[PATCH 00/20] tools/xenstore: do some cleanup and fixes

[PATCH 00/20] tools/xenstore: do some cleanup and fixes

[Juergen Gross]

This is a first run of post-XSA patches which piled up during the
development phase of all the recent Xenstore related XSA patches.

At least the first 7 patches are completely independent from each
other. After those the dependencies are starting to be more complex.

This is a mixture of small fixes, enhancements and cleanups. Patch 2
was initially part of the XSA patches, which is the reason for having
a "Reviewed-by:" tag already. Even with fixing a previous commit it is
not urgent to put this patch in, so I don't think this is 4.17
material.

Juergen Gross (20):
  tools/xenstore: remove XEN_LIB_STORED and XENSTORED_ROOTDIR
  tools/xenstore: call remove_domid_from_perm() for special nodes
  tools/xenstore: let talloc_free() preserve errno
  tools/xenstore: let tdb_logger() preserve errno
  tools/xenstore: preserve errno across corrupt()
  tools/xenstore: remove all watches when a domain has stopped
  tools/xenstore: enhance hashtable implementation
  tools/xenstore: add hashlist for finding struct domain by domid
  tools/xenstore: introduce dummy nodes for special watch paths
  tools/xenstore: replace watch->relative_path with a prefix length
  tools/xenstore: move changed domain handling
  tools/xenstore: change per-domain node accounting interface
  tools/xenstore: don't allow creating too many nodes in a transaction
  tools/xenstore: replace literal domid 0 with dom0_domid
  tools/xenstore: make domain_is_unprivileged() an inline function
  tools/xenstore: let chk_domain_generation() return a bool
  tools/xenstore: switch hashtable to use the talloc framework
  tools/xenstore: make log macro globally available
  tools/xenstore: introduce trace classes
  tools/xenstore: let check_store() check the accounting data

 config/Paths.mk.in                            |   1 -
 configure                                     |   4 -
 docs/configure                                |   4 -
 docs/misc/xenstore.txt                        |  18 +-
 m4/paths.m4                                   |   3 -
 tools/configure                               |   7 +-
 tools/configure.ac                            |   1 -
 tools/hotplug/FreeBSD/rc.d/xencommons.in      |   6 -
 tools/hotplug/Linux/systemd/Makefile          |   1 -
 .../Linux/systemd/var-lib-xenstored.mount.in  |  12 -
 tools/libs/store/Makefile                     |   1 -
 tools/xenstore/.gdbinit                       |   4 -
 tools/xenstore/Makefile                       |   4 -
 tools/xenstore/Makefile.common                |   1 -
 tools/xenstore/hashtable.c                    | 134 ++--
 tools/xenstore/hashtable.h                    |  38 +-
 tools/xenstore/talloc.c                       |  25 +-
 tools/xenstore/xenstored_control.c            |  44 +-
 tools/xenstore/xenstored_core.c               | 223 ++++---
 tools/xenstore/xenstored_core.h               |  31 +
 tools/xenstore/xenstored_domain.c             | 596 ++++++++++--------
 tools/xenstore/xenstored_domain.h             |  21 +-
 tools/xenstore/xenstored_transaction.c        |  76 +--
 tools/xenstore/xenstored_transaction.h        |   7 +-
 tools/xenstore/xenstored_watch.c              |  43 +-
 tools/xenstore/xs_lib.c                       |  11 +-
 26 files changed, 707 insertions(+), 609 deletions(-)
 delete mode 100644 tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in
 delete mode 100644 tools/xenstore/.gdbinit

-- 
2.35.3

[PATCH 01/20] tools/xenstore: remove XEN_LIB_STORED and XENSTORED_ROOTDIR

[Juergen Gross]

XEN_LIB_STORED is serving no real purpose, as it is a mount point for
a tmpfs, so it can be replaced easily by XEN_RUN_STORED.

XENSTORED_ROOTDIR is basically unused already, there is just a single
reference in xs_daemon_rootdir() with a fallback to XEN_LIB_STORED,
and a .gdbinit file setting it.

Remove the .gdbinit file, as it is not known having been used since
ages, and make xs_daemon_rootdir() an alias of xs_daemon_rundir().

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 config/Paths.mk.in                                   |  1 -
 configure                                            |  4 ----
 docs/configure                                       |  4 ----
 m4/paths.m4                                          |  3 ---
 tools/configure                                      |  7 +------
 tools/configure.ac                                   |  1 -
 tools/hotplug/FreeBSD/rc.d/xencommons.in             |  6 ------
 tools/hotplug/Linux/systemd/Makefile                 |  1 -
 .../hotplug/Linux/systemd/var-lib-xenstored.mount.in | 12 ------------
 tools/libs/store/Makefile                            |  1 -
 tools/xenstore/.gdbinit                              |  4 ----
 tools/xenstore/Makefile                              |  4 ----
 tools/xenstore/Makefile.common                       |  1 -
 tools/xenstore/xs_lib.c                              | 11 +++++------
 14 files changed, 6 insertions(+), 54 deletions(-)
 delete mode 100644 tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in
 delete mode 100644 tools/xenstore/.gdbinit

diff --git a/config/Paths.mk.in b/config/Paths.mk.in
index 416fc7aab9..44bab1d748 100644
--- a/config/Paths.mk.in
+++ b/config/Paths.mk.in
@@ -41,7 +41,6 @@ MAN8DIR                  := $(mandir)/man8
 XEN_RUN_DIR              := @XEN_RUN_DIR@
 XEN_LOG_DIR              := @XEN_LOG_DIR@
 XEN_LIB_DIR              := @XEN_LIB_DIR@
-XEN_LIB_STORED           := @XEN_LIB_STORED@
 XEN_RUN_STORED           := @XEN_RUN_STORED@
 
 CONFIG_DIR               := @CONFIG_DIR@
diff --git a/configure b/configure
index bb7f27ddad..b51174f2ef 100755
--- a/configure
+++ b/configure
@@ -603,7 +603,6 @@ INITD_DIR
 SHAREDIR
 XEN_LIB_DIR
 XEN_RUN_STORED
-XEN_LIB_STORED
 XEN_LOG_DIR
 XEN_RUN_DIR
 XENFIRMWAREDIR
@@ -2081,9 +2080,6 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
-XEN_LIB_STORED=$localstatedir/lib/xenstored
-
-
 XEN_RUN_STORED=$rundir_path/xenstored
 
 
diff --git a/docs/configure b/docs/configure
index d4fced9858..f008ca0565 100755
--- a/docs/configure
+++ b/docs/configure
@@ -601,7 +601,6 @@ INITD_DIR
 SHAREDIR
 XEN_LIB_DIR
 XEN_RUN_STORED
-XEN_LIB_STORED
 XEN_LOG_DIR
 XEN_RUN_DIR
 XENFIRMWAREDIR
@@ -1984,9 +1983,6 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
-XEN_LIB_STORED=$localstatedir/lib/xenstored
-
-
 XEN_RUN_STORED=$rundir_path/xenstored
 
 
diff --git a/m4/paths.m4 b/m4/paths.m4
index 826faada45..e4104bcce0 100644
--- a/m4/paths.m4
+++ b/m4/paths.m4
@@ -136,9 +136,6 @@ XEN_LOG_DIR=$localstatedir/log/xen
 AC_SUBST(XEN_LOG_DIR)
 AC_DEFINE_UNQUOTED([XEN_LOG_DIR], ["$XEN_LOG_DIR"], [Xen's log dir])
 
-XEN_LIB_STORED=$localstatedir/lib/xenstored
-AC_SUBST(XEN_LIB_STORED)
-
 XEN_RUN_STORED=$rundir_path/xenstored
 AC_SUBST(XEN_RUN_STORED)
 
diff --git a/tools/configure b/tools/configure
index 6199823f5a..ffe3f48901 100755
--- a/tools/configure
+++ b/tools/configure
@@ -725,7 +725,6 @@ INITD_DIR
 SHAREDIR
 XEN_LIB_DIR
 XEN_RUN_STORED
-XEN_LIB_STORED
 XEN_LOG_DIR
 XEN_RUN_DIR
 XENFIRMWAREDIR
@@ -4065,9 +4064,6 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
-XEN_LIB_STORED=$localstatedir/lib/xenstored
-
-
 XEN_RUN_STORED=$rundir_path/xenstored
 
