xen/vcpu: Improve sanity checks in vcpu_create()

The BUG_ON() is confusing to follow.  The (!is_idle_domain(d) || vcpu_id) part
is a vestigial remnant of architectures poisioning idle_vcpu[0] with non-NULL
pointers.

Now that idle_vcpu[0] is NULL on all architectures, and d->max_vcpus specified
before vcpu_create() is called, we can properly range check the requested
vcpu_id.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Julien Grall <julien@xen.org>

diff --git a/xen/common/domain.c b/xen/common/domain.c
index 0b1103fdb2cc02c03b842b55029f7bc3c1f19754..ee3f9ffd3e813dcddce7ef9fa6ebfd83ad969c9a 100644 (file)
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -139,7 +139,19 @@ struct vcpu *vcpu_create(struct domain *d, unsigned int vcpu_id)
 {
     struct vcpu *v;
 
-    BUG_ON((!is_idle_domain(d) || vcpu_id) && d->vcpu[vcpu_id]);
+    /*
+     * Sanity check some input expectations:
+     * - vcpu_id should be bounded by d->max_vcpus, and not previously
+     *   allocated.
+     * - VCPUs should be tightly packed and allocated in ascending order,
+     *   except for the idle domain which may vary based on PCPU numbering.
+     */
+    if ( vcpu_id >= d->max_vcpus || d->vcpu[vcpu_id] ||
+         (!is_idle_domain(d) && vcpu_id && !d->vcpu[vcpu_id - 1]) )
+    {
+        ASSERT_UNREACHABLE();
+        return NULL;
+    }
 
     if ( (v = alloc_vcpu_struct(d)) == NULL )
         return NULL;