On 09.01.2025 11:59, Juergen Gross wrote:
> There is a possible race scenario between set_global_virq_handler()
> and clear_global_virq_handlers() targeting the same domain, which
> might result in that domain ending as a zombie domain.
> 
> In case set_global_virq_handler() is being called for a domain which
> is just dying, it might happen that clear_global_virq_handlers() is
> running first, resulting in set_global_virq_handler() taking a new
> reference for that domain and entering in the global_virq_handlers[]
> array afterwards. The reference will never be dropped, thus the domain
> will never be freed completely.
> 
> This can be fixed by checking the is_dying state of the domain inside
> the region guarded by global_virq_handlers_lock. In case the domain is
> dying, handle it as if the domain wouldn't exist, which will be the
> case in near future anyway.
> 
> Fixes: 87521589aa6a ("xen: allow global VIRQ handlers to be delegated to other domains")
> Signed-off-by: Juergen Gross <[email protected]>

Reviewed-by: Jan Beulich <[email protected]>
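The interleaving the commit message describes, as an added C model that is not Xen's code: a domain marked dying has already had its handler slots cleared when set_global_virq_handler() arrives, and only a check of is_dying inside the locked region lets the setter hand its reference back. The function names follow the message; the refcount, the pthread mutex standing in for global_virq_handlers_lock, and the check_dying switch between pre-fix and fixed behaviour are assumptions of this model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#define NR_VIRQS 4

struct domain { int refcnt; bool is_dying; }; /* refs held on d; is_dying is set by the destroy path */
static struct domain *global_virq_handlers[NR_VIRQS];
static pthread_mutex_t global_virq_handlers_lock = PTHREAD_MUTEX_INITIALIZER;
static bool get_domain(struct domain *d) { d->refcnt++; return true; }
static void put_domain(struct domain *d) { d->refcnt--; }

/* Teardown: drop the reference held by every handler slot that points at d. */
static void clear_global_virq_handlers(struct domain *d)
{
    int put_count = 0;
    pthread_mutex_lock(&global_virq_handlers_lock);
    for (int v = 0; v < NR_VIRQS; v++)
        if (global_virq_handlers[v] == d) { global_virq_handlers[v] = NULL; put_count++; }
    pthread_mutex_unlock(&global_virq_handlers_lock);
    while (put_count-- > 0) put_domain(d);
}

/* check_dying=false: pre-fix behaviour; true: is_dying is tested under the lock. */
static int set_global_virq_handler(struct domain *d, int virq, bool check_dying)
{
    struct domain *old; int rc = 0;
    if (!get_domain(d)) return -1;
    pthread_mutex_lock(&global_virq_handlers_lock);
    if (check_dying && d->is_dying) {
        old = d;  /* treat a dying domain as nonexistent: hand back our own reference */
        rc = -1;
    } else {
        old = global_virq_handlers[virq];
        global_virq_handlers[virq] = d;
    }
    pthread_mutex_unlock(&global_virq_handlers_lock);
    if (old) put_domain(old);
    return rc;
}

/* The losing interleaving: d is dying and teardown ran first. Returns the refs left on d (nonzero = zombie). */
static int leaked_refs_after_race(bool check_dying)
{
    struct domain d = { .refcnt = 0, .is_dying = true };
    for (int v = 0; v < NR_VIRQS; v++) global_virq_handlers[v] = NULL;
    clear_global_virq_handlers(&d);               /* finds no slot, drops nothing */
    set_global_virq_handler(&d, 1, check_dying);  /* arrives after teardown */
    return d.refcnt;                              /* pre-fix: 1; fixed: 0 */
}
```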