 
@@ -10085,7 +10081,7 @@ fi
 
 if test "x$systemd" = "xy"; then :
 
-    ac_config_files="$ac_config_files hotplug/Linux/systemd/proc-xen.mount hotplug/Linux/systemd/var-lib-xenstored.mount hotplug/Linux/systemd/xen-init-dom0.service hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service hotplug/Linux/systemd/xen-watchdog.service hotplug/Linux/systemd/xenconsoled.service hotplug/Linux/systemd/xendomains.service hotplug/Linux/systemd/xendriverdomain.service hotplug/Linux/systemd/xenstored.service"
+    ac_config_files="$ac_config_files hotplug/Linux/systemd/proc-xen.mount hotplug/Linux/systemd/xen-init-dom0.service hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service hotplug/Linux/systemd/xen-watchdog.service hotplug/Linux/systemd/xenconsoled.service hotplug/Linux/systemd/xendomains.service hotplug/Linux/systemd/xendriverdomain.service hotplug/Linux/systemd/xenstored.service"
 
 
 fi
@@ -10967,7 +10963,6 @@ do
     "ocaml/xenstored/oxenstored.conf") CONFIG_FILES="$CONFIG_FILES ocaml/xenstored/oxenstored.conf" ;;
     "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
     "hotplug/Linux/systemd/proc-xen.mount") CONFIG_FILES="$CONFIG_FILES hotplug/Linux/systemd/proc-xen.mount" ;;
-    "hotplug/Linux/systemd/var-lib-xenstored.mount") CONFIG_FILES="$CONFIG_FILES hotplug/Linux/systemd/var-lib-xenstored.mount" ;;
     "hotplug/Linux/systemd/xen-init-dom0.service") CONFIG_FILES="$CONFIG_FILES hotplug/Linux/systemd/xen-init-dom0.service" ;;
     "hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service") CONFIG_FILES="$CONFIG_FILES hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service" ;;
     "hotplug/Linux/systemd/xen-watchdog.service") CONFIG_FILES="$CONFIG_FILES hotplug/Linux/systemd/xen-watchdog.service" ;;
diff --git a/tools/configure.ac b/tools/configure.ac
index 18e481d77e..3a2f6a2da9 100644
--- a/tools/configure.ac
+++ b/tools/configure.ac
@@ -482,7 +482,6 @@ AX_AVAILABLE_SYSTEMD()
 AS_IF([test "x$systemd" = "xy"], [
     AC_CONFIG_FILES([
     hotplug/Linux/systemd/proc-xen.mount
-    hotplug/Linux/systemd/var-lib-xenstored.mount
     hotplug/Linux/systemd/xen-init-dom0.service
     hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service
     hotplug/Linux/systemd/xen-watchdog.service
diff --git a/tools/hotplug/FreeBSD/rc.d/xencommons.in b/tools/hotplug/FreeBSD/rc.d/xencommons.in
index fddcce314c..7f7cda289f 100644
--- a/tools/hotplug/FreeBSD/rc.d/xencommons.in
+++ b/tools/hotplug/FreeBSD/rc.d/xencommons.in
@@ -14,7 +14,6 @@ export LD_LIBRARY_PATH
 
 name="xencommons"
 rcvar="xencommons_enable"
-start_precmd="xen_precmd"
 start_cmd="xen_startcmd"
 stop_cmd="xen_stop"
 status_cmd="xen_status"
@@ -30,11 +29,6 @@ XENSTORED_PIDFILE="@XEN_RUN_DIR@/xenstored.pid"
 load_rc_config $name
 : ${xencommons_enable:=no}
 
-xen_precmd()
-{
-	mkdir -p @XEN_LIB_STORED@ || exit 1
-}
-
 xen_startcmd()
 {
 	local time=0
diff --git a/tools/hotplug/Linux/systemd/Makefile b/tools/hotplug/Linux/systemd/Makefile
index 26df2a43b1..e29889156d 100644
--- a/tools/hotplug/Linux/systemd/Makefile
+++ b/tools/hotplug/Linux/systemd/Makefile
@@ -4,7 +4,6 @@ include $(XEN_ROOT)/tools/Rules.mk
 XEN_SYSTEMD_MODULES := xen.conf
 
 XEN_SYSTEMD_MOUNT := proc-xen.mount
-XEN_SYSTEMD_MOUNT += var-lib-xenstored.mount
 
 XEN_SYSTEMD_SERVICE := xenstored.service
 XEN_SYSTEMD_SERVICE += xenconsoled.service
diff --git a/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in b/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in
deleted file mode 100644
index 11a7d50edc..0000000000
--- a/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=mount xenstore file system
-Requires=proc-xen.mount
-After=proc-xen.mount
-ConditionPathExists=/proc/xen/capabilities
-RefuseManualStop=true
-
-[Mount]
-What=xenstore
-Where=@XEN_LIB_STORED@
-Type=tmpfs
-Options=mode=755
diff --git a/tools/libs/store/Makefile b/tools/libs/store/Makefile
index 2334c953bb..3557a8c76d 100644
--- a/tools/libs/store/Makefile
+++ b/tools/libs/store/Makefile
@@ -18,7 +18,6 @@ include ../libs.mk
 # Include configure output (config.h)
 CFLAGS += -include $(XEN_ROOT)/tools/config.h
 CFLAGS += $(CFLAGS_libxentoolcore)
-CFLAGS += -DXEN_LIB_STORED="\"$(XEN_LIB_STORED)\""
 CFLAGS += -DXEN_RUN_STORED="\"$(XEN_RUN_STORED)\""
 
 vpath xs_lib.c $(XEN_ROOT)/tools/xenstore
diff --git a/tools/xenstore/.gdbinit b/tools/xenstore/.gdbinit
deleted file mode 100644
index 9a71b20ac4..0000000000
--- a/tools/xenstore/.gdbinit
+++ /dev/null
@@ -1,4 +0,0 @@
-set environment XENSTORED_RUNDIR=testsuite/tmp
-set environment XENSTORED_ROOTDIR=testsuite/tmp
-handle SIGUSR1 noprint nostop
-handle SIGPIPE noprint nostop
diff --git a/tools/xenstore/Makefile b/tools/xenstore/Makefile
index 1b66190cc5..ce7a68178f 100644
--- a/tools/xenstore/Makefile
+++ b/tools/xenstore/Makefile
@@ -69,7 +69,6 @@ install: all
 	$(INSTALL_DIR) $(DESTDIR)$(bindir)
 ifeq ($(XENSTORE_XENSTORED),y)
 	$(INSTALL_DIR) $(DESTDIR)$(sbindir)
-	$(INSTALL_DIR) $(DESTDIR)$(XEN_LIB_STORED)
 	$(INSTALL_PROG) xenstored $(DESTDIR)$(sbindir)
 endif
 	$(INSTALL_PROG) xenstore-control $(DESTDIR)$(bindir)
@@ -85,9 +84,6 @@ uninstall:
 	rm -f $(DESTDIR)$(bindir)/xenstore-control
 ifeq ($(XENSTORE_XENSTORED),y)
 	rm -f $(DESTDIR)$(sbindir)/xenstored
-	if [ -d $(DESTDIR)$(XEN_LIB_STORED) ]; then \
-		rmdir --ignore-fail-on-non-empty $(DESTDIR)$(XEN_LIB_STORED); \
-	fi
 endif
 	if [ -d $(DESTDIR)$(includedir)/xenstore-compat ]; then \
 		rmdir --ignore-fail-on-non-empty $(DESTDIR)$(includedir)/xenstore-compat; \
diff --git a/tools/xenstore/Makefile.common b/tools/xenstore/Makefile.common
index ddbac052ac..b18f95c103 100644
--- a/tools/xenstore/Makefile.common
+++ b/tools/xenstore/Makefile.common
@@ -16,7 +16,6 @@ CFLAGS += $(CFLAGS_libxenevtchn)
 CFLAGS += $(CFLAGS_libxenctrl)
 CFLAGS += $(CFLAGS_libxenguest)
 CFLAGS += $(CFLAGS_libxentoolcore)
-CFLAGS += -DXEN_LIB_STORED="\"$(XEN_LIB_STORED)\""
 CFLAGS += -DXEN_RUN_STORED="\"$(XEN_RUN_STORED)\""
 
 ifdef CONFIG_STUBDOM
diff --git a/tools/xenstore/xs_lib.c b/tools/xenstore/xs_lib.c
index 10fa4c3ad0..b9941c567c 100644
--- a/tools/xenstore/xs_lib.c
+++ b/tools/xenstore/xs_lib.c
@@ -26,18 +26,17 @@
 
