Xen project Mailing List

Re: [Xen-devel] [PATCH v5 2/2] allow hardware domain != dom0

To: Jan Beulich <JBeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Date: Thu, 17 Apr 2014 10:19:04 -0400

Cc: Keir Fraser <keir@xxxxxxx>, Tim Deegan <tim@xxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Ian Campbell <ian.campbell@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx

Delivery-date: Thu, 17 Apr 2014 14:20:05 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 04/17/2014 03:24 AM, Jan Beulich wrote:

On 16.04.14 at 21:13, <dgdegra@xxxxxxxxxxxxx> wrote:

On 04/16/2014 03:06 PM, Andrew Cooper wrote:

On 16/04/14 19:56, Daniel De Graaf wrote:

   static unsigned int __read_mostly extra_dom0_irqs = 256;
   static unsigned int __read_mostly extra_domU_irqs = 32;
   static void __init parse_extra_guest_irqs(const char *s)
@@ -192,7 +242,7 @@ custom_param("extra_guest_irqs", parse_extra_guest_irqs);
   struct domain *domain_create(
       domid_t domid, unsigned int domcr_flags, uint32_t ssidref)
   {
-    struct domain *d, **pd;
+    struct domain *d, **pd, *old_hwdom = NULL;
       enum { INIT_xsm = 1u<<0, INIT_watchdog = 1u<<1, INIT_rangeset = 1u<<2,
              INIT_evtchn = 1u<<3, INIT_gnttab = 1u<<4, INIT_arch = 1u<<5 };
       int err, init_status = 0;
@@ -237,10 +287,12 @@ struct domain *domain_create(
       else if ( domcr_flags & DOMCRF_pvh )
           d->guest_type = guest_type_pvh;

-    if ( domid == 0 )
+    if ( domid == 0 || domid == hardware_domid )
       {
+        BUG_ON(domid >= DOMID_FIRST_RESERVED);


Domid is a signed type.

You also need ensure it is not negative, as assign_integer_param() from
the command line parsing writes all values as unsigned.


While this is true, the domain ID has already been validated by the caller
of domain_create and so there is no need to check for domid < 0 here.  If
someone assigns an out-of-range domain ID to the hardware_domid field, the
system will act the same as if any other unused domain ID is specified: a
technically working but realistically unusable system.


The thing is that you check the wrong entity: domid is always valid
(as it is being picked by the caller) - you really want to BUG_ON() or
panic() upon seeing hardware_domid >= DOMID_FIRST_RESERVED (and
indeed I think in this case panic() would be the better option, as it
gives a descriptive message for bad user input rather than a crash
the reason for which one needs to look up in sources).

As that's the only (non-cosmetic) change request, I'd be fine doing
that change while committing, unless I hear to the contrary.

Jan

That change is fine with me. -- Daniel De Graaf National Security Agency _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.