[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 02/10] xen/version: Introduce non-truncating deterministically-signed XENVER_* subops

  • To: Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Wed, 16 Aug 2023 03:58:35 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=QLN4c064N+ZTpBoU7886QaD5i8emmbyeKhiOTfG7/gg=; b=MSPEW26Qv/fCHk6H56UxmIIEKTwjqfbMb/L0gcqOrHLu4ePe2YQddcUAocyuGw5+8tjzC+7kKViy5e+6QRuadVnA5jxCQjaTA/0/lJrp6cnziZwtZv9NnMVfD1ETIOSDDfJPODqpXVuIO8fBR5ndVHqKyXQTXshi4hKXD4+Edx+g44eBtNNSqhy8XcZ6bx6XzSMQ/j4lZXjIOgz13hdGlqbQf4/XfUNZ4upbgD5vgYYnCG5A0xkwO2AEEGuDY0/dHn+ckRYvfEA2z1jlfYzgUsKxyfLZO/HlT9X04Jbrqq3ivmncKu7ZvFYdsh+XB7olp9XRI3b3gFjzYLgYf3j3lw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eiro0QjK9kfA+b3kL+nJSHtZCIfoIthJGqcX+69f3PMNe26ArSA2Qm1+iSapNAHHehEz1L1G/hVT2zCtQ3mo0qKKh/IHzE6FFIn9TFgJHuNAnXI2ecfs8IhUxxIFvqMy4xCeZ21DC9b2oCAPA3iDpOUgl0bTNXWgDNnSAHlyIqtrH1mporQdXXZ0vzP50bYer2/XdleabowVA+eNKhQ4KeWPtpgnRZxxH5bqTyw3PwqP5kiS+WJl45ZExQaba5jfYGhjPfmOAl5d3snOFKOQA86CNPfda7hVNOEFUYLT4/FcajDEiKYZWEqtqs66iTmW3LEZ/HOnuLyYssdDRPp6+g==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jason Andryuk <jandryuk@xxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>
  • Delivery-date: Wed, 16 Aug 2023 02:58:56 +0000
  • Ironport-data: A9a23:bwCDh6iYQ8lXRhLPNxKJRHL+X161yREKZh0ujC45NGQN5FlHY01je htvXWGCa6qPYWrxfo9wOYS/9kIA65bVnIRrQFRory8xQnkb9cadCdqndUqhZCn6wu8v7q5Ex 55HNoSfdpBcolv0/ErF3m3J9CEkvU2wbuOgTrWCYmYpHlUMpB4J0XpLg/Q+jpNjne+3CgaMv cKai8DEMRqu1iUc3lg8sspvkzsx+qyr0N8klgZmP6sT7AaDzyN94K83fsldEVOpGuG4IcbiL wrz5OnR1n/U+R4rFuSknt7TGqHdauePVeQmoiM+t5mK2nCulARrukoIHKN0hXNsoyeIh7hMJ OBl7vRcf+uL0prkw4zxWzEAe8130DYvFLXveRBTuuTLp6HKnueFL1yDwyjaMKVBktubD12i+ tQqFz1WMAGfvtutybGVa7crqJ8xC5PkadZ3VnFIlVk1DN4AaLWaGeDv2oUd2z09wMdTAfzZe swVLyJ1awjNaAFOPVFRD48imOCvhT/0dDgwRFC9/PJrpTSMilIvluS2WDbWUoXiqcF9t0CUv G/ZuU/+BQkXLoe3wjuZ6HO8wOTImEsXXapLTuXgrK4x2Af7Kmo7BT9OWwGkmsmFi3WGRPJmG U4/+Qo+hP1nnKCsZpynN/Gim1afpQIVUddUF+w86SmOx7DS7gLfAXILJhZRZdpjuMIoSDgC0 l6Sg8ivFTFpqKeSS3+W6vGTtzzaESocK2MYdDIHZQQA6tjn5oo0i3rnbPxuDaq0hd3dAizrz naBqy1Wr6oXpd4G0eO851+vqzCxopnESCYl6wORWXiqhit1a4KoaJahwUTK5vZHaoCCRx+Ou 2Zss8SG9+UPEZGlnTSAWvkQB6qu4+uZMTramhhkGJxJ3xSg/WSyO79Z5j5WLV1sdM0DfFfUj FT7vApQ4NpWIyGsZKouOYapUZx2lu7nCMjvUe3SYpxWeJ9teQSb/SZoI0mNw2Tql0tqmqY6U XuGTfuR4b8hIfwP5FKLqy01iNfHGghWKbvveK3G
  • Ironport-hdrordr: A9a23:v/uzW6sNc0dh6Cs4TvuJrANR7skDYdV00zEX/kB9WHVpm6uj9/ xG/c576faQsl16ZJhOo6HjBED+ewK4yXcY2+Qs1NSZMjUO2lHYT72KhLGKqwEIcBeQygcy78 tdmqFFebnNMWQ=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 16/08/2023 1:19 am, Stefano Stabellini wrote:
> On Tue, 15 Aug 2023, Andrew Cooper wrote:
>> @@ -498,6 +499,59 @@ static int __init cf_check param_init(void)
>>
>> +    sz = strlen(str);
>> +
>> +    if ( sz > KB(64) ) /* Arbitrary limit.  Avoid long-running operations. 
>> */
>> +        return -E2BIG;
> Realistically do we want this buffer to cross page boundaries?