 /* Common routines for the Xen store daemon and client library. */
 
-const char *xs_daemon_rootdir(void)
-{
-	char *s = getenv("XENSTORED_ROOTDIR");
-	return (s ? s : XEN_LIB_STORED);
-}
-
 const char *xs_daemon_rundir(void)
 {
 	char *s = getenv("XENSTORED_RUNDIR");
 	return (s ? s : XEN_RUN_STORED);
 }
 
+const char *xs_daemon_rootdir(void)
+{
+	return xs_daemon_rundir();
+}
+
 static const char *xs_daemon_path(void)
 {
 	static char buf[PATH_MAX];
-- 
2.35.3

[PATCH 02/20] tools/xenstore: call remove_domid_from_perm() for special nodes

[Juergen Gross]

When destroying a domain, any stale permissions of the domain must be
removed from the special nodes "@...", too. This was not done in the
fix for XSA-322.

Fixes: 496306324d8d ("tools/xenstore: revoke access rights for removed domains")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
---
 tools/xenstore/xenstored_domain.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 84b7817cd5..aa86892fed 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -227,6 +227,27 @@ static void unmap_interface(void *interface)
 	xengnttab_unmap(*xgt_handle, interface, 1);
 }
 
+static void remove_domid_from_perm(struct node_perms *perms,
+				   struct domain *domain)
+{
+	unsigned int cur, new;
+
+	if (perms->p[0].id == domain->domid)
+		perms->p[0].id = priv_domid;
+
+	for (cur = new = 1; cur < perms->num; cur++) {
+		if (perms->p[cur].id == domain->domid)
+			continue;
+
+		if (new != cur)
+			perms->p[new] = perms->p[cur];
+
+		new++;
+	}
+
+	perms->num = new;
+}
+
 static int domain_tree_remove_sub(const void *ctx, struct connection *conn,
 				  struct node *node, void *arg)
 {
@@ -277,6 +298,9 @@ static void domain_tree_remove(struct domain *domain)
 			syslog(LOG_ERR,
 			       "error when looking for orphaned nodes\n");
 	}
+
+	remove_domid_from_perm(&dom_release_perms, domain);
+	remove_domid_from_perm(&dom_introduce_perms, domain);
 }
 
 static int destroy_domain(void *_domain)
-- 
2.35.3

[PATCH 03/20] tools/xenstore: let talloc_free() preserve errno

[Juergen Gross]

Today talloc_free() is not guaranteed to preserve errno, especially in
case a custom destructor is being used.

Change that by renaming talloc_free() to _talloc_free() in talloc.c and
adding a wrapper to talloc.c.

This allows to remove some errno saving outside of talloc.c.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/talloc.c         | 25 ++++++++++++++++++-------
 tools/xenstore/xenstored_core.c |  2 --
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/tools/xenstore/talloc.c b/tools/xenstore/talloc.c
index d7edcf3a93..5fbefdf091 100644
--- a/tools/xenstore/talloc.c
+++ b/tools/xenstore/talloc.c
@@ -103,6 +103,8 @@ struct talloc_chunk {
 	unsigned flags;
 };
 
+static int _talloc_free(void *ptr);
+
 /* 16 byte alignment seems to keep everyone happy */
 #define TC_HDR_SIZE ((sizeof(struct talloc_chunk)+15)&~15)
 #define TC_PTR_FROM_CHUNK(tc) ((void *)(TC_HDR_SIZE + (char*)tc))
@@ -245,7 +247,7 @@ static int talloc_reference_destructor(void *ptr)
 		tc1->destructor = NULL;
 	}
 	_TLIST_REMOVE(tc2->refs, handle);
-	talloc_free(handle);
+	_talloc_free(handle);
 	return 0;
 }
 
@@ -311,7 +313,7 @@ static int talloc_unreference(const void *context, const void *ptr)
 
 	talloc_set_destructor(h, NULL);
 	_TLIST_REMOVE(tc->refs, h);
-	talloc_free(h);
+	_talloc_free(h);
 	return 0;
 }
 
@@ -349,7 +351,7 @@ int talloc_unlink(const void *context, void *ptr)
 	tc_p = talloc_chunk_from_ptr(ptr);
 
 	if (tc_p->refs == NULL) {
-		return talloc_free(ptr);
+		return _talloc_free(ptr);
 	}
 
 	new_p = talloc_parent_chunk(tc_p->refs);
@@ -521,7 +523,7 @@ static void talloc_free_children(void *ptr)
 			struct talloc_chunk *p = talloc_parent_chunk(tc->child->refs);
 			if (p) new_parent = TC_PTR_FROM_CHUNK(p);
 		}
-		if (talloc_free(child) == -1) {
+		if (_talloc_free(child) == -1) {
 			if (new_parent == null_context) {
 				struct talloc_chunk *p = talloc_parent_chunk(ptr);
 				if (p) new_parent = TC_PTR_FROM_CHUNK(p);
@@ -539,7 +541,7 @@ static void talloc_free_children(void *ptr)
    will not be freed if the ref_count is > 1 or the destructor (if
    any) returns non-zero
 */
-int talloc_free(void *ptr)
+static int _talloc_free(void *ptr)
 {
 	struct talloc_chunk *tc;
 
@@ -597,7 +599,16 @@ int talloc_free(void *ptr)
 	return 0;
 }
 
+int talloc_free(void *ptr)
+{
+	int ret;
+	int saved_errno = errno;
 
+	ret = _talloc_free(ptr);
+	errno = saved_errno;
+
+	return ret;
+}
 
 /*
   A talloc version of realloc. The context argument is only used if
@@ -610,7 +621,7 @@ void *_talloc_realloc(const void *context, void *ptr, size_t size, const char *n
 
 	/* size zero is equivalent to free() */
 	if (size == 0) {
-		talloc_free(ptr);
+		_talloc_free(ptr);
 		return NULL;
 	}
 
@@ -1243,7 +1254,7 @@ void *talloc_realloc_fn(const void *context, void *ptr, size_t size)
 
 static void talloc_autofree(void)
 {
-	talloc_free(cleanup_context);
+	_talloc_free(cleanup_context);
 	cleanup_context = NULL;
 }
 
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 476d5c6d51..5a174b9881 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -771,9 +771,7 @@ struct node *read_node(struct connection *conn, const void *ctx,
 	return node;
 
  error:
-	err = errno;
 	talloc_free(node);
-	errno = err;
 	return NULL;
 }
 
-- 
2.35.3

[PATCH 04/20] tools/xenstore: let tdb_logger() preserve errno

[Juergen Gross]

tdb_logger() is called by TDB for logging errors. As errno is checked
often after doing the logging, tdb_logger() should preserve errno.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 5a174b9881..d48208ecfe 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -2345,6 +2345,7 @@ static void tdb_logger(TDB_CONTEXT *tdb, int level, const char * fmt, ...)
 {
 	va_list ap;
 	char *s;
+	int saved_errno = errno;
 
 	va_start(ap, fmt);
 	s = talloc_vasprintf(NULL, fmt, ap);
@@ -2360,6 +2361,8 @@ static void tdb_logger(TDB_CONTEXT *tdb, int level, const char * fmt, ...)
 		trace("talloc failure during logging\n");
 		syslog(LOG_ERR, "talloc failure during logging\n");
 	}
+
+	errno = saved_errno;
 }
 
 void setup_structure(bool live_update)
-- 
2.35.3

[PATCH 05/20] tools/xenstore: preserve errno across corrupt()

[Juergen Gross]

Let corrupt() preserve errno in order to be able to simplify error
handling in future.

