From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel List <xen-devel@lists.xen.org>,
Keir Fraser <keir@xen.org>, Jan Beulich <JBeulich@suse.com>,
Tim Deegan <tim@xen.org>, Ian Campbell <Ian.Campbell@citrix.com>
Subject: Xen hypercall API/ABI problems
Date: Wed, 19 Jun 2013 16:43:21 +0100 [thread overview]
Message-ID: <51C1D199.6050409@citrix.com> (raw)
Hello,
While attempting to teach a hypercall-aware valgrind about enough
hypercalls to allow it to introspect HVM domain migration I came across
some systemic problems with certain hypercalls, particularly with migrate.
Here is the example of XENMEM_maximum_ram_page, but it is not alone as
far as this goes.
In Xen, it is defined as
/*
* Returns the maximum machine frame number of mapped RAM in this
system.
* This command always succeeds (it never returns an error
code).
* arg ==
NULL.
*/
In memory.c, there is a possible unsigned->signed conversion error from
max_pages to rc.
In compat/memory.c, there is a long->int truncation error for compat
hypercalls, although newer versions of Xen cap this at INT_{MIN,MAX}
In the privcmd driver passes the hypercall rc through as the return from
the ioctl handler, containing a possible long->int truncation error.
>From libxc, the do_memory_op() is expected -errno style error handling,
but does not enforce it. There is however a possible int->long
extension issue with xc_maximum_ram_page().
The value from this is then stuffed into unsigned long minfo->max_mfn
and immediately used in try to map the M2P table.
>From the work with XSA-55, we have already identified that the error
handling and propagation in libxc leaves a lot to be desired. However,
the hypervisor side of things is just as problematic.
What policy do we have about deprecating hypercall interfaces and
introducing newer ones? At a minimum, all hypercalls should be using
-errno style errors, with a possibility of returning 0 to LONG_MAX as well.
I realise that simply changing the hypercalls in place is not possible.
Would it be acceptable to have a step change across a Xen version (say
early in 4.4) where consumers of the public interface would have to make
use of -DXEN_LEGACY_UNSAFE_HYPERCALLS (or equivalent) in an attempt to
move them forward with the API ?
~Andrew
next reply other threads:[~2013-06-19 15:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-19 15:43 Andrew Cooper [this message]
2013-06-20 9:01 ` Xen hypercall API/ABI problems Jan Beulich
2013-06-25 13:10 ` Andrew Cooper
2013-06-25 14:04 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51C1D199.6050409@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=Ian.Campbell@citrix.com \
--cc=JBeulich@suse.com \
--cc=keir@xen.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.