[4/6] sysctl: use xmalloc_array() for XEN_SYSCTL_page_offline_op

Commit Message

Jan Beulich Feb. 5, 2020, 1:16 p.m. UTC

This is more robust than the raw xmalloc_bytes().

Also add a sanity check on the input page range.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

Comments

Julien Grall Feb. 5, 2020, 2:34 p.m. UTC | #1

Hi Jan,

On 05/02/2020 13:16, Jan Beulich wrote:
> This is more robust than the raw xmalloc_bytes().
> 
> Also add a sanity check on the input page range.

It feels to me that the commit message/title should focus on the sanity 
check. The xmalloc_array() is just a cleanup is "less important".

Argually the clean-up should be in a separate patch but I can appreciate 
they are somewhat related.

> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> --- a/xen/common/sysctl.c
> +++ b/xen/common/sysctl.c
> @@ -187,13 +187,17 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
>           uint32_t *status, *ptr;
>           mfn_t mfn;
>   
> +        ret = -EINVAL;
> +        if ( op->u.page_offline.end < op->u.page_offline.start )
> +            break;
> +
>           ret = xsm_page_offline(XSM_HOOK, op->u.page_offline.cmd);
>           if ( ret )
>               break;
>   
> -        ptr = status = xmalloc_bytes( sizeof(uint32_t) *
> -                                (op->u.page_offline.end -
> -                                  op->u.page_offline.start + 1));
> +        ptr = status = xmalloc_array(uint32_t,
> +                                     (op->u.page_offline.end -
> +                                      op->u.page_offline.start + 1));
>           if ( !status )
>           {
>               dprintk(XENLOG_WARNING, "Out of memory for page offline op\n");
>

Jan Beulich Feb. 5, 2020, 4:38 p.m. UTC | #2

On 05.02.2020 15:34, Julien Grall wrote:
> On 05/02/2020 13:16, Jan Beulich wrote:
>> This is more robust than the raw xmalloc_bytes().
>>
>> Also add a sanity check on the input page range.
> 
> It feels to me that the commit message/title should focus on the sanity 
> check. The xmalloc_array() is just a cleanup is "less important".

But it not being there would generally just result in -ENOMEM
due to the xmalloc_...() failing (leaving aside overflow not
accounted for in the old code), which by the new check just
gets changed into the more applicable -EINVAL. I view the
changed called out in the title as more important.

Jan

>> --- a/xen/common/sysctl.c
>> +++ b/xen/common/sysctl.c
>> @@ -187,13 +187,17 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
>>           uint32_t *status, *ptr;
>>           mfn_t mfn;
>>   
>> +        ret = -EINVAL;
>> +        if ( op->u.page_offline.end < op->u.page_offline.start )
>> +            break;
>> +
>>           ret = xsm_page_offline(XSM_HOOK, op->u.page_offline.cmd);
>>           if ( ret )
>>               break;
>>   
>> -        ptr = status = xmalloc_bytes( sizeof(uint32_t) *
>> -                                (op->u.page_offline.end -
>> -                                  op->u.page_offline.start + 1));
>> +        ptr = status = xmalloc_array(uint32_t,
>> +                                     (op->u.page_offline.end -
>> +                                      op->u.page_offline.start + 1));
>>           if ( !status )
>>           {
>>               dprintk(XENLOG_WARNING, "Out of memory for page offline op\n");
>>
>

Julien Grall Feb. 5, 2020, 5:15 p.m. UTC | #3

Hi Jan,

On 05/02/2020 16:38, Jan Beulich wrote:
> On 05.02.2020 15:34, Julien Grall wrote:
>> On 05/02/2020 13:16, Jan Beulich wrote:
>>> This is more robust than the raw xmalloc_bytes().
>>>
>>> Also add a sanity check on the input page range.
>>
>> It feels to me that the commit message/title should focus on the sanity
>> check. The xmalloc_array() is just a cleanup is "less important".
> 
> But it not being there would generally just result in -ENOMEM
> due to the xmalloc_...() failing (leaving aside overflow not
> accounted for in the old code), which by the new check just
> gets changed into the more applicable -EINVAL. I view the
> changed called out in the title as more important.

None of the commit message really explain this. So the sanity check did 
feel more important.

You probably want to reword the commit message to explain why the sanity 
check is added (i.e ENOMEM vs EINVAL).

Cheers,

Patch

--- a/xen/common/sysctl.c
+++ b/xen/common/sysctl.c
@@ -187,13 +187,17 @@  long do_sysctl(XEN_GUEST_HANDLE_PARAM(xe
         uint32_t *status, *ptr;
         mfn_t mfn;
 
+        ret = -EINVAL;
+        if ( op->u.page_offline.end < op->u.page_offline.start )
+            break;
+
         ret = xsm_page_offline(XSM_HOOK, op->u.page_offline.cmd);
         if ( ret )
             break;
 
-        ptr = status = xmalloc_bytes( sizeof(uint32_t) *
-                                (op->u.page_offline.end -
-                                  op->u.page_offline.start + 1));
+        ptr = status = xmalloc_array(uint32_t,
+                                     (op->u.page_offline.end -
+                                      op->u.page_offline.start + 1));
         if ( !status )
         {
             dprintk(XENLOG_WARNING, "Out of memory for page offline op\n");