From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel List <xen-devel@lists.xen.org>,
Keir Fraser <keir@xen.org>, Jan Beulich <JBeulich@suse.com>,
Tim Deegan <tim@xen.org>, Ian Campbell <Ian.Campbell@citrix.com>
Subject: Xen hypercall API/ABI problems
Date: Wed, 19 Jun 2013 16:43:21 +0100 [thread overview]
Message-ID: <51C1D199.6050409@citrix.com> (raw)
Hello,
While attempting to teach a hypercall-aware valgrind about enough
hypercalls to allow it to introspect HVM domain migration I came across
some systemic problems with certain hypercalls, particularly with migrate.
Here is the example of XENMEM_maximum_ram_page, but it is not alone as
far as this goes.
In Xen, it is defined as
/*
* Returns the maximum machine frame number of mapped RAM in this
system.
* This command always succeeds (it never returns an error
code).
* arg ==
NULL.
*/
In memory.c, there is a possible unsigned->signed conversion error from
max_pages to rc.
In compat/memory.c, there is a long->int truncation error for compat
hypercalls, although newer versions of Xen cap this at INT_{MIN,MAX}
In the privcmd driver passes the hypercall rc through as the return from
the ioctl handler, containing a possible long->int truncation error.
>From libxc, the do_memory_op() is expected -errno style error handling,
but does not enforce it. There is however a possible int->long
extension issue with xc_maximum_ram_page().
The value from this is then stuffed into unsigned long minfo->max_mfn
and immediately used in try to map the M2P table.
>From the work with XSA-55, we have already identified that the error
handling and propagation in libxc leaves a lot to be desired. However,
the hypervisor side of things is just as problematic.
What policy do we have about deprecating hypercall interfaces and
introducing newer ones? At a minimum, all hypercalls should be using
-errno style errors, with a possibility of returning 0 to LONG_MAX as well.
I realise that simply changing the hypercalls in place is not possible.
Would it be acceptable to have a step change across a Xen version (say
early in 4.4) where consumers of the public interface would have to make
use of -DXEN_LEGACY_UNSAFE_HYPERCALLS (or equivalent) in an attempt to
move them forward with the API ?
~Andrew
next reply other threads:[~2013-06-19 15:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-19 15:43 Andrew Cooper [this message]
2013-06-20 9:01 ` Xen hypercall API/ABI problems Jan Beulich
2013-06-25 13:10 ` Andrew Cooper
2013-06-25 14:04 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51C1D199.6050409@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=Ian.Campbell@citrix.com \
--cc=JBeulich@suse.com \
--cc=keir@xen.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).