From: Manuel Bouyer <bouyer@antioche.eu.org>
To: xen-devel@lists.xen.org
Subject: xenstored file descriptor leak
Date: Tue, 2 Feb 2021 19:37:35 +0100 [thread overview]
Message-ID: <20210202183735.GA25046@mail.soc.lip6.fr> (raw)
Hello,
on NetBSD I'm tracking down an issue where xenstored never closes its
file descriptor to /var/run/xenstored/socket and instead loops at 100%
CPU on these descriptors.
xenstored loops because poll(2) returns a POLLIN event for these
descriptors but they are marked is_ignored = true.
I'm seeing this with xen 4.15, 4.13 and has also been reported with 4.11
with latest security patches.
It seems to have started with patches for XSA-115 (A user reported this
for 4.11)
I've tracked it down to a difference in poll(2) implementation; it seems
that linux will return something that is not (POLLIN|POLLOUT) when a
socket if closed; while NetBSD returns POLLIN (this matches the NetBSD's
man page).
First I think there may be a security issue here, as, even on linux it should
be possible for a client to cause a socket to go to the is_ignored state,
while still sending data and cause xenstored to go to a 100% CPU loop.
I think this is needed anyway:
--- xenstored_core.c.orig 2021-02-02 18:06:33.389316841 +0100
+++ xenstored_core.c 2021-02-02 19:27:43.761877371 +0100
@@ -397,9 +397,12 @@
!list_empty(&conn->out_list)))
*ptimeout = 0;
} else {
- short events = POLLIN|POLLPRI;
- if (!list_empty(&conn->out_list))
- events |= POLLOUT;
+ short events = 0;
+ if (!conn->is_ignored) {
+ events |= POLLIN|POLLPRI;
+ if (!list_empty(&conn->out_list))
+ events |= POLLOUT;
+ }
conn->pollfd_idx = set_fd(conn->fd, events);
}
}
Now I wonder if, on NetBSD at last, a read error or short read shouldn't
cause the socket to be closed, as with:
@@ -1561,6 +1565,8 @@
bad_client:
ignore_connection(conn);
+ /* we don't want to keep this connection alive */
+ talloc_free(conn);
}
static void handle_output(struct connection *conn)
what do you think ?
--
Manuel Bouyer <bouyer@antioche.eu.org>
NetBSD: 26 ans d'experience feront toujours la difference
--
next reply other threads:[~2021-02-02 18:37 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-02 18:37 Manuel Bouyer [this message]
2021-02-03 6:18 ` xenstored file descriptor leak Jürgen Groß
2021-02-03 7:57 ` Manuel Bouyer
2021-02-03 8:05 ` Jürgen Groß
2021-02-03 8:16 ` Manuel Bouyer
2021-02-03 8:21 ` Jürgen Groß
2021-02-03 11:48 ` Manuel Bouyer
2021-02-03 11:54 ` Jürgen Groß
2021-02-03 12:03 ` Manuel Bouyer
2021-02-03 12:13 ` Jürgen Groß
2021-02-03 12:17 ` Manuel Bouyer
2021-02-03 12:21 ` Jürgen Groß
2021-02-03 12:33 ` Manuel Bouyer
2021-02-03 12:42 ` Jürgen Groß
2021-02-03 12:47 ` Manuel Bouyer
2021-02-03 12:58 ` Jürgen Groß
2021-02-03 13:03 ` Manuel Bouyer
2021-02-03 13:11 ` Jürgen Groß
2021-02-03 13:24 ` Manuel Bouyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210202183735.GA25046@mail.soc.lip6.fr \
--to=bouyer@antioche.eu.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.