Xen project Mailing List

Re: [BUG v2] common/domctl: xsm update for get_domain_state access

From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 19 Feb 2026 09:30:46 -0500

Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1771511451; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=NuQEVgW+Cs/2UnJ66xPuD9vx/rd7t25ZlXFCPYDmSXM=; b=nkJvI7eGo8/dsrb5RDZB8fs2M/iVj8Z/koYQBSleBmPD6S80tzA9dcJklNrXaM5qhkC+G+/VyHqIuh98UZ4b+0MVAq8ejmH4dOSN08K+27lDBvgWyCY4jMtzOwjNYo17Ip3Z4xaHR5Gef17NfZvmAot0SCoEoIVqV1+If11f/6E=

Arc-seal: i=1; a=rsa-sha256; t=1771511451; cv=none; d=zohomail.com; s=zohoarc; b=Ld8iQeYgCRzeSf+KTh+NG/ziwDFZnCHoUjv0arW86dzXFKLSdwulzJTmVkz1Ee3QksRbJDp0hpAfW7WB9YQnJO/7PEjffgNFfeI0TgVpCwlI0zShyHTgU+GxTv0qXYufLCZCFgbslhYd2SGx2l5MpIoCgUUBPjMRhVty+A04C7Y=

Autocrypt: addr=dpsmith@xxxxxxxxxxxxxxxxxxxx; keydata= xsJuBFYrueARCACPWL3r2bCSI6TrkIE/aRzj4ksFYPzLkJbWLZGBRlv7HQLvs6i/K4y/b4fs JDq5eL4e9BdfdnZm/b+K+Gweyc0Px2poDWwKVTFFRgxKWq9R7McwNnvuZ4nyXJBVn7PTEn/Z G7D08iZg94ZsnUdeXfgYdJrqmdiWA6iX9u84ARHUtb0K4r5WpLUMcQ8PVmnv1vVrs/3Wy/Rb foxebZNWxgUiSx+d02e3Ad0aEIur1SYXXv71mqKwyi/40CBSHq2jk9eF6zmEhaoFi5+MMMgX X0i+fcBkvmT0N88W4yCtHhHQds+RDbTPLGm8NBVJb7R5zbJmuQX7ADBVuNYIU8hx3dF3AQCm 601w0oZJ0jGOV1vXQgHqZYJGHg5wuImhzhZJCRESIwf+PJxik7TJOgBicko1hUVOxJBZxoe0 x+/SO6tn+s8wKlR1Yxy8gYN9ZRqV2I83JsWZbBXMG1kLzV0SAfk/wq0PAppA1VzrQ3JqXg7T MZ3tFgxvxkYqUP11tO2vrgys+InkZAfjBVMjqXWHokyQPpihUaW0a8mr40w9Qui6DoJj7+Gg DtDWDZ7Zcn2hoyrypuht88rUuh1JuGYD434Q6qwQjUDlY+4lgrUxKdMD8R7JJWt38MNlTWvy rMVscvZUNc7gxcmnFUn41NPSKqzp4DDRbmf37Iz/fL7i01y7IGFTXaYaF3nEACyIUTr/xxi+ MD1FVtEtJncZNkRn7WBcVFGKMAf+NEeaeQdGYQ6mGgk++i/vJZxkrC/a9ZXme7BhWRP485U5 sXpFoGjdpMn4VlC7TFk2qsnJi3yF0pXCKVRy1ukEls8o+4PF2JiKrtkCrWCimB6jxGPIG3lk 3SuKVS/din3RHz+7Sr1lXWFcGYDENmPd/jTwr1A1FiHrSj+u21hnJEHi8eTa9029F1KRfocp ig+k0zUEKmFPDabpanI323O5Tahsy7hwf2WOQwTDLvQ+eqQu40wbb6NocmCNFjtRhNZWGKJS b5GrGDGu/No5U6w73adighEuNcCSNBsLyUe48CE0uTO7eAL6Vd+2k28ezi6XY4Y0mgASJslb NwW54LzSSM0uRGFuaWVsIFAuIFNtaXRoIDxkcHNtaXRoQGFwZXJ0dXNzb2x1dGlvbnMuY29t PsJ6BBMRCAAiBQJWK7ngAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBTc6WbYpR8 KrQ9AP94+xjtFfJ8gj5c7PVx06Zv9rcmFUqQspZ5wSEkvxOuQQEAg6qEsPYegI7iByLVzNEg 7B7fUG7pqWIfMqFwFghYhQzOwU0EViu54BAIAL6MXXNlrJ5tRUf+KMBtVz1LJQZRt/uxWrCb T06nZjnbp2UcceuYNbISOVHGXTzu38r55YzpkEA8eURQf+5hjtvlrOiHxvpD+Z6WcpV6rrMB kcAKWiZTQihW2HoGgVB3gwG9dCh+n0X5OzliAMiGK2a5iqnIZi3o0SeW6aME94bSkTkuj6/7 OmH9KAzK8UnlhfkoMg3tXW8L6/5CGn2VyrjbB/rcrbIR4mCQ+yCUlocuOjFCJhBd10AG1IcX OXUa/ux+/OAV9S5mkr5Fh3kQxYCTcTRt8RY7+of9RGBk10txi94dXiU2SjPbassvagvu/hEi twNHms8rpkSJIeeq0/cAAwUH/jV3tXpaYubwcL2tkk5ggL9Do+/Yo2WPzXmbp8vDiJPCvSJW rz2NrYkd/RoX+42DGqjfu8Y04F9XehN1zZAFmCDUqBMa4tEJ7kOT1FKJTqzNVcgeKNBGcT7q 27+wsqbAerM4A0X/F/ctjYcKwNtXck1Bmd/T8kiw2IgyeOC+cjyTOSwKJr2gCwZXGi5g+2V8 NhJ8n72ISPnOh5KCMoAJXmCF+SYaJ6hIIFARmnuessCIGw4ylCRIU/TiXK94soilx5aCqb1z ke943EIUts9CmFAHt8cNPYOPRd20pPu4VFNBuT4fv9Ys0iv0XGCEP+sos7/pgJ3gV3pCOric p15jV4PCYQQYEQgACQUCViu54AIbDAAKCRBTc6WbYpR8Khu7AP9NJrBUn94C/3PeNbtQlEGZ NV46Mx5HF0P27lH3sFpNrwD/dVdZ5PCnHQYBZ287ZxVfVr4Zuxjo5yJbRjT93Hl0vMY=

