|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v10 02/11] xen: introduce implementation of save/restore of 'domain context'
On 08.10.2020 20:57, Paul Durrant wrote:
> +void __init domain_register_ctxt_type(unsigned int type, const char *name,
> + domain_save_ctxt_type save,
> + domain_load_ctxt_type load)
> +{
> + BUG_ON(type >= ARRAY_SIZE(fns));
> +
> + ASSERT(!fns[type].save);
> + ASSERT(!fns[type].load);
> +
> + fns[type].name = name;
I expect I merely didn't spot this (perhaps just latent) issue in
earlier versions: If the caller lives in code getting built into
*.init.o, the string passed in will live in .init.rodata. That's a
general shortcoming (if you like) of the .o -> .init.o
tranformation, but I see no good alternative (or else all format
strings passed to printk() and alike won't get moved either).
Therefore I wonder whether it wouldn't be safer to have the struct
field be e.g. char[16], assuming 15 characters will allow for
meaningful names.
> +int domain_load_ctxt_rec_data(struct domain_ctxt_state *c, void *dst,
> + size_t len)
> +{
> + int rc = 0;
> +
> + c->len += len;
> + if (c->len > c->rec.length)
Nit: Missing blanks.
> +int domain_load_ctxt(struct domain *d, const struct domain_load_ctxt_ops
> *ops,
> + void *priv)
> +{
> + struct domain_ctxt_state c = { .d = d, .ops.load = ops, .priv = priv, };
> + domain_load_ctxt_type load;
> + int rc;
> +
> + ASSERT(d != current->domain);
> +
> + rc = c.ops.load->read(c.priv, &c.rec, sizeof(c.rec));
> + if ( rc )
> + return rc;
> +
> + load = fns[DOMAIN_CONTEXT_START].load;
> + BUG_ON(!load);
> +
> + rc = load(d, &c);
> + if ( rc )
> + return rc;
> +
> + domain_pause(d);
> +
> + for (;;)
Nit: Missing blanks again.
> + {
> + unsigned int type;
> +
> + rc = c.ops.load->read(c.priv, &c.rec, sizeof(c.rec));
> + if ( rc )
> + break;
> +
> + type = c.rec.type;
> + if ( type == DOMAIN_CONTEXT_END )
> + break;
> +
> + rc = -EINVAL;
> + if ( type >= ARRAY_SIZE(fns) )
> + break;
> +
> + load = fns[type].load;
While this is meant to be used by Dom0 only, I think it would be
better if it nevertheless used array_access_nospec().
> +static int load_start(struct domain *d, struct domain_ctxt_state *c)
> +{
> + static struct domain_context_start s;
> + unsigned int i;
> + int rc = domain_load_ctxt_rec(c, DOMAIN_CONTEXT_START, &i, &s,
> sizeof(s));
> +
> + if ( rc )
> + return rc;
> +
> + if ( i )
> + return -EINVAL;
> +
> + /*
> + * Make sure we are not attempting to load an image generated by a newer
> + * version of Xen.
> + */
> + if ( s.xen_major > XEN_VERSION && s.xen_minor > XEN_SUBVERSION )
> + return -EOPNOTSUPP;
Are you sure this needs to be excluded here and unilaterally?
And if this is to stay, then it wants to be
if ( s.xen_major > XEN_VERSION ||
(s.xen_major == XEN_VERSION && s.xen_minor > XEN_SUBVERSION) )
return -EOPNOTSUPP;
> +/*
> + * Register save and load handlers for a record type.
> + *
> + * Save handlers will be invoked in an order which copes with any inter-
> + * entry dependencies. For now this means that HEADER will come first and
> + * END will come last, all others being invoked in order of 'typecode'.
> + *
> + * Load handlers will be invoked in the order of entries present in the
> + * buffer.
> + */
> +#define DOMAIN_REGISTER_CTXT_TYPE(x, s, l) \
> + static int __init __domain_register_##x##_ctxt_type(void) \
> + { \
> + domain_register_ctxt_type( \
> + DOMAIN_CONTEXT_ ## x, \
> + #x, \
> + &(s), \
> + &(l)); \
I don't think there's a need for each of these to consume a separate
line.
Jan
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |