From: Don Slutz <dslutz@verizon.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>,
Ian Campbell <ian.campbell@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Don Slutz <dslutz@verizon.com>,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [BUGFIX][PATCH 4/4] hvm_save_one: allow the 2nd instance to be fetched for PIC.
Date: Sat, 14 Dec 2013 20:38:38 -0500 [thread overview]
Message-ID: <52AD081E.4070600@terremark.com> (raw)
In-Reply-To: <52AB29E4020000780010D0EE@nat28.tlf.novell.com>
On 12/13/13 09:38, Jan Beulich wrote:
>>>> On 12.12.13 at 01:56, Don Slutz <dslutz@verizon.com> wrote:
>> @@ -114,20 +111,20 @@ int hvm_save_one(struct domain *d, uint16_t typecode, uint16_t instance,
>> }
>> else
>> {
>> - uint32_t off;
>> + uint32_t off, add;
> "add" is a pretty odd name for what this is being used for. Why
> don't you use desc->length directly?
I picked the name when the 3rd part of the "for" was "off += add".
During unit
testing that did not work and so did not try and pick a new one. I
could have added add2:
const uint32_t add2 = sizeof (struct hvm_save_descriptor);
And then the last part of the for becomes "off += add + add2".
I can not use desc->length because:
save.c: In function 'hvm_save_one':
save.c:120:47: error: 'desc' undeclared (first use in this function)
save.c:120:47: note: each undeclared identifier is reported only once
for each function it appears in
(It is only defined in the body of the for).
>>
>> rv = -EBADSLT;
>> - for (off = 0; off < ctxt.cur; off += hvm_sr_handlers[typecode].size) {
>> + for (off = 0; off < ctxt.cur; off += add + sizeof (struct hvm_save_descriptor)) {
>> struct hvm_save_descriptor *desc
>> = (struct hvm_save_descriptor *)&ctxt.data[off];
>> + add = desc->length;
>> if (instance == desc->instance) {
>> rv = 0;
>> if ( copy_to_guest(handle,
>> ctxt.data
>> + off
>> + sizeof (struct hvm_save_descriptor),
>> - hvm_sr_handlers[typecode].size
>> - - sizeof (struct hvm_save_descriptor)) )
>> + add) )
> Further, the way this was done before means that for multi-
> instance records all records would get copied out, but the
> caller would have no way of knowing that (except by implying
> that behavior, e.g. "known to be the case for PIC").
Not exactly. Using the following adjustment to check-hvmctx (patch #1):
cb4d0e75a497f169c8419b30c1954f92bb8e29a8 Mon Sep 17 00:00:00 2001
From: Don Slutz <dslutz@verizon.com>
Date: Sat, 14 Dec 2013 19:31:16 -0500
Subject: [PATCH] check-hvmctx: add check for extra data under debug 8
Signed-off-by: Don Slutz <dslutz@verizon.com>
---
tools/tests/check-hvmctx/check-hvmctx.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/tools/tests/check-hvmctx/check-hvmctx.c
b/tools/tests/check-hvmctx/check-hvmctx.c
index 9b5c3aa..668b77a 100644
--- a/tools/tests/check-hvmctx/check-hvmctx.c
+++ b/tools/tests/check-hvmctx/check-hvmctx.c
@@ -574,7 +574,7 @@ int main(int argc, char **argv)
default:
if (xc_domain_hvm_getcontext_partial(
xch, domid, desc.typecode, desc.instance,
- tbuf, desc.length) != 0) {
+ tbuf, len) != 0) {
fprintf(stderr, "Error:
xc_domain_hvm_getcontext_partial: entry %i: type %u instance %u, length
%u: ",
entry, (unsigned) desc.typecode,
(unsigned) desc.instance, (unsigned) desc.length);
@@ -582,6 +582,23 @@ int main(int argc, char **argv)
retval = 42;
memset(tbuf, 0xee, desc.length);
}
+ if (debug & 0x08) {
+ int i;
+ int header = 1;
+
+ for (i = desc.length; i < len; i++) {
+ if (tbuf[i]) {
+ if (header) {
+ header = 0;
+ printf("Error: entry %i: type %u instance
%u, length %u extra data!\n",
+ entry, (unsigned) desc.typecode,
+ (unsigned) desc.instance, (unsigned)
desc.length);
+ }
+ printf("[%03x] unexpected data=%02x\n",
+ i, tbuf[i]);
+ }
+ }
+ }
ret = desc.length;
#ifndef NOTCLEAN
if (desc.typecode == HVM_SAVE_CODE(CPU))
--
1.7.11.7
and before this patch:
dcs-xen-51:~/xen/tools/tests/check-hvmctx>make clean;make
CHECK_HVMCTX="-DDOPIC"
rm -f *.o check-hvmctx *~ .*.d
gcc -O1 -fno-omit-frame-pointer -m64 -g -fno-strict-aliasing -std=gnu99
-Wall -Wstrict-prototypes -Wdeclaration-after-statement
-Wno-unused-but-set-variable -Wno-unused-local-typedefs -D__XEN_TOOLS__
-MMD -MF .check-hvmctx.o.d -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-fno-optimize-sibling-calls -Werror
-I/home/don/xen/tools/tests/check-hvmctx/../../../tools/libxc
-I/home/don/xen/tools/tests/check-hvmctx/../../../tools/include
-I/home/don/xen/tools/tests/check-hvmctx/../../../tools/include
-I/home/don/xen/tools/tests/check-hvmctx/../../../tools/xenstore
-I/home/don/xen/tools/tests/check-hvmctx/../../../tools/include
-I/home/don/xen/tools/tests/check-hvmctx/../../../tools -DDOPIC -c -o
check-hvmctx.o check-hvmctx.c
gcc -o check-hvmctx check-hvmctx.o
/home/don/xen/tools/tests/check-hvmctx/../../../tools/libxc/libxenctrl.so
dcs-xen-51:~/xen/tools/tests/check-hvmctx>sudo ./check-hvmctx 1 8
Check HVM save record vs partial for domain 1
Error: entry 8: type 3 instance 0, length 8 extra data!
