 cleanup:
-    VIR_FREE(map.map);
+    libxl_bitmap_dispose(&map);
    virObjectUnref(cfg);
    return ret;
 }