|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [v8][PATCH 02/17] introduce XEN_DOMCTL_set_rdm
>>> On 08.12.14 at 07:06, <tiejun.chen@xxxxxxxxx> wrote:
> On 2014/12/4 23:33, Jan Beulich wrote:
>>>>> On 01.12.14 at 10:24, <tiejun.chen@xxxxxxxxx> wrote:
> Looks this could be fine,
>
> d->arch.hvm_domain.pci_force = xdsr->flags & PCI_DEV_RDM_CHECK;
Which is correct only because PCI_DEV_RDM_CHECK happens to be
1. Such hidden dependencies shouldn't be introduced though, in
particular to avoid others then cloning the code for a flag that's not
1. The canonical form (found in many places throughout the treei
d->arch.hvm_domain.pci_force = !!(xdsr->flags & PCI_DEV_RDM_CHECK);
>>> + d->arch.hvm_domain.pcidevs = NULL;
>>> +
>>> + if ( xdsr->num_pcidevs )
>>> + {
>>> + pcidevs = xmalloc_array(xen_guest_pcidev_info_t,
>>> + xdsr->num_pcidevs);
>>
>> New domctl-s must not represent security risks: xdsr->num_pcidevs
>> can be (almost) arbitrarily large - do you really want to allow such
>> huge allocations? A reasonable upper bound could for example be
>
> Sorry, as you know this num_pcidevs is from tools, and actually it share
> that result from that existing hypercall, assign_device, while parsing
> 'pci=[]', so I couldn't understand why this can be (almost" arbitrarily
> large.
You imply well behaved tools, which you shouldn't when viewing
things from a security perspective.
>> the total number of PCI devices the hypervisor knows about.
>
> I take a quick look at this but looks we have no this exact value that
> we can get directly.
You need some upper bound. Whether you introduce a properly
maintained count or a suitable estimate thereof doesn't matter.
>>> --- a/xen/include/asm-x86/hvm/domain.h
>>> +++ b/xen/include/asm-x86/hvm/domain.h
>>> @@ -90,6 +90,10 @@ struct hvm_domain {
>>> /* Cached CF8 for guest PCI config cycles */
>>> uint32_t pci_cf8;
>>>
>>> + bool_t pci_force;
>>> + uint32_t num_pcidevs;
>>> + struct xen_guest_pcidev_info *pcidevs;
>>
>> Without a comment all these field names are pretty questionable.
>
> Yeah, I try to add some comments,
>
> /* A global flag, we need to check/reserve all Reserved Device
> Memory. */
> bool_t pci_force;
> /*
> * If pci_force is 0, this represents how many pci devices we need
> * to check/reserve Reserved Device Memory.
> * If pci_force is 1, this is always 0.
> */
> uint32_t num_pcidevs;
> /* This represents those pci devices instances when num_pcidevs !=
> 0. */
> struct xen_guest_pcidev_info *pcidevs;
I really didn't necessarily mean individual comments - one for the whole
group would suffice.
Also I don't think pci_force is really the right name - all_pcidevs or
some such would seem more suitable following the entire series.
And finally, I'm generally advocating for avoiding redundant data
items - I'm sure this "all" notion can be encoded reasonable with
just the other two field (and a suitable checking macro).
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |