On Mon, Jun 10, 2024 at 1:21 PM Jan Beulich <jbeul...@suse.com> wrote:
>
> On 10.06.2024 12:34, Petr Beneš wrote:
> > On Mon, Jun 10, 2024 at 12:16 PM Jan Beulich <jbeul...@suse.com> wrote:
> >>
> >> On 10.06.2024 11:10, Petr Beneš wrote:
> >>> On Mon, Jun 10, 2024 at 9:30 AM Jan Beulich <jbeul...@suse.com> wrote:
> >>>>
> >>>> On 09.06.2024 01:06, Petr Beneš wrote:
> >>>>> On Thu, Jun 6, 2024 at 9:24 AM Jan Beulich <jbeul...@suse.com> wrote:
> >>>>>>> @@ -122,7 +131,12 @@ int p2m_init_altp2m(struct domain *d)
> >>>>>>>      struct p2m_domain *hostp2m = p2m_get_hostp2m(d);
> >>>>>>>
> >>>>>>>      mm_lock_init(&d->arch.altp2m_list_lock);
> >>>>>>> -    for ( i = 0; i < MAX_ALTP2M; i++ )
> >>>>>>> +    d->arch.altp2m_p2m = xzalloc_array(struct p2m_domain *, 
> >>>>>>> d->nr_altp2m);
> >>>>>>> +
> >>>>>>> +    if ( !d->arch.altp2m_p2m )
> >>>>>>> +        return -ENOMEM;
> >>>>>>
> >>>>>> This isn't really needed, is it? Both ...
> >>>>>>
> >>>>>>> +    for ( i = 0; i < d->nr_altp2m; i++ )
> >>>>>>
> >>>>>> ... this and ...
> >>>>>>
> >>>>>>>      {
> >>>>>>>          d->arch.altp2m_p2m[i] = p2m = p2m_init_one(d);
> >>>>>>>          if ( p2m == NULL )
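Review bot: xzalloc_array() is called with d->nr_altp2m even when that is zero, and nothing in the hunk shows nr_altp2m being validated before p2m_init_altp2m() runs; either guard the allocation with `if ( d->nr_altp2m )` and leave altp2m_p2m NULL, or add a comment stating that a zero-size allocation is tolerated on purpose, so a reader does not assume the -ENOMEM return is the only way to reach teardown with a NULL table and a non-zero count.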
> >>>>>>> @@ -143,7 +157,10 @@ void p2m_teardown_altp2m(struct domain *d)
> >>>>>>>      unsigned int i;
> >>>>>>>      struct p2m_domain *p2m;
> >>>>>>>
> >>>>>>> -    for ( i = 0; i < MAX_ALTP2M; i++ )
> >>>>>>> +    if ( !d->arch.altp2m_p2m )
> >>>>>>> +        return;
> >>>>
> >>>> I'm sorry, the question was meant to be on this if() instead.
> >>>>
> >>>>>>> +    for ( i = 0; i < d->nr_altp2m; i++ )
> >>>>>>>      {
> >>>>>>>          if ( !d->arch.altp2m_p2m[i] )
> >>>>>>>              continue;
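Review bot: the `if ( !d->arch.altp2m_p2m ) return;` guard is not redundant: when the table allocation in p2m_init_altp2m() fails, d->nr_altp2m is still non-zero and p2m_final_teardown() still calls this function, so without the guard the loop would index a NULL table. A one-line comment saying so would keep the guard from looking like dead code, and is cheaper than zeroing nr_altp2m on the failure path.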
> >>>>>>> @@ -151,6 +168,8 @@ void p2m_teardown_altp2m(struct domain *d)
> >>>>>>>          d->arch.altp2m_p2m[i] = NULL;
> >>>>>>>          p2m_free_one(p2m);
> >>>>>>>      }
> >>>>>>> +
> >>>>>>> +    XFREE(d->arch.altp2m_p2m);
> >>>>>>>  }
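Review bot: XFREE() also clears d->arch.altp2m_p2m, so a repeated call takes the early return above and the function is idempotent; both the loop bound and the free rely on d->nr_altp2m being unchanged since allocation, so it is worth documenting at the field that nr_altp2m is set once before p2m_init_altp2m() and never modified afterwards.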
> >>>>>>
> >>>>>> ... this ought to be fine without?
> >>>>>
> >>>>> Could you, please, elaborate? I honestly don't know what you mean here
> >>>>> (by "this isn't needed").
> >>>>
> >>>> I hope the above correction is enough?
> >>>
> >>> I'm sorry, but not really? I feel like I'm blind but I can't see
> >>> anything I could remove without causing (or risking) crash.
> >>
> >> The loop is going to do nothing when d->nr_altp2m == 0, and the XFREE() is
> >> going to do nothing when d->arch.altp2m_p2m == NULL. Hence what does the
> >> if() guard against? IOW what possible crashes are you seeing that I don't
> >> see?
> >
> > I see now. I was seeing ghosts - my thinking was that if
> > p2m_init_altp2m fails to allocate altp2m_p2m, it will call
> > p2m_teardown_altp2m - which, without the if(), would start to iterate
> > through an array that is not allocated. It doesn't happen, it just
> > returns -ENOMEM.
> >
> > So to reiterate:
> >
> >     if ( !d->arch.altp2m_p2m )
> >         return;
> >
> > ... are we talking that this condition inside p2m_teardown_altp2m
> > isn't needed?
>
> I'm not sure about "isn't" vs "shouldn't". The call from p2m_final_teardown()
> also needs to remain safe to make. Which may require that upon allocation
> failure you zap d->nr_altp2m. Or which alternatively may mean that the if()
> actually needs to stay.

True, p2m_final_teardown is called whenever p2m_init (and by extension
p2m_init_altp2m) fails. Which means that condition must stay - or, as
you suggested, reset nr_altp2m to 0.

I would rather leave the code as is. Modifying nr_altp2m would (in my
opinion) feel semantically incorrect, as that value should behave more
or less as const, that is initialized once.

> > Or is there anything else?
>
> There was also the question of whether to guard the allocation, to avoid a
> de-generate xmalloc_array() of zero size. Yet in the interest of avoiding
> not strictly necessary conditionals, that may well want to remain as is.

True, nr_altp2m = 0 would mean a zero-sized allocation, as p2m_init_altp2m
is called unconditionally (when booted with altp2m=1). Is it a
problem, though?

P.
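The ordering argued over above (teardown runs unconditionally after a failed init, so the NULL-table guard matters while nr_altp2m stays non-zero) can be exercised outside the hypervisor. The following is an added stand-alone C model, not Xen code: the names model_init_altp2m, model_teardown_altp2m, model_create, struct p2m_view and the fault-injection flag fail_table_alloc are assumptions made here, calloc()/free() stand in for xzalloc_array()/XFREE(), and the choice to skip the allocation entirely when nr_altp2m is zero is this example's choice, not the patch's.

```c
/* Added model (not Xen code): exercises the init/teardown ordering
 * discussed in the thread.  A domain carries nr_altp2m and a
 * dynamically sized table of per-view pointers; final teardown runs
 * unconditionally after a failed init, so teardown must tolerate a
 * NULL table even though nr_altp2m is still non-zero on that path. */
#include <stdlib.h>
#include <errno.h>
#include <string.h>

struct p2m_view { int id; };            /* stand-in for struct p2m_domain */

struct domain {
    unsigned int nr_altp2m;              /* set once at creation, never changed */
    struct p2m_view **altp2m_p2m;        /* nr_altp2m entries, or NULL */
};

/* Fault-injection knob (assumed, test-only): when non-zero the table
 * allocation fails, modelling xzalloc_array() returning NULL. */
static int fail_table_alloc;

static struct p2m_view *view_init_one(unsigned int id)
{
    struct p2m_view *v = calloc(1, sizeof(*v));
    if ( v )
        v->id = (int)id;
    return v;
}

int model_init_altp2m(struct domain *d)
{
    unsigned int i;

    /* This example's choice: with zero views allocate nothing and leave
     * the table NULL instead of making a zero-sized allocation. */
    if ( d->nr_altp2m == 0 )
        return 0;

    if ( fail_table_alloc )
        return -ENOMEM;                  /* table stays NULL, count stays set */

    d->altp2m_p2m = calloc(d->nr_altp2m, sizeof(*d->altp2m_p2m));
    if ( !d->altp2m_p2m )
        return -ENOMEM;

    for ( i = 0; i < d->nr_altp2m; i++ )
    {
        d->altp2m_p2m[i] = view_init_one(i);
        if ( !d->altp2m_p2m[i] )
            return -ENOMEM;              /* partial table left for teardown */
    }
    return 0;
}

void model_teardown_altp2m(struct domain *d)
{
    unsigned int i;

    /* Needed: final teardown runs even when init never allocated the
     * table, and nr_altp2m is non-zero, so the loop must not run. */
    if ( !d->altp2m_p2m )
        return;

    for ( i = 0; i < d->nr_altp2m; i++ )
    {
        free(d->altp2m_p2m[i]);
        d->altp2m_p2m[i] = NULL;
    }
    free(d->altp2m_p2m);
    d->altp2m_p2m = NULL;                /* XFREE() semantics: safe to repeat */
}

/* Mirrors final teardown being invoked on every init failure. */
int model_create(struct domain *d, unsigned int nr, int inject_fail)
{
    int rc;

    memset(d, 0, sizeof(*d));
    d->nr_altp2m = nr;
    fail_table_alloc = inject_fail;
    rc = model_init_altp2m(d);
    if ( rc )
        model_teardown_altp2m(d);        /* must be safe after failure */
    return rc;
}

/* Number of live views; lets a caller confirm teardown released all. */
unsigned int model_live_views(const struct domain *d)
{
    unsigned int i, n = 0;

    if ( !d->altp2m_p2m )
        return 0;
    for ( i = 0; i < d->nr_altp2m; i++ )
        n += d->altp2m_p2m[i] != NULL;
    return n;
}
```

Removing the early return in model_teardown_altp2m() and running model_create() with the fault injected reproduces the NULL-table dereference that the guard prevents; the count is deliberately left untouched on the failure path, matching the preference stated above for keeping nr_altp2m effectively const.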