This is rather easy as the errno value when entering corrupt() is
saved already.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index d48208ecfe..8c2cca62b7 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -2549,6 +2549,8 @@ void corrupt(struct connection *conn, const char *fmt, ...)
 	talloc_free(str);
 
 	check_store();
+
+	errno = saved_errno;
 }
 
 #ifndef NO_SOCKETS
-- 
2.35.3

[PATCH 06/20] tools/xenstore: remove all watches when a domain has stopped

[Juergen Gross]

When a domain has been recognized to have stopped, remove all its
registered watches. This avoids sending watch events to the dead domain
when all the nodes related to it are being removed by the Xen tools.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_domain.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index aa86892fed..1516df71d8 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -364,6 +364,12 @@ void check_domains(void)
 			    && !domain->shutdown) {
 				domain->shutdown = true;
 				notify = 1;
+				/*
+				 * Avoid triggering watch events when the
+				 * domain's nodes are being deleted.
+				 */
+				if (domain->conn)
+					conn_delete_all_watches(domain->conn);
 			}
 			if (!dominfo.dying)
 				continue;
-- 
2.35.3

[PATCH 07/20] tools/xenstore: enhance hashtable implementation

[Juergen Gross]

Today it is possible to set a flag when calling hashtable_destroy() in
order to specify whether the data associated with the hashtable entries
should be freed or not. The keys of the entries will always be freed.

Change that by replacing the flag of hashtable_destroy() by two flags
for create_hashtable() which will specify whether the data and/or the
key of each entry should be freed or not.

This will enable users to have the key e.g. as part of the data.

Add a new function hashtable_iterate() to call a user specified
function for each entry in the hashtable.

Add new primes to the primetable in order to support smaller sizes of
the hashtable. The primes are selected according to:

https://planetmath.org/goodhashtableprimes

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/hashtable.c      | 66 +++++++++++++++++++++++----------
 tools/xenstore/hashtable.h      | 35 +++++++++++++++--
 tools/xenstore/xenstored_core.c |  7 ++--
 3 files changed, 82 insertions(+), 26 deletions(-)

diff --git a/tools/xenstore/hashtable.c b/tools/xenstore/hashtable.c
index 6ac336eff1..7a1548c490 100644
--- a/tools/xenstore/hashtable.c
+++ b/tools/xenstore/hashtable.c
@@ -16,6 +16,7 @@ struct entry
 
 struct hashtable {
     unsigned int tablelength;
+    unsigned int flags;
     struct entry **table;
     unsigned int entrycount;
     unsigned int loadlimit;
@@ -25,12 +26,11 @@ struct hashtable {
 };
 
 /*
-Credit for primes table: Aaron Krowne
- http://br.endernet.org/~akrowne/
- http://planetmath.org/encyclopedia/GoodHashTablePrimes.html
-*/
+ * Credit for primes table: Aaron Krowne
+ * https://planetmath.org/goodhashtableprimes
+ */
 static const unsigned int primes[] = {
-53, 97, 193, 389,
+11, 23, 53, 97, 193, 389,
 769, 1543, 3079, 6151,
 12289, 24593, 49157, 98317,
 196613, 393241, 786433, 1572869,
@@ -52,7 +52,8 @@ indexFor(unsigned int tablelength, unsigned int hashvalue) {
 struct hashtable *
 create_hashtable(unsigned int minsize,
                  unsigned int (*hashf) (void*),
-                 int (*eqf) (void*,void*))
+                 int (*eqf) (void*,void*),
+                 unsigned int flags)
 {
     struct hashtable *h;
     unsigned int pindex, size = primes[0];
@@ -73,6 +74,7 @@ create_hashtable(unsigned int minsize,
         goto err1;
 
     h->tablelength  = size;
+    h->flags        = flags;
     h->primeindex   = pindex;
     h->entrycount   = 0;
     h->hashfn       = hashf;
@@ -235,7 +237,8 @@ hashtable_remove(struct hashtable *h, void *k)
             *pE = e->next;
             h->entrycount--;
             v = e->v;
-            free(e->k);
+            if (h->flags & HASHTABLE_FREE_KEY)
+                free(e->k);
             free(e);
             return v;
         }
@@ -246,29 +249,52 @@ hashtable_remove(struct hashtable *h, void *k)
 }
 
 /*****************************************************************************/
-/* destroy */
-void
-hashtable_destroy(struct hashtable *h, int free_values)
+int
+hashtable_iterate(struct hashtable *h,
+                  int (*func)(void *k, void *v, void *arg), void *arg)
 {
+    int ret;
     unsigned int i;
     struct entry *e, *f;
     struct entry **table = h->table;
-    if (free_values)
+
+    for (i = 0; i < h->tablelength; i++)
     {
-        for (i = 0; i < h->tablelength; i++)
+        e = table[i];
+        while (e)
         {
-            e = table[i];
-            while (NULL != e)
-            { f = e; e = e->next; free(f->k); free(f->v); free(f); }
+            f = e;
+            e = e->next;
+            ret = func(f->k, f->v, arg);
+            if (ret)
+                return ret;
         }
     }
-    else
+
+    return 0;
+}
+
+/*****************************************************************************/
+/* destroy */
+void
+hashtable_destroy(struct hashtable *h)
+{
+    unsigned int i;
+    struct entry *e, *f;
+    struct entry **table = h->table;
+
+    for (i = 0; i < h->tablelength; i++)
     {
-        for (i = 0; i < h->tablelength; i++)
+        e = table[i];
+        while (NULL != e)
         {
-            e = table[i];
-            while (NULL != e)
-            { f = e; e = e->next; free(f->k); free(f); }
+            f = e;
+            e = e->next;
+            if (h->flags & HASHTABLE_FREE_KEY)
+                free(f->k);
+            if (h->flags & HASHTABLE_FREE_VALUE)
+                free(f->v);
+            free(f);
         }
     }
     free(h->table);
diff --git a/tools/xenstore/hashtable.h b/tools/xenstore/hashtable.h
index 62fef6081a..b31eeaea26 100644
--- a/tools/xenstore/hashtable.h
+++ b/tools/xenstore/hashtable.h
@@ -12,13 +12,21 @@ struct hashtable;
  * @param   minsize         minimum initial size of hashtable
  * @param   hashfunction    function for hashing keys
  * @param   key_eq_fn       function for determining key equality
+ * @param   flags           flags HASHTABLE_*
  * @return                  newly created hashtable or NULL on failure
  */
 
+/* Let hashtable_destroy() free the entries' values. */
+#define HASHTABLE_FREE_VALUE (1U << 0)
+/* Let hashtable_remove() and hashtable_destroy() free the entries' keys. */
+#define HASHTABLE_FREE_KEY   (1U << 1)
+
 struct hashtable *
 create_hashtable(unsigned int minsize,
                  unsigned int (*hashfunction) (void*),
-                 int (*key_eq_fn) (void*,void*));
+                 int (*key_eq_fn) (void*,void*),
+                 unsigned int flags
+);
 
 /*****************************************************************************
  * hashtable_insert
@@ -76,16 +84,37 @@ hashtable_remove(struct hashtable *h, void *k);
 unsigned int
 hashtable_count(struct hashtable *h);
 
+/*****************************************************************************
+ * hashtable_iterate
+
+ * @name           hashtable_iterate
+ * @param   h      the hashtable
+ * @param   func   function to call for each entry
+ * @param   arg    user supplied parameter for func
+ * @return         0 if okay, non-zero return value of func (and iteration
+ *                 was aborted)
+ *
+ * Iterates over all entries in the hashtable and calls func with the
+ * key, value, and the user supplied parameter.
+ * func returning a non-zero value will abort the iteration. In case func is
+ * removing an entry other than itself from the hashtable, it must return a
+ * non-zero value in order to abort the iteration. Inserting entries is
+ * allowed, but it is undefined whether func will be called for those new
+ * entries during this iteration.
+ */
+int
+hashtable_iterate(struct hashtable *h,
+                  int (*func)(void *k, void *v, void *arg), void *arg);
+
 /*****************************************************************************
  * hashtable_destroy
    
  * @name        hashtable_destroy
  * @param   h   the hashtable
- * @param       free_values     whether to call 'free' on the remaining values
  */
 
 void
-hashtable_destroy(struct hashtable *h, int free_values);
+hashtable_destroy(struct hashtable *h);
 
 #endif /* __HASHTABLE_CWC22_H__ */
 
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 8c2cca62b7..1650821922 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -2512,7 +2512,9 @@ void check_store(void)
 		.enoent = check_store_enoent,
 	};
 
-	reachable = create_hashtable(16, hash_from_key_fn, keys_equal_fn);
+	/* Don't free values (they are all void *1) */
+	reachable = create_hashtable(16, hash_from_key_fn, keys_equal_fn,
+				     HASHTABLE_FREE_KEY);
 	if (!reachable) {
 		log("check_store: ENOMEM");
 		return;
@@ -2526,8 +2528,7 @@ void check_store(void)
 		clean_store(reachable);
 	log("Checking store complete.");
 
-	hashtable_destroy(reachable, 0 /* Don't free values (they are all
-					  (void *)1) */);
+	hashtable_destroy(reachable);
 }
 
 
-- 
2.35.3

[PATCH 08/20] tools/xenstore: add hashlist for finding struct domain by domid

[Juergen Gross]

Today finding a struct domain by its domain id requires to scan the
list of domains until finding the correct domid.

Add a hashlist for being able to speed this up. This allows to remove
the linking of struct domain in a list. Note that the list of changed
domains per transaction is kept as a list, as there are no known use
cases with more than 4 domains being touched in a single transaction
(this would be a device handled by a driver domain and being assigned
to a HVM domain with device model in a stubdom, plus the control
domain).

Some simple performance tests comparing the scanning and hashlist have
shown that the hashlist will win as soon as more than 6 entries need
to be scanned.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_domain.c | 112 +++++++++++++++++-------------
 1 file changed, 65 insertions(+), 47 deletions(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 1516df71d8..f6797e53c5 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -48,8 +48,6 @@ static struct node_perms dom_introduce_perms;
 
 struct domain
 {
-	struct list_head list;
-
 	/* The id of this domain */
 	unsigned int domid;
 
@@ -96,7 +94,7 @@ struct domain
 	bool wrl_delay_logged;
 };
 
-static LIST_HEAD(domains);
+static struct hashtable *domhash;
 
 static bool check_indexes(XENSTORE_RING_IDX cons, XENSTORE_RING_IDX prod)
 {
@@ -309,7 +307,7 @@ static int destroy_domain(void *_domain)
 
 	domain_tree_remove(domain);
 
-	list_del(&domain->list);
+	hashtable_remove(domhash, &domain->domid);
 
 	if (!domain->introduced)
 		return 0;
@@ -341,49 +339,56 @@ static bool get_domain_info(unsigned int domid, xc_dominfo_t *dominfo)
 	       dominfo->domid == domid;
 }
 
-void check_domains(void)
+static int check_domain(void *k, void *v, void *arg)
 {
 	xc_dominfo_t dominfo;
-	struct domain *domain;
 	struct connection *conn;
-	int notify = 0;
 	bool dom_valid;
+	struct domain *domain = v;
+	bool *notify = arg;
 
- again:
-	list_for_each_entry(domain, &domains, list) {
-		dom_valid = get_domain_info(domain->domid, &dominfo);
-		if (!domain->introduced) {
-			if (!dom_valid) {
-				talloc_free(domain);
-				goto again;
-			}
-			continue;
-		}
-		if (dom_valid) {
-			if ((dominfo.crashed || dominfo.shutdown)
-			    && !domain->shutdown) {
-				domain->shutdown = true;
-				notify = 1;
-				/*
-				 * Avoid triggering watch events when the
-				 * domain's nodes are being deleted.
-				 */
-				if (domain->conn)
-					conn_delete_all_watches(domain->conn);
-			}
-			if (!dominfo.dying)
-				continue;
+	dom_valid = get_domain_info(domain->domid, &dominfo);
+	if (!domain->introduced) {
+		if (!dom_valid) {
+			talloc_free(domain);
+			return 1;
 		}
-		if (domain->conn) {
-			/* domain is a talloc child of domain->conn. */
-			conn = domain->conn;
-			domain->conn = NULL;
-			talloc_unlink(talloc_autofree_context(), conn);
-			notify = 0; /* destroy_domain() fires the watch */
-			goto again;
+		return 0;
+	}
+	if (dom_valid) {
+		if ((dominfo.crashed || dominfo.shutdown)
+		    && !domain->shutdown) {
+			domain->shutdown = true;
+			*notify = true;
+			/*
+			 * Avoid triggering watch events when the domain's
+			 * nodes are being deleted.
+			 */
+			if (domain->conn)
+				conn_delete_all_watches(domain->conn);
 		}
+		if (!dominfo.dying)
+			return 0;
+	}
+	if (domain->conn) {
+		/* domain is a talloc child of domain->conn. */
+		conn = domain->conn;
+		domain->conn = NULL;
+		talloc_unlink(talloc_autofree_context(), conn);
+		*notify = false; /* destroy_domain() fires the watch */
+		return 1;
 	}
 
+	return 0;
+}
+
+void check_domains(void)
+{
+	bool notify = false;
+
+	while (hashtable_iterate(domhash, check_domain, &notify))
+		;
+
 	if (notify)
 		fire_watches(NULL, NULL, "@releaseDomain", NULL, true, NULL);
 }
@@ -421,13 +426,7 @@ static char *talloc_domain_path(const void *context, unsigned int domid)
 
 static struct domain *find_domain_struct(unsigned int domid)
 {
-	struct domain *i;
-
-	list_for_each_entry(i, &domains, list) {
-		if (i->domid == domid)
-			return i;
-	}
-	return NULL;
+	return hashtable_search(domhash, &domid);
 }
 
 int domain_get_quota(const void *ctx, struct connection *conn,
@@ -476,9 +475,13 @@ static struct domain *alloc_domain(const void *context, unsigned int domid)
 	domain->generation = generation;
 	domain->introduced = false;
 
-	talloc_set_destructor(domain, destroy_domain);
+	if (!hashtable_insert(domhash, &domain->domid, domain)) {
+		talloc_free(domain);
+		errno = ENOMEM;
+		return NULL;
+	}
 
-	list_add(&domain->list, &domains);
+	talloc_set_destructor(domain, destroy_domain);
 
 	return domain;
 }
@@ -909,10 +912,25 @@ void dom0_init(void)
 	xenevtchn_notify(xce_handle, dom0->port);
 }
 
+static unsigned int domhash_fn(void *k)
+{
+	return *(unsigned int *)k;
+}
+
+static int domeq_fn(void *key1, void *key2)
+{
+	return *(unsigned int *)key1 == *(unsigned int *)key2;
+}
+
 void domain_init(int evtfd)
 {
 	int rc;
 
+	/* Start with a random rather low domain count for the hashtable. */
+	domhash = create_hashtable(8, domhash_fn, domeq_fn, 0);
+	if (!domhash)
+		barf_perror("Failed to allocate domain hashtable");
+
 	xc_handle = talloc(talloc_autofree_context(), xc_interface*);
 	if (!xc_handle)
 		barf_perror("Failed to allocate domain handle");
-- 
2.35.3

[PATCH 09/20] tools/xenstore: introduce dummy nodes for special watch paths

[Juergen Gross]

Instead of special casing the permission handling and watch event
firing for the special watch paths "@introduceDomain" and
"@releaseDomain", use static dummy nodes added to the data base when
starting Xenstore.

This allows to simplify quite some code.