A 1-byte answer can cross a page boundary, even if the hypercall
argument is correctly aligned (and even that is unspecified in the Xen ABI).

But importantly, this series is also prep work to fixing the cmdline
limit.  1k is already causing problems, and 64k is a whole lot less bad
than 4k when we enter such corner cases.

>> diff --git a/xen/include/public/version.h b/xen/include/public/version.h
>> index cbc4ef7a46e6..0dd6bbcb43cc 100644
>> --- a/xen/include/public/version.h
>> +++ b/xen/include/public/version.h
>> @@ -19,12 +19,20 @@
>>  /* arg == NULL; returns major:minor (16:16). */
>>  #define XENVER_version      0
>>  
>> -/* arg == xen_extraversion_t. */
>> +/*
>> + * arg == xen_extraversion_t.
>> + *
>> + * This API/ABI is broken.  Use XENVER_extraversion2 where possible.
> Like Jan and Julien I also don't like the word "broken" especially
> without explanation of why it is broken next to it.

The word "broken" is an accurate and appropriate word in the English
language to describe the situation.  I'm sorry you don't like it, but
unless any of you can articulate why you think it is inappropriate
phraseology, the complaint is unactionable.

Specifically ...

> Instead, I would say:
>
> "XENVER_extraversion is deprecated. Please use XENVER_extraversion2."

... depreciated is misleading.

It would be acceptable for a case where we'd introduced a foo2 to add a
new feature to the interface, but we're being forced to make the new
interface to fix two bugs and a mis-feature in existing interface.

> If you want to convey the message that the API has problems, then I would
> say:
>
> "XENVER_extraversion might cause truncation. Please use XENVER_extraversion2."
>
> Or even:
>
> "XENVER_extraversion has problems. Please use XENVER_extraversion2."

If "broken" is too nondescript, then "might" is bad too and "has
problems" is out of the question.


There is a partial description of the ABI problems in the comment block
beside the new ops.  I could be persuaded to extend it to be a full list
of the ABI breakages.

These header files are a succinct technical reference for proficient
programmers to interact with Xen.  They are not a tutorial on writing C,
nor are they appropriate places to sentences of no useful value.

Through this series, I have done the hard work of updating the
commonly-used interfaces such that downstreams can stop working around
real problems caused by real errors in these APIs.  For everyone else
re-syncing the headers, it is important that the message come across as
an instruction and not a suggestion ...

... People will probably ignore it irrespective, but that's then firmly
on them, and not on Xen trying to downplay problems in the public interface.

>> + */
>>  #define XENVER_commandline 9
>>  typedef char xen_commandline_t[1024];
>>  
>> @@ -110,6 +133,42 @@ struct xen_build_id {
>>  };
>>  typedef struct xen_build_id xen_build_id_t;
>>  
>> +/*
>> + * Container for an arbitrary variable length buffer.
>> + */
>> +struct xen_varbuf {
>> +    uint32_t len;                          /* IN:  size of buf[] in bytes. 
>> */
>> +    unsigned char buf[XEN_FLEX_ARRAY_DIM]; /* OUT: requested data.         
>> */
> I realize that you just copied struct xen_build_id

No - it was originally an ambiguously-signed char in v1.  It became
unsigned through review.

But being unsigned char is relevant to the non-ABI-changingness of later
patches in the series.

> but I recall from
> MISRA C training that we should use plain "char" for strings for good
> reasons, not "unsigned char"?

I don't recall anything to that effect, nor can I see anything obvious
when scanning through the standard.

MISRA can't plausibly prohibit the use of char for arbitrary data.  It's
the one and only thing the C spec states is safe for the task.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.