[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v5 2/2] allow hardware domain != dom0



>>> On 16.04.14 at 21:13, <dgdegra@xxxxxxxxxxxxx> wrote:
> On 04/16/2014 03:06 PM, Andrew Cooper wrote:
>> On 16/04/14 19:56, Daniel De Graaf wrote:
>>>   static unsigned int __read_mostly extra_dom0_irqs = 256;
>>>   static unsigned int __read_mostly extra_domU_irqs = 32;
>>>   static void __init parse_extra_guest_irqs(const char *s)
>>> @@ -192,7 +242,7 @@ custom_param("extra_guest_irqs", 
>>> parse_extra_guest_irqs);
>>>   struct domain *domain_create(
>>>       domid_t domid, unsigned int domcr_flags, uint32_t ssidref)
>>>   {
>>> -    struct domain *d, **pd;
>>> +    struct domain *d, **pd, *old_hwdom = NULL;
>>>       enum { INIT_xsm = 1u<<0, INIT_watchdog = 1u<<1, INIT_rangeset = 1u<<2,
>>>              INIT_evtchn = 1u<<3, INIT_gnttab = 1u<<4, INIT_arch = 1u<<5 };
>>>       int err, init_status = 0;
>>> @@ -237,10 +287,12 @@ struct domain *domain_create(
>>>       else if ( domcr_flags & DOMCRF_pvh )
>>>           d->guest_type = guest_type_pvh;
>>>
>>> -    if ( domid == 0 )
>>> +    if ( domid == 0 || domid == hardware_domid )
>>>       {
>>> +        BUG_ON(domid >= DOMID_FIRST_RESERVED);
>>
>> Domid is a signed type.
>>
>> You also need ensure it is not negative, as assign_integer_param() from
>> the command line parsing writes all values as unsigned.
> 
> While this is true, the domain ID has already been validated by the caller
> of domain_create and so there is no need to check for domid < 0 here.  If
> someone assigns an out-of-range domain ID to the hardware_domid field, the
> system will act the same as if any other unused domain ID is specified: a
> technically working but realistically unusable system.

The thing is that you check the wrong entity: domid is always valid
(as it is being picked by the caller) - you really want to BUG_ON() or
panic() upon seeing hardware_domid >= DOMID_FIRST_RESERVED (and
indeed I think in this case panic() would be the better option, as it
gives a descriptive message for bad user input rather than a crash
the reason for which one needs to look up in sources).

As that's the only (non-cosmetic) change request, I'd be fine doing
that change while committing, unless I hear to the contrary.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.