[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/arm: check max_init_domid validity

  • To: Michal Orzel <michal.orzel@xxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Tue, 28 Feb 2023 12:48:34 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cSfSJaQlVvT4XH7JtAFqHsJc7TufrDdXZ9LPhMAnd4c=; b=NiLHLZB/vgrPg4eEzCoi+NExY1RxyeWzNb6BnQz1LYRoXSKRUhan8i3QEGPL3QvohG4jemiia37JRc6HHrakKWovw36v1enr1m8bldP55aJbCroKHKZGV9+V2RDVxLCHHVfJgnqVkgnSRBM9wUh0Iaqzc1Ls+1b49vDA5Ol8yRBHm32mN/dC+kguAN7wGNGiW44QcQmIzN4TbEy2q1TbbbilSdfk9Qd8JrH9uXxHykvPvXsHR7/B6g94egRUiQVxF7WeC3E2U4M4DWgxyfQ/7AI6lpXhodq0LclapenZUTjfx4yS2JwyYAGBCGbie/GitQciFefolUWxCq1wCyhcUA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RE3zxZD/wWWPxheukBtA4w3GadYj2v9qkIkyIGvJAwHnDPAZ5PlwXf6NPZXM1DPgR8yv/gHGYwlRJI+fEy1e1CpLXkV++i8bJOzZRJDVJn0NKODLvmr7tNxV/oSDhlAy3BxA0Xd9+3xWKWiF9fQW7UnKK3F2x1L1fEVH5FifJJfSB+jJB+Aq1ueDCU3foP5wJPa9tXG46iM/Q64NXQ/NXM1oeEotMIZjBOlO1Z3hGT7GBzhxmrq6c5gZ7qAcNTZTEySEtH6VrvtfwGTA3HegD/7okmLFp573EmQi9XGpteiRbhuBFTzY2joo07SWFDTxDK+PedTpp8bIc4p3Brwa2A==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Tue, 28 Feb 2023 12:49:07 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHZS0viJcxXSoqTp0W5BFLJDCsX267kNAcAgAAbRAA=
  • Thread-topic: [PATCH] xen/arm: check max_init_domid validity
Hi MIchal,

> On 28 Feb 2023, at 12:10, Michal Orzel <michal.orzel@xxxxxxx> wrote:
> 
> Hi Bertrand,
> 
> On 28/02/2023 09:08, Bertrand Marquis wrote:
>> 
>> 
>> Before trying to create a dom0less guest, check that max_init_domid
>> increment will generate a valid domain ID, lower than
>> DOMID_FIRST_RESERVED.
>> 
>> Signed-off-by: Bertrand Marquis <bertrand.marquis@xxxxxxx>
>> ---
>> xen/arch/arm/domain_build.c | 3 +++
>> 1 file changed, 3 insertions(+)
>> 
>> diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
>> index edca23b986d2..9707eb7b1bb1 100644
>> --- a/xen/arch/arm/domain_build.c
>> +++ b/xen/arch/arm/domain_build.c
>> @@ -3879,6 +3879,9 @@ void __init create_domUs(void)
>>         if ( !dt_device_is_compatible(node, "xen,domain") )
>>             continue;
>> 
>> +        if ( (max_init_domid + 1) >= DOMID_FIRST_RESERVED )
>> +            panic("No more domain IDs available\n");
> Here are some of my thoughts:
> 1. The check if domid is >= DOMID_FIRST_RESERVED is used in quite a lot of
> places in the Xen code. We might want to introduce a global function for that 
> purpose
> instead of repeating this check all over the codebase.

We could introduce something but looking at the code i think that the first 
thing to do
would be to use is_system_domain where possible (ie when there is a domain 
structure)
and then cleanup a bit domctl.c where there are some double check of
DOMID_FIRST_RESERVED (in the hypercall code and in is_free_domid).
Once that is done, there would be a lot less usage of this.

> 
> 2. This check is something that could be moved to be generic. At the moment 
> we do have
> an ASSERT with is_system_domain in domain_create. I know domain_create can be 
> called for
> domids in special range so this would need to be thought through.

I do not think that domain_create is the right place to have this check as it 
is correct to call it to
create system domains.

> 
> 3. The placement of this check at the top of the function before starting to 
> parse dt properties
> might be problematic in the future if we decide to allow specifying static 
> domids for dom0less domUs.
> In a static configuration, most of the time, we do not have xenstore (either 
> because of lack of xenstore
> support or because of lack of dom0). AFAIKT, in Xen a domain can get to know 
> its domid only through xenstore
> (DOMID_SELF is not working in all the cases). Also, in a static 
> configuration, it makes the life of an integrator
> easy to know all the domids upfront to easily set up some communication, 
> grant tables, etc.

Right now the idea is to fail as early as possible to prevent doing any 
operation that is not needed.
Having a way to statically define the dom id in configuration does make sense 
and the check will have
to be modified once the support for this will be added.

> 
> Let me know your thoughts.

There is some improvement possible in the overall code but the goal here is 
just to solve a possible issue so this
patch could be merged and other changes could be done in a following patch if 
wanted.

Cheers
Bertrand

> 
> ~Michal

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.