[008] unexpected data=03
[00a] unexpected data=01
[00c] unexpected data=08
[010] unexpected data=01
[011] unexpected data=ff
[013] unexpected data=28
[016] unexpected data=0c
Error: xc_domain_hvm_getcontext_partial: entry 9: type 3 instance 1,
length 8: Invalid argument
Error: entry 9: type 3 instance 1, length 8 mismatch!
PIC: IRQ base 0x28, irr 0x1, imr 0xff, isr 0
I see that after the expected length (8), there is a struct
hvm_save_descriptor (type 3 instance 1, length 8) followed by another
HVM_SAVE_TYPE(PIC).
> Which shows another shortcoming of the interface: There's no
> buffer size being passed in from the caller, yet we have variable
> size records. Which means latent data corruption in the caller.
This is not 100% correct. The libxl code for
xc_domain_hvm_getcontext_partial does take a length:
/* Get just one element of the HVM guest context.
* size must be >= HVM_SAVE_LENGTH(type) */
int xc_domain_hvm_getcontext_partial(xc_interface *xch,
uint32_t domid,
uint16_t typecode,
uint16_t instance,
void *ctxt_buf,
uint32_t size)
{
and it gets embeded in
DECLARE_HYPERCALL_BOUNCE(ctxt_buf, size,
XC_HYPERCALL_BUFFER_BOUNCE_OUT);
which is handle. I do not know that much about
"XEN_GUEST_HANDLE_64(uint8) handle" and DECLARE_HYPERCALL_BOUNCE, but
what my unit testing has shown me is that copy_to_guest(handle, <ptr>,
<nr>) does only copy up to the size stored in handle. It looks to zero
an unknown amount more (looks to be page sized). So there is more
needed here.
> Hence I think rather than complicating the logic here, we should
> change the interface to pass a size in and back out, which will
> not only avoid corrupting memory, but also allow the guest to
> recognize multi-instance data being returned.
The size is passed in, just not passed out. And the fact that the data is:
HVM_SAVE_TYPE(PIC)
struct hvm_save_descriptor
HVM_SAVE_TYPE(PIC)
Is strange to me. One descriptor for two entries. This was the primary
reason I went the way I did. I am not saying that the interface should
not change; I just do not see that as a bug fix type change.
-Don Slutz
> Jan
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2013-12-15 1:38 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-12 0:56 [BUGFIX][PATCH 0/4] hvm_save_one: return correct data Don Slutz
2013-12-12 0:56 ` [PATCH 1/4] tools/test: Add check-hvmctx Don Slutz
2013-12-12 0:56 ` [PATCH 2/4] Add tools/tests/offline_module Don Slutz
2013-12-12 10:01 ` Ian Campbell
2013-12-12 11:09 ` David Vrabel
2013-12-12 14:24 ` Don Slutz
2013-12-12 14:32 ` Don Slutz
2013-12-12 0:56 ` [BUGFIX][PATCH 3/4] hvm_save_one: return correct data Don Slutz
2013-12-13 14:20 ` Jan Beulich
2013-12-15 0:29 ` Don Slutz
2013-12-15 16:51 ` Andrew Cooper
2013-12-15 17:19 ` Don Slutz
2013-12-15 17:22 ` Andrew Cooper
2013-12-15 17:42 ` Don Slutz
2013-12-15 18:11 ` Andrew Cooper
2013-12-15 18:41 ` Don Slutz
2013-12-15 19:06 ` Andrew Cooper
2013-12-15 19:23 ` Don Slutz
2013-12-16 8:17 ` Jan Beulich
2013-12-16 17:51 ` Don Slutz
2013-12-16 18:33 ` Andrew Cooper
2013-12-22 19:40 ` Don Slutz
2013-12-22 21:13 ` Andrew Cooper
2014-01-07 15:55 ` Keir Fraser
2013-12-17 8:20 ` Jan Beulich
2013-12-17 10:40 ` Andrew Cooper
2013-12-20 0:32 ` Don Slutz
2013-12-20 13:31 ` George Dunlap
2013-12-22 19:44 ` Don Slutz
2013-12-17 15:58 ` Don Slutz
2013-12-12 0:56 ` [BUGFIX][PATCH 4/4] hvm_save_one: allow the 2nd instance to be fetched for PIC Don Slutz
2013-12-13 14:38 ` Jan Beulich
2013-12-15 1:38 ` Don Slutz [this message]
2013-12-16 8:22 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52AD081E.4070600@terremark.com \
--to=dslutz@verizon.com \
--cc=JBeulich@suse.com \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=keir@xen.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.