Cc: Chris Rogers <rogersc@xxxxxxxxxxxx>, Dmytro Firsov <dmytro_firsov@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Thu, 19 Feb 2026 14:31:26 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2/19/26 08:23, Jan Beulich wrote:

On 19.02.2026 13:34, Daniel P. Smith wrote:

On 2/19/26 06:11, Jan Beulich wrote:

On 18.02.2026 20:08, Daniel P. Smith wrote:

@@ -238,28 +242,39 @@ int get_domain_state(struct xen_domctl_get_domain_state 
*info, struct domain *d,

while ( dom_state_changed )

       {
-        dom = find_first_bit(dom_state_changed, DOMID_MASK + 1);
+        dom = find_next_bit(dom_state_changed, DOMID_MASK + 1, dom + 1);
           if ( dom >= DOMID_FIRST_RESERVED )
               break;
+
+        d = rcu_lock_domain_by_id(dom);
+        if ( d && xsm_get_domain_state(XSM_XS_PRIV, d) )
+        {
+            rcu_unlock_domain(d);
+            d = NULL;


This looks unnecessary; the next loop iteration will set d unconditionally,
and d isn't (and wasn't) used past the loop. Plus there is also no such
clearing after the other rcu_unlock_domain().


If the src domain didn't have the permission on any of the target
domains, then *d will leak the last domain checked back to the caller.
While I didn't see it being used after the call site, it's a good
principle not to leak from a function an object for which access was denied.


I don't follow: What do you mean by "*d will leak"? d is local to this function;
no domain pointer is being returned.

My bad, you are correct, will drop.

+            continue;
+        }


This cleanup here also is redundant with the one done further down. Imo where
possible we should prefer to have only a single such instance, which looks to
be easily possible by using ...

           if ( test_and_clear_bit(dom, dom_state_changed) )



          if ( (!d || !xsm_get_domain_state(XSM_XS_PRIV, d)) &&
               test_and_clear_bit(dom, dom_state_changed) )

or

          if ( (d && xsm_get_domain_state(XSM_XS_PRIV, d)) ||
               !test_and_clear_bit(dom, dom_state_changed) )
          {
               ...
               continue;
          }

albeit then the reduction of indentation of the subsequent code would cause
quite a bit more code churn.


I would prefer the latter to keep the clearing of d to NULL only when
access was denied.


I again don't understand, as ...

           {
               *domid = dom;

- d = rcu_lock_domain_by_id(dom);

-
               if ( d )
               {
                   set_domain_state_info(info, d);
-
                   rcu_unlock_domain(d);
               }
               else
                   memset(info, 0, sizeof(*info));

rc = 0;

-
               break;


... this code would remain unchanged apart from the reduced indentation.

I don't think the blank lines need dropping for the purpose of the patch?
Yes, they may seem excessive, but nevertheless some prefer to have rather
too many of them than too few. (Personally I don't mind their removal,
but that really doesn't look to belong here.)


Okay, but as you state above, with the compounding of the if statement,
the indentation will go away and the whole section will a remove/add
section to the diff. Would you still want the line spacing maintained?


As said, I don't mind those particular blank lines being dropped (if that's
because adjacent lines are touched anyway).

ack.

--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -860,12 +860,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
           break;

case XEN_DOMCTL_get_domain_state:

-        ret = xsm_get_domain_state(XSM_XS_PRIV, d);
-        if ( ret )
-            break;
-
-        copyback = 1;
           ret = get_domain_state(&op->u.get_domain_state, d, &op->domain);
+        if ( !ret )
+            copyback = 1;


Nit: As you need to touch this, please switch to using "true".


Just to be clear, you mean switching to a conditional statement vs
testing for not zero?


No. I mean using "true" in place of "1", since copyback is of type "bool".

ack.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.