From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH v5 2/2] allow hardware domain != dom0
Date: Wed, 16 Apr 2014 15:13:29 -0400
Message-ID: <534ED659.7030704@tycho.nsa.gov>
References: <1397674562-3444-1-git-send-email-dgdegra@tycho.nsa.gov>
	<1397674562-3444-2-git-send-email-dgdegra@tycho.nsa.gov>
	<534ED4D0.6070906@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <534ED4D0.6070906@citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Keir Fraser <keir@xen.org>, Ian Campbell <ian.campbell@citrix.com>, Tim Deegan <tim@xen.org>, Ian Jackson <ian.jackson@eu.citrix.com>, xen-devel@lists.xen.org, Jan Beulich <jbeulich@suse.com>
List-Id: xen-devel@lists.xenproject.org

On 04/16/2014 03:06 PM, Andrew Cooper wrote:
> On 16/04/14 19:56, Daniel De Graaf wrote:
>>   static unsigned int __read_mostly extra_dom0_irqs = 256;
>>   static unsigned int __read_mostly extra_domU_irqs = 32;
>>   static void __init parse_extra_guest_irqs(const char *s)
>> @@ -192,7 +242,7 @@ custom_param("extra_guest_irqs", parse_extra_guest_irqs);
>>   struct domain *domain_create(
>>       domid_t domid, unsigned int domcr_flags, uint32_t ssidref)
>>   {
>> -    struct domain *d, **pd;
>> +    struct domain *d, **pd, *old_hwdom = NULL;
>>       enum { INIT_xsm = 1u<<0, INIT_watchdog = 1u<<1, INIT_rangeset = 1u<<2,
>>              INIT_evtchn = 1u<<3, INIT_gnttab = 1u<<4, INIT_arch = 1u<<5 };
>>       int err, init_status = 0;
>> @@ -237,10 +287,12 @@ struct domain *domain_create(
>>       else if ( domcr_flags & DOMCRF_pvh )
>>           d->guest_type = guest_type_pvh;
>>
>> -    if ( domid == 0 )
>> +    if ( domid == 0 || domid == hardware_domid )
>>       {
>> +        BUG_ON(domid >= DOMID_FIRST_RESERVED);
>
> Domid is a signed type.
>
> You also need ensure it is not negative, as assign_integer_param() from
> the command line parsing writes all values as unsigned.
>
> ~Andrew

While this is true, the domain ID has already been validated by the caller
of domain_create and so there is no need to check for domid < 0 here.  If
someone assigns an out-of-range domain ID to the hardware_domid field, the
system will act the same as if any other unused domain ID is specified: a
technically working but realistically unusable system.

-- 
Daniel De Graaf
National Security Agency