Note that this requires to rework the calls of fire_watches() for the
special events in order to avoid leaking memory.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_control.c |   3 -
 tools/xenstore/xenstored_core.c    |  67 +++++++-----
 tools/xenstore/xenstored_domain.c  | 162 ++++-------------------------
 tools/xenstore/xenstored_domain.h  |   6 --
 tools/xenstore/xenstored_watch.c   |  17 +--
 5 files changed, 63 insertions(+), 192 deletions(-)

diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
index d1aaa00bf4..41e6992591 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -676,9 +676,6 @@ static const char *lu_dump_state(const void *ctx, struct connection *conn)
 	if (ret)
 		goto out;
 	ret = dump_state_connections(fp);
-	if (ret)
-		goto out;
-	ret = dump_state_special_nodes(fp);
 	if (ret)
 		goto out;
 	ret = dump_state_nodes(fp, ctx);
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 1650821922..cadb339486 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -616,7 +616,8 @@ static void get_acc_data(TDB_DATA *key, struct node_account_data *acc)
 static unsigned int get_acc_domid(struct connection *conn, TDB_DATA *key,
 				  unsigned int domid)
 {
-	return (!conn || key->dptr[0] == '/') ? domid : conn->id;
+	return (!conn || key->dptr[0] == '/' || key->dptr[0] == '@')
+	       ? domid : conn->id;
 }
 
 int do_tdb_write(struct connection *conn, TDB_DATA *key, TDB_DATA *data,
@@ -1780,14 +1781,6 @@ static int do_set_perms(const void *ctx, struct connection *conn,
 	if (perms.p[0].perms & XS_PERM_IGNORE)
 		return ENOENT;
 
-	/* First arg is node name. */
-	if (strstarts(in->buffer, "@")) {
-		if (set_perms_special(conn, in->buffer, &perms))
-			return errno;
-		send_ack(conn, XS_SET_PERMS);
-		return 0;
-	}
-
 	/* We must own node to do this (tools can do this too). */
 	node = get_node_canonicalized(conn, ctx, in->buffer, &name,
 				      XS_PERM_WRITE | XS_PERM_OWNER);
@@ -2388,7 +2381,9 @@ void setup_structure(bool live_update)
 		manual_node("/", "tool");
 		manual_node("/tool", "xenstored");
 		manual_node("/tool/xenstored", NULL);
-		domain_entry_fix(dom0_domid, 3, true);
+		manual_node("@releaseDomain", NULL);
+		manual_node("@introduceDomain", NULL);
+		domain_entry_fix(dom0_domid, 5, true);
 	}
 
 	check_store();
@@ -3170,6 +3165,23 @@ static int dump_state_node(const void *ctx, struct connection *conn,
 	return WALK_TREE_OK;
 }
 
+static int dump_state_special_node(FILE *fp, const void *ctx,
+				   struct dump_node_data *data,
+				   const char *name)
+{
+	struct node *node;
+	int ret;
+
+	node = read_node(NULL, ctx, name);
+	if (!node)
+		return dump_state_node_err(data, "Dump node read node error");
+
+	ret = dump_state_node(ctx, NULL, node, data);
+	talloc_free(node);
+
+	return ret;
+}
+
 const char *dump_state_nodes(FILE *fp, const void *ctx)
 {
 	struct dump_node_data data = {
@@ -3181,6 +3193,11 @@ const char *dump_state_nodes(FILE *fp, const void *ctx)
 	if (walk_node_tree(ctx, NULL, "/", &walkfuncs, &data))
 		return data.err;
 
+	if (dump_state_special_node(fp, ctx, &data, "@releaseDomain"))
+		return data.err;
+	if (dump_state_special_node(fp, ctx, &data, "@introduceDomain"))
+		return data.err;
+
 	return NULL;
 }
 
@@ -3354,25 +3371,21 @@ void read_state_node(const void *ctx, const void *state)
 		node->perms.p[i].id = sn->perms[i].domid;
 	}
 
-	if (strstarts(name, "@")) {
-		set_perms_special(&conn, name, &node->perms);
-		talloc_free(node);
-		return;
-	}
-
-	parentname = get_parent(node, name);
-	if (!parentname)
-		barf("allocation error restoring node");
-	parent = read_node(NULL, node, parentname);
-	if (!parent)
-		barf("read parent error restoring node");
+	if (!strstarts(name, "@")) {
+		parentname = get_parent(node, name);
+		if (!parentname)
+			barf("allocation error restoring node");
+		parent = read_node(NULL, node, parentname);
+		if (!parent)
+			barf("read parent error restoring node");
 
-	if (add_child(node, parent, name))
-		barf("allocation error restoring node");
+		if (add_child(node, parent, name))
+			barf("allocation error restoring node");
 
-	set_tdb_key(parentname, &key);
-	if (write_node_raw(NULL, &key, parent, true))
-		barf("write parent error restoring node");
+		set_tdb_key(parentname, &key);
+		if (write_node_raw(NULL, &key, parent, true))
+			barf("write parent error restoring node");
+	}
 
 	set_tdb_key(name, &key);
 	if (write_node_raw(NULL, &key, node, true))
diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index f6797e53c5..5756010944 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -43,9 +43,6 @@ static evtchn_port_t virq_port;
 
 xenevtchn_handle *xce_handle = NULL;
 
-static struct node_perms dom_release_perms;
-static struct node_perms dom_introduce_perms;
-
 struct domain
 {
 	/* The id of this domain */
@@ -225,27 +222,6 @@ static void unmap_interface(void *interface)
 	xengnttab_unmap(*xgt_handle, interface, 1);
 }
 
-static void remove_domid_from_perm(struct node_perms *perms,
-				   struct domain *domain)
-{
-	unsigned int cur, new;
-
-	if (perms->p[0].id == domain->domid)
-		perms->p[0].id = priv_domid;
-
-	for (cur = new = 1; cur < perms->num; cur++) {
-		if (perms->p[cur].id == domain->domid)
-			continue;
-
-		if (new != cur)
-			perms->p[new] = perms->p[cur];
-
-		new++;
-	}
-
-	perms->num = new;
-}
-
 static int domain_tree_remove_sub(const void *ctx, struct connection *conn,
 				  struct node *node, void *arg)
 {
@@ -297,8 +273,24 @@ static void domain_tree_remove(struct domain *domain)
 			       "error when looking for orphaned nodes\n");
 	}
 
-	remove_domid_from_perm(&dom_release_perms, domain);
-	remove_domid_from_perm(&dom_introduce_perms, domain);
+	walk_node_tree(domain, NULL, "@releaseDomain", &walkfuncs, domain);
+	walk_node_tree(domain, NULL, "@introduceDomain", &walkfuncs, domain);
+}
+
+static void fire_special_watches(const char *name)
+{
+	void *ctx = talloc_new(NULL);
+	struct node *node;
+
+	if (!ctx)
+		return;
+
+	node = read_node(NULL, ctx, name);
+
+	if (node)
+		fire_watches(NULL, ctx, name, node, true, NULL);
+
+	talloc_free(ctx);
 }
 
 static int destroy_domain(void *_domain)
@@ -326,7 +318,7 @@ static int destroy_domain(void *_domain)
 			unmap_interface(domain->interface);
 	}
 
-	fire_watches(NULL, domain, "@releaseDomain", NULL, true, NULL);
+	fire_special_watches("@releaseDomain");
 
 	wrl_domain_destroy(domain);
 
@@ -390,7 +382,7 @@ void check_domains(void)
 		;
 
 	if (notify)
-		fire_watches(NULL, NULL, "@releaseDomain", NULL, true, NULL);
+		fire_special_watches("@releaseDomain");
 }
 
 /* We scan all domains rather than use the information given here. */
@@ -639,8 +631,7 @@ static struct domain *introduce_domain(const void *ctx,
 		}
 
 		if (!is_master_domain && !restore)
-			fire_watches(NULL, ctx, "@introduceDomain", NULL,
-				     true, NULL);
+			fire_special_watches("@introduceDomain");
 	} else {
 		/* Use XS_INTRODUCE for recreating the xenbus event-channel. */
 		if (domain->port)
@@ -843,59 +834,6 @@ const char *get_implicit_path(const struct connection *conn)
 	return conn->domain->path;
 }
 
