All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ian Jackson <Ian.Jackson@eu.citrix.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
	"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>
Subject: Re: [PATCH 3/6] libxl, xl: fixes to domain creation cleanup logic (domid values)
Date: Thu, 27 Jan 2011 20:01:36 +0000	[thread overview]
Message-ID: <19777.53024.392960.80045@mariner.uk.xensource.com> (raw)
In-Reply-To: <19777.49322.747849.408538@mariner.uk.xensource.com>

I wrote:
> Hrm.  Perhaps a utility function for testing valid guest domids would
> be a good idea.

How about this.

Ian.

commit 2036fda8474df55879ce8b7dd2b0e20fe7e8e3eb
Author: Ian Jackson <ian.jackson@eu.citrix.com>
Date:   Thu Jan 27 17:22:41 2011 +0000

    libxl, xl: fixes to domain creation cleanup logic (domid values)
    
    libxl__domain_make makes some assumptions about the way its caller
    treats its uint32_t *domid parameter: specifically, if it fails it may
    have partially created the domain and it does not every destroy it.
    But it does not initialise it.  Document this assumption in a comment,
    and assert on entry that domid not a guest domain id, to ensure that
    the caller has properly initialised it.
    
    Introduce a function libxl_domid_valid_guest to help with this.
    
    This is not intended to produce any practical functional change in
    current code.
    
    Secondly, libxl_create_stubdom calls libxl__domain_make and has no
    code to tear down the domain again on error.  This is complicated to
    fix (since it may even be possible for the the domain to be left in a
    state where it's not possible to tell that it was going to be a
    stubdom for some other domain).  So for now simply leave a fixme
    comment.
    
    Finally, in 22739:d839631b6048 we introduced "-1" as a sentinel "no
    such domain" value for domid.  However, domid is a uint32 so testing
    it with "if (domid > 0)" as we do in 22740:ce208811f540 is wrong
    because it always triggers.  Instead use libxl_domid_valid_guest.
    This fix means that that if "xl create" fails, it will not try to
    destroy the domain "-1".  Previously you'd see this message:
      libxl: error: libxl.c:697:libxl_domain_destroy non-existant domain -1
    whose "-1" many readers may have thought was an error code, but which
    is actually supposedly a domain id.
    
    Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

diff --git a/tools/libxl/libxl.h b/tools/libxl/libxl.h
index d608e99..0851e66 100644
--- a/tools/libxl/libxl.h
+++ b/tools/libxl/libxl.h
@@ -554,6 +554,12 @@ int libxl_cpupool_cpuremove(libxl_ctx *ctx, uint32_t poolid, int cpu);
 int libxl_cpupool_cpuremove_node(libxl_ctx *ctx, uint32_t poolid, int node, int *cpus);
 int libxl_cpupool_movedomain(libxl_ctx *ctx, uint32_t poolid, uint32_t domid);
 
+static inline int libxl_domid_valid_guest(uint32_t domid) {
+    /* returns 1 if the value _could_ be a valid guest domid, 0 otherwise
+     * does not check whether the domain actually exists */
+    return domid > 0 && domid < DOMID_FIRST_RESERVED;
+}
+
 /* common paths */
 const char *libxl_sbindir_path(void);
 const char *libxl_bindir_path(void);
diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
index 0d0c84f..c3da845 100644
--- a/tools/libxl/libxl_create.c
+++ b/tools/libxl/libxl_create.c
@@ -25,6 +25,7 @@
 #include <xenctrl.h>
 #include <xc_dom.h>
 #include <xenguest.h>
+#include <assert.h>
 #include "libxl.h"
 #include "libxl_utils.h"
 #include "libxl_internal.h"
@@ -282,7 +283,8 @@ out:
 }
 
 int libxl__domain_make(libxl_ctx *ctx, libxl_domain_create_info *info,
-                       uint32_t *domid)
+                       uint32_t *domid /* domid 0 or ~0 on entry; on exit
+                                          valid, perhaps >0 (even on error) */)
 {
     libxl__gc gc = LIBXL_INIT_GC(ctx); /* fixme: should be done by caller */
     int flags, ret, i, rc;
@@ -296,6 +298,8 @@ int libxl__domain_make(libxl_ctx *ctx, libxl_domain_create_info *info,
     xs_transaction_t t = 0;
     xen_domain_handle_t handle;
 
+    assert(!libxl_domid_valid_guest(*domid));
+
     uuid_string = libxl__uuid2string(&gc, info->uuid);
     if (!uuid_string) {
         rc = ERROR_NOMEM;
diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 3cfebbf..3bef49a 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -473,6 +473,8 @@ static int libxl_create_stubdom(libxl_ctx *ctx,
     b_info.u.pv.features = "";
     b_info.hvm = 0;
 
+    /* fixme: this function can leak the stubdom if it fails */
+
     ret = libxl__domain_make(ctx, &c_info, &domid);
     if (ret)
         goto out_free;
diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
index 5826755..703bb03 100644
--- a/tools/libxl/xl_cmdimpl.c
+++ b/tools/libxl/xl_cmdimpl.c
@@ -1649,7 +1649,7 @@ start:
 
 error_out:
     release_lock();
-    if (domid > 0)
+    if (libxl_domid_valid_guest(domid))
         libxl_domain_destroy(&ctx, domid, 0);
 
 out:

  reply	other threads:[~2011-01-27 20:01 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-01-27 17:40 [PATCH 0/6] libxl, xl: fix domain name uniqueness check Ian Jackson
2011-01-27 17:40 ` [PATCH 1/6] xl: Revert "xl: avoid creating domains with duplicate names" Ian Jackson
2011-01-27 17:41   ` [PATCH 2/6] libxl: fix error handling (xenstore transaction leak) in libxl__domain_make Ian Jackson
2011-01-27 17:41     ` [PATCH 3/6] libxl, xl: fixes to domain creation cleanup logic (domid values) Ian Jackson
2011-01-27 17:41       ` [PATCH 4/6] libxl: internals: document the error behaviour of various libxl__xs_* functions Ian Jackson
2011-01-27 17:41         ` [PATCH 5/6] libxl: during domain destruction, do not complain if no devices dir to destroy Ian Jackson
2011-01-27 17:41           ` [PATCH 6/6] libxl: prevent creation of domains with duplicate names Ian Jackson
2011-01-27 18:33       ` [PATCH 3/6] libxl, xl: fixes to domain creation cleanup logic (domid values) Stefano Stabellini
2011-01-27 18:59         ` Ian Jackson
2011-01-27 20:01           ` Ian Jackson [this message]
2011-01-27 20:13             ` Gianni Tedesco
2011-01-28 12:22             ` Stefano Stabellini
2011-01-28 12:28               ` Ian Jackson
2011-01-28 13:27                 ` Stefano Stabellini
2011-01-28 17:38                   ` Ian Jackson
2011-01-28 17:52                     ` Stefano Stabellini
2011-01-28 18:39                       ` Ian Jackson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=19777.53024.392960.80045@mariner.uk.xensource.com \
    --to=ian.jackson@eu.citrix.com \
    --cc=stefano.stabellini@eu.citrix.com \
    --cc=xen-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.