On Thu, Mar 16, 2023 at 2:15 PM Michal Orzel <michal.orzel@amd.com> wrote:

>
>
> On 16/03/2023 12:11, Jan Beulich wrote:
> > Caution: This message originated from an External Source. Use proper
> caution when opening attachments, clicking links, or responding.
> >
> >
> > On 16.03.2023 11:26, Michal Orzel wrote:
> >> --- a/xen/drivers/char/console.c
> >> +++ b/xen/drivers/char/console.c
> >> @@ -490,7 +490,24 @@ static void switch_serial_input(void)
> >>      }
> >>      else
> >>      {
> >> -        console_rx++;
> >> +        unsigned int next_rx = console_rx + 1;
> >> +
> >> +        /* Skip switching serial input to non existing domains */
> >> +        while ( next_rx < max_init_domid + 1 )
> >> +        {
> >> +            struct domain *d = rcu_lock_domain_by_id(next_rx - 1);
> >> +
> >> +            if ( d )
> >> +            {
> >> +                rcu_unlock_domain(d);
> >> +                break;
> >> +            }
> >> +
> >> +            next_rx++;
> >> +        }
> >> +
> >> +        console_rx = next_rx;
> >> +
> >>          printk("*** Serial input to DOM%d", console_rx - 1);
> >>      }
> >
> > While at the first glance (when you sent it in reply to v1) it looked
> okay,
> > I'm afraid it really isn't: Please consider what happens when the last of
> > the DomU-s doesn't exist anymore. (You don't really check whether it
> still
> > exists, because the range check comes ahead of the existence one.) In
> that
> > case you want to move from second-to-last to Xen. I expect the entire
> > if/else construct wants to be inside the loop.
> I did this deliberately because I do not think the situation you describe
> is possible
> (i.e. no domains at all - Xen still usable). With hardware domain in
> place, we can e.g. destroy the domain
> which would invoke domain_kill() -> domain_destroy() that would free
> domain struct.
> Without hwdom, the domain cannot kill/destroy itself. It can do the
> shutdown but it will not
> destroy it (at least this is what I tested). So I do not think there can
> be a scenario where
> there is not a single domain while Xen running and be usable.


We've actually been discussing something like this.  Consider if someone
wanted to use Xen as part of a system architected like Amazon's Nitro: You
could have a DPU that ran the "toolstack", and gave Xen commands to create
or destroy domains.  It could dynamically create SRIOV PCI devices to be
passed directly through to guests.  In this case, you might run into a
situation where no VMs existed, and yet the system was not dead.

 -George