-static int set_dom_perms_default(struct node_perms *perms)
-{
-	perms->num = 1;
-	perms->p = talloc_array(NULL, struct xs_permissions, perms->num);
-	if (!perms->p)
-		return -1;
-	perms->p->id = 0;
-	perms->p->perms = XS_PERM_NONE;
-
-	return 0;
-}
-
-static struct node_perms *get_perms_special(const char *name)
-{
-	if (!strcmp(name, "@releaseDomain"))
-		return &dom_release_perms;
-	if (!strcmp(name, "@introduceDomain"))
-		return &dom_introduce_perms;
-	return NULL;
-}
-
-int set_perms_special(struct connection *conn, const char *name,
-		      struct node_perms *perms)
-{
-	struct node_perms *p;
-
-	p = get_perms_special(name);
-	if (!p)
-		return EINVAL;
-
-	if ((perm_for_conn(conn, p) & (XS_PERM_WRITE | XS_PERM_OWNER)) !=
-	    (XS_PERM_WRITE | XS_PERM_OWNER))
-		return EACCES;
-
-	p->num = perms->num;
-	talloc_free(p->p);
-	p->p = perms->p;
-	talloc_steal(NULL, perms->p);
-
-	return 0;
-}
-
-bool check_perms_special(const char *name, struct connection *conn)
-{
-	struct node_perms *p;
-
-	p = get_perms_special(name);
-	if (!p)
-		return false;
-
-	return perm_for_conn(conn, p) & XS_PERM_READ;
-}
-
 void dom0_init(void)
 {
 	evtchn_port_t port;
@@ -965,10 +903,6 @@ void domain_init(int evtfd)
 	if (xce_handle == NULL)
 		barf_perror("Failed to open evtchn device");
 
-	if (set_dom_perms_default(&dom_release_perms) ||
-	    set_dom_perms_default(&dom_introduce_perms))
-		barf_perror("Failed to set special permissions");
-
 	if ((rc = xenevtchn_bind_virq(xce_handle, VIRQ_DOM_EXC)) == -1)
 		barf_perror("Failed to bind to domain exception virq port");
 	virq_port = rc;
@@ -1538,60 +1472,6 @@ const char *dump_state_connections(FILE *fp)
 	return ret;
 }
 
-static const char *dump_state_special_node(FILE *fp, const char *name,
-					   const struct node_perms *perms)
-{
-	struct xs_state_record_header head;
-	struct xs_state_node sn;
-	unsigned int pathlen;
-	const char *ret;
-
-	pathlen = strlen(name) + 1;
-
-	head.type = XS_STATE_TYPE_NODE;
-	head.length = sizeof(sn);
-
-	sn.conn_id = 0;
-	sn.ta_id = 0;
-	sn.ta_access = 0;
-	sn.perm_n = perms->num;
-	sn.path_len = pathlen;
-	sn.data_len = 0;
-	head.length += perms->num * sizeof(*sn.perms);
-	head.length += pathlen;
-	head.length = ROUNDUP(head.length, 3);
-	if (fwrite(&head, sizeof(head), 1, fp) != 1)
-		return "Dump special node error";
-	if (fwrite(&sn, sizeof(sn), 1, fp) != 1)
-		return "Dump special node error";
-
-	ret = dump_state_node_perms(fp, perms->p, perms->num);
-	if (ret)
-		return ret;
-
-	if (fwrite(name, pathlen, 1, fp) != 1)
-		return "Dump special node path error";
-
-	ret = dump_state_align(fp);
-
-	return ret;
-}
-
-const char *dump_state_special_nodes(FILE *fp)
-{
-	const char *ret;
-
-	ret = dump_state_special_node(fp, "@releaseDomain",
-				      &dom_release_perms);
-	if (ret)
-		return ret;
-
-	ret = dump_state_special_node(fp, "@introduceDomain",
-				      &dom_introduce_perms);
-
-	return ret;
-}
-
 void read_state_connection(const void *ctx, const void *state)
 {
 	const struct xs_state_connection *sc = state;
diff --git a/tools/xenstore/xenstored_domain.h b/tools/xenstore/xenstored_domain.h
index b38c82991d..630641d620 100644
--- a/tools/xenstore/xenstored_domain.h
+++ b/tools/xenstore/xenstored_domain.h
@@ -99,11 +99,6 @@ void domain_outstanding_domid_dec(unsigned int domid);
 int domain_get_quota(const void *ctx, struct connection *conn,
 		     unsigned int domid);
 
-/* Special node permission handling. */
-int set_perms_special(struct connection *conn, const char *name,
-		      struct node_perms *perms);
-bool check_perms_special(const char *name, struct connection *conn);
-
 /* Write rate limiting */
 
 #define WRL_FACTOR   1000 /* for fixed-point arithmetic */
@@ -132,7 +127,6 @@ void wrl_apply_debit_direct(struct connection *conn);
 void wrl_apply_debit_trans_commit(struct connection *conn);
 
 const char *dump_state_connections(FILE *fp);
-const char *dump_state_special_nodes(FILE *fp);
 
 void read_state_connection(const void *ctx, const void *state);
 
diff --git a/tools/xenstore/xenstored_watch.c b/tools/xenstore/xenstored_watch.c
index 316c08b7f7..75748ac109 100644
--- a/tools/xenstore/xenstored_watch.c
+++ b/tools/xenstore/xenstored_watch.c
@@ -46,13 +46,6 @@ struct watch
 	char *node;
 };
 
-static bool check_special_event(const char *name)
-{
-	assert(name);
-
-	return strstarts(name, "@");
-}
-
 /* Is child a subnode of parent, or equal? */
 static bool is_child(const char *child, const char *parent)
 {
@@ -153,14 +146,8 @@ void fire_watches(struct connection *conn, const void *ctx, const char *name,
 
 	/* Create an event for each watch. */
 	list_for_each_entry(i, &connections, list) {
-		/* introduce/release domain watches */
-		if (check_special_event(name)) {
-			if (!check_perms_special(name, i))
-				continue;
-		} else {
-			if (!watch_permitted(i, ctx, name, node, perms))
-				continue;
-		}
+		if (!watch_permitted(i, ctx, name, node, perms))
+			continue;
 
 		list_for_each_entry(watch, &i->watches, list) {
 			if (exact) {
-- 
2.35.3

[PATCH 10/20] tools/xenstore: replace watch->relative_path with a prefix length

[Juergen Gross]

Instead of storing a pointer to the path which is prepended to
relative paths in struct watch, just use the length of the prepended
path.

It should be noted that the now removed special case of the
relative path being "" in get_watch_path() can't happen at all.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_watch.c | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/tools/xenstore/xenstored_watch.c b/tools/xenstore/xenstored_watch.c
index 75748ac109..8bed967c56 100644
--- a/tools/xenstore/xenstored_watch.c
+++ b/tools/xenstore/xenstored_watch.c
@@ -39,8 +39,8 @@ struct watch
 	/* Current outstanding events applying to this watch. */
 	struct list_head events;
 
-	/* Is this relative to connnection's implicit path? */
-	const char *relative_path;
+	/* Offset into path for skipping prefix (used for relative paths). */
+	unsigned int prefix_len;
 
 	char *token;
 	char *node;
@@ -66,15 +66,7 @@ static bool is_child(const char *child, const char *parent)
 
 static const char *get_watch_path(const struct watch *watch, const char *name)
 {
-	const char *path = name;
-
-	if (watch->relative_path) {
-		path += strlen(watch->relative_path);
-		if (*path == '/') /* Could be "" */
-			path++;
-	}
-
-	return path;
+	return name + watch->prefix_len;
 }
 
 /*
@@ -211,10 +203,7 @@ static struct watch *add_watch(struct connection *conn, char *path, char *token,
 			      no_quota_check))
 		goto nomem;
 
-	if (relative)
-		watch->relative_path = get_implicit_path(conn);
-	else
-		watch->relative_path = NULL;
+	watch->prefix_len = relative ? strlen(get_implicit_path(conn)) + 1 : 0;
 
 	INIT_LIST_HEAD(&watch->events);
 
