From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH 4/7] xen: sched: get rid of the per domain
 vCPU list in RTDS
Date: Thu, 8 Oct 2015 14:47:55 +0100
Message-ID: <5616740B.6010907@citrix.com>
References: <20151008124027.12522.42552.stgit@Solace.station>
	<20151008125258.12522.94232.stgit@Solace.station>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=71687dc37=Andrew.Cooper3@citrix.com>)
	id 1ZkBYF-0006sE-HZ
	for xen-devel@lists.xenproject.org; Thu, 08 Oct 2015 13:48:07 +0000
In-Reply-To: <20151008125258.12522.94232.stgit@Solace.station>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Dario Faggioli <dario.faggioli@citrix.com>, xen-devel@lists.xenproject.org
Cc: George Dunlap <george.dunlap@eu.citrix.com>, Meng Xu <mengxu@cis.upenn.edu>
List-Id: xen-devel@lists.xenproject.org

On 08/10/15 13:52, Dario Faggioli wrote:
> @@ -319,14 +317,16 @@ rt_dump(const struct scheduler *ops)
>      }
>  
>      printk("Domain info:\n");
> -    list_for_each( iter_sdom, &prv->sdom )
> +    list_for_each( iter, &prv->sdom )
>      {
> -        sdom = list_entry(iter_sdom, struct rt_dom, sdom_elem);
> +        struct vcpu *vc;
> +
> +        sdom = list_entry(iter, struct rt_dom, sdom_elem);
>          printk("\tdomain: %d\n", sdom->dom->domain_id);
>  
> -        list_for_each( iter_svc, &sdom->vcpu )
> +        for_each_vcpu( sdom->dom, vc )

Space before bracket, as you are already changing the line.

>          {
> -            svc = list_entry(iter_svc, struct rt_vcpu, sdom_elem);
> +            svc = rt_vcpu(vc);
>              rt_dump_vcpu(ops, svc);
>          }
>      }
>
> @@ -1145,7 +1135,7 @@ rt_dom_cntl(
>      {
>      case XEN_DOMCTL_SCHEDOP_getinfo:
>          spin_lock_irqsave(&prv->lock, flags);
> -        svc = list_entry(sdom->vcpu.next, struct rt_vcpu, sdom_elem);
> +        svc = rt_vcpu(sdom->dom->vcpu[0]);

This change swaps one potential bad pointer for another.

In the former case, there was no guarantee that sdom->vcpu had any
entries in it, potentially making svc a wild pointer.

In the latter case, there is no guarantee that dom->vcpu has been
allocated yet.  You must check d->max_vcpus > 0 before dereferencing
d->vcpu[].

~Andrew