[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v10 02/11] xen: introduce implementation of save/restore of 'domain context'



On 08.10.2020 20:57, Paul Durrant wrote:
> +void __init domain_register_ctxt_type(unsigned int type, const char *name,
> +                                      domain_save_ctxt_type save,
> +                                      domain_load_ctxt_type load)
> +{
> +    BUG_ON(type >= ARRAY_SIZE(fns));
> +
> +    ASSERT(!fns[type].save);
> +    ASSERT(!fns[type].load);
> +
> +    fns[type].name = name;

I expect I merely didn't spot this (perhaps just latent) issue in
earlier versions: If the caller lives in code getting built into
*.init.o, the string passed in will live in .init.rodata. That's a
general shortcoming (if you like) of the .o -> .init.o
tranformation, but I see no good alternative (or else all format
strings passed to printk() and alike won't get moved either).
Therefore I wonder whether it wouldn't be safer to have the struct
field be e.g. char[16], assuming 15 characters will allow for
meaningful names.

> +int domain_load_ctxt_rec_data(struct domain_ctxt_state *c, void *dst,
> +                              size_t len)
> +{
> +    int rc = 0;
> +
> +    c->len += len;
> +    if (c->len > c->rec.length)

Nit: Missing blanks.

> +int domain_load_ctxt(struct domain *d, const struct domain_load_ctxt_ops 
> *ops,
> +                     void *priv)
> +{
> +    struct domain_ctxt_state c = { .d = d, .ops.load = ops, .priv = priv, };
> +    domain_load_ctxt_type load;
> +    int rc;
> +
> +    ASSERT(d != current->domain);
> +
> +    rc = c.ops.load->read(c.priv, &c.rec, sizeof(c.rec));
> +    if ( rc )
> +        return rc;
> +
> +    load = fns[DOMAIN_CONTEXT_START].load;
> +    BUG_ON(!load);
> +
> +    rc = load(d, &c);
> +    if ( rc )
> +        return rc;
> +
> +    domain_pause(d);
> +
> +    for (;;)

Nit: Missing blanks again.

> +    {
> +        unsigned int type;
> +
> +        rc = c.ops.load->read(c.priv, &c.rec, sizeof(c.rec));
> +        if ( rc )
> +            break;
> +
> +        type = c.rec.type;
> +        if ( type == DOMAIN_CONTEXT_END )
> +            break;
> +
> +        rc = -EINVAL;
> +        if ( type >= ARRAY_SIZE(fns) )
> +            break;
> +
> +        load = fns[type].load;

While this is meant to be used by Dom0 only, I think it would be
better if it nevertheless used array_access_nospec().

> +static int load_start(struct domain *d, struct domain_ctxt_state *c)
> +{
> +    static struct domain_context_start s;
> +    unsigned int i;
> +    int rc = domain_load_ctxt_rec(c, DOMAIN_CONTEXT_START, &i, &s, 
> sizeof(s));
> +
> +    if ( rc )
> +        return rc;
> +
> +    if ( i )
> +        return -EINVAL;
> +
> +    /*
> +     * Make sure we are not attempting to load an image generated by a newer
> +     * version of Xen.
> +     */
> +    if ( s.xen_major > XEN_VERSION && s.xen_minor > XEN_SUBVERSION )
> +        return -EOPNOTSUPP;

Are you sure this needs to be excluded here and unilaterally?
And if this is to stay, then it wants to be

    if ( s.xen_major > XEN_VERSION ||
         (s.xen_major == XEN_VERSION && s.xen_minor > XEN_SUBVERSION) )
        return -EOPNOTSUPP;

> +/*
> + * Register save and load handlers for a record type.
> + *
> + * Save handlers will be invoked in an order which copes with any inter-
> + * entry dependencies. For now this means that HEADER will come first and
> + * END will come last, all others being invoked in order of 'typecode'.
> + *
> + * Load handlers will be invoked in the order of entries present in the
> + * buffer.
> + */
> +#define DOMAIN_REGISTER_CTXT_TYPE(x, s, l)                    \
> +    static int __init __domain_register_##x##_ctxt_type(void) \
> +    {                                                         \
> +        domain_register_ctxt_type(                            \
> +            DOMAIN_CONTEXT_ ## x,                             \
> +            #x,                                               \
> +            &(s),                                             \
> +            &(l));                                            \

I don't think there's a need for each of these to consume a separate
line.

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.