gnt: Avoid double unmapping on domain cleanup

Oxenstored itself, when cleaning up domains and connections, can call Gnt.unmap transitively several times. Under certain conditions, this can later result in a segfault bringing oxenstored down when it tries to use a freed grant. Set the mmap_interface pointer to NULL after the first attempt so that it can be detected on the subsequent ones. Since we are already at it, bring out accesses to OCaml fields out of the critical section. Signed-off-by: Andrii Sultanov <[email protected]>
xapi-project · Jan 23, 2025 · ab12662 · ab12662
1 parent 41e311b
commit ab12662
Showing 1 changed file with 20 additions and 10 deletions.
diff --git a/gnt/gnttab_stubs.c b/gnt/gnttab_stubs.c
@@ -73,16 +73,26 @@ stub_gnttab_unmap (value xgh, value array)
 {
         CAMLparam2 (xgh, array);
         int result;
-
-        caml_enter_blocking_section ();
-        result = xengnttab_unmap (_G (xgh), _M (array)->addr,
-                                  _M (array)->len >> XEN_PAGE_SHIFT);
-        caml_leave_blocking_section ();
-
-        if (result != 0)
-          {
-                  caml_failwith ("Failed to unmap grant");
-          }
+	xengnttab_handle* xgt = _G(xgh);
+	void* start_address = _M(array)->addr;
+	uint32_t count = _M(array)->len >> XEN_PAGE_SHIFT;
+	char s[64];
+
+	/* Check if this grant hasn't already been unmapped before */
+	if (start_address) {
+		caml_enter_blocking_section ();
+		result = xengnttab_unmap (xgt, start_address, count);
+		caml_leave_blocking_section ();
+		/* Avoid double unmapping by NULL-ing the pointer */
+		_M(array)->addr = NULL;
+		_M(array)->len = 0;
+
+		if (result != 0)
+		{
+			  int r = snprintf(s, 64, "Failed to unmap grant (errno %d, rc %d)", errno, result);
+			  caml_failwith(s);
+		}
+	}
 
         CAMLreturn (Val_unit);
 }