@@ -316,7 +305,6 @@ const char *dump_state_watches(FILE *fp, struct connection *conn,
 	struct watch *watch;
 	struct xs_state_watch sw;
 	struct xs_state_record_header head;
-	const char *path;
 
 	head.type = XS_STATE_TYPE_WATCH;
 
@@ -324,8 +312,7 @@ const char *dump_state_watches(FILE *fp, struct connection *conn,
 		head.length = sizeof(sw);
 
 		sw.conn_id = conn_id;
-		path = get_watch_path(watch, watch->node);
-		sw.path_length = strlen(path) + 1;
+		sw.path_length = strlen(watch->node + watch->prefix_len) + 1;
 		sw.token_length = strlen(watch->token) + 1;
 		head.length += sw.path_length + sw.token_length;
 		head.length = ROUNDUP(head.length, 3);
@@ -334,7 +321,8 @@ const char *dump_state_watches(FILE *fp, struct connection *conn,
 		if (fwrite(&sw, sizeof(sw), 1, fp) != 1)
 			return "Dump watch state error";
 
-		if (fwrite(path, sw.path_length, 1, fp) != 1)
+		if (fwrite(watch->node + watch->prefix_len, sw.path_length,
+			   1, fp) != 1)
 			return "Dump watch path error";
 		if (fwrite(watch->token, sw.token_length, 1, fp) != 1)
 			return "Dump watch token error";
-- 
2.35.3

[PATCH 11/20] tools/xenstore: move changed domain handling

[Juergen Gross]

Move all code related to struct changed_domain from
xenstored_transaction.c to xenstored_domain.c.

This will be needed later in order to simplify the accounting data
updates in cases of errors during a request.

Split the code to have a more generic base framework.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_domain.c      | 85 +++++++++++++++++++++++++-
 tools/xenstore/xenstored_domain.h      |  3 +
 tools/xenstore/xenstored_transaction.c | 64 ++-----------------
 3 files changed, 90 insertions(+), 62 deletions(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 5756010944..14fd84c288 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -91,6 +91,18 @@ struct domain
 	bool wrl_delay_logged;
 };
 
+struct changed_domain
+{
+	/* List of all changed domains. */
+	struct list_head list;
+
+	/* Identifier of the changed domain. */
+	unsigned int domid;
+
+	/* Amount by which this domain's nbentry field has changed. */
+	int nbentry;
+};
+
 static struct hashtable *domhash;
 
 static bool check_indexes(XENSTORE_RING_IDX cons, XENSTORE_RING_IDX prod)
@@ -492,8 +504,12 @@ static struct domain *find_or_alloc_existing_domain(unsigned int domid)
 	xc_dominfo_t dominfo;
 
 	domain = find_domain_struct(domid);
-	if (!domain && get_domain_info(domid, &dominfo))
-		domain = alloc_domain(NULL, domid);
+	if (!domain) {
+		if (!get_domain_info(domid, &dominfo))
+			errno = ENOENT;
+		else
+			domain = alloc_domain(NULL, domid);
+	}
 
 	return domain;
 }
@@ -547,6 +563,71 @@ static struct domain *find_domain_by_domid(unsigned int domid)
 	return (d && d->introduced) ? d : NULL;
 }
 
+int acc_fix_domains(struct list_head *head, bool update)
+{
+	struct changed_domain *cd;
+	int cnt;
+
+	list_for_each_entry(cd, head, list) {
+		cnt = domain_entry_fix(cd->domid, cd->nbentry, update);
+		if (!update) {
+			if (cnt >= quota_nb_entry_per_domain)
+				return ENOSPC;
+			if (cnt < 0)
+				return ENOMEM;
+		}
+	}
+
+	return 0;
+}
+
+static struct changed_domain *acc_find_changed_domain(struct list_head *head,
+						      unsigned int domid)
+{
+	struct changed_domain *cd;
+
+	list_for_each_entry(cd, head, list) {
+		if (cd->domid == domid)
+			return cd;
+	}
+
+	return NULL;
+}
+
+static struct changed_domain *acc_get_changed_domain(const void *ctx,
+						     struct list_head *head,
+						     unsigned int domid)
+{
+	struct changed_domain *cd;
+
+	cd = acc_find_changed_domain(head, domid);
+	if (cd)
+		return cd;
+
+	cd = talloc_zero(ctx, struct changed_domain);
+	if (!cd)
+		return NULL;
+
+	cd->domid = domid;
+	list_add_tail(&cd->list, head);
+
+	return cd;
+}
+
+int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int val,
+			unsigned int domid)
+{
+	struct changed_domain *cd;
+
+	cd = acc_get_changed_domain(ctx, head, domid);
+	if (!cd)
+		return errno;
+
+	cd->nbentry += val;
+
+	return 0;
+}
+
 static void domain_conn_reset(struct domain *domain)
 {
 	struct connection *conn = domain->conn;
diff --git a/tools/xenstore/xenstored_domain.h b/tools/xenstore/xenstored_domain.h
index 630641d620..9e20d2b17d 100644
--- a/tools/xenstore/xenstored_domain.h
+++ b/tools/xenstore/xenstored_domain.h
@@ -98,6 +98,9 @@ void domain_outstanding_dec(struct connection *conn);
 void domain_outstanding_domid_dec(unsigned int domid);
 int domain_get_quota(const void *ctx, struct connection *conn,
 		     unsigned int domid);
+int acc_fix_domains(struct list_head *head, bool update);
+int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int val,
+			unsigned int domid);
 
 /* Write rate limiting */
 
diff --git a/tools/xenstore/xenstored_transaction.c b/tools/xenstore/xenstored_transaction.c
index ac854197ca..89b92f0baf 100644
--- a/tools/xenstore/xenstored_transaction.c
+++ b/tools/xenstore/xenstored_transaction.c
@@ -137,18 +137,6 @@ struct accessed_node
 	bool watch_exact;
 };
 
-struct changed_domain
-{
-	/* List of all changed domains in the context of this transaction. */
-	struct list_head list;
-
-	/* Identifier of the changed domain. */
-	unsigned int domid;
-
-	/* Amount by which this domain's nbentry field has changed. */
-	int nbentry;
-};
-
 struct transaction
 {
 	/* List of all transactions active on this connection. */
@@ -514,24 +502,6 @@ int do_transaction_start(const void *ctx, struct connection *conn,
 	return 0;
 }
 
-static int transaction_fix_domains(struct transaction *trans, bool update)
-{
-	struct changed_domain *d;
-	int cnt;
-
-	list_for_each_entry(d, &trans->changed_domains, list) {
-		cnt = domain_entry_fix(d->domid, d->nbentry, update);
-		if (!update) {
-			if (cnt >= quota_nb_entry_per_domain)
-				return ENOSPC;
-			if (cnt < 0)
-				return ENOMEM;
-		}
-	}
-
-	return 0;
-}
-
 int do_transaction_end(const void *ctx, struct connection *conn,
 		       struct buffered_data *in)
 {
@@ -558,7 +528,7 @@ int do_transaction_end(const void *ctx, struct connection *conn,
 	if (streq(arg, "T")) {
 		if (trans->fail)
 			return ENOMEM;
-		ret = transaction_fix_domains(trans, false);
+		ret = acc_fix_domains(&trans->changed_domains, false);
 		if (ret)
 			return ret;
 		ret = finalize_transaction(conn, trans, &is_corrupt);
@@ -568,7 +538,7 @@ int do_transaction_end(const void *ctx, struct connection *conn,
 		wrl_apply_debit_trans_commit(conn);
 
 		/* fix domain entry for each changed domain */
-		transaction_fix_domains(trans, true);
+		acc_fix_domains(&trans->changed_domains, true);
 
 		if (is_corrupt)
 			corrupt(conn, "transaction inconsistency");
@@ -580,44 +550,18 @@ int do_transaction_end(const void *ctx, struct connection *conn,
 
 void transaction_entry_inc(struct transaction *trans, unsigned int domid)
 {
-	struct changed_domain *d;
-
-	list_for_each_entry(d, &trans->changed_domains, list)
-		if (d->domid == domid) {
-			d->nbentry++;
-			return;
-		}
-
-	d = talloc(trans, struct changed_domain);
-	if (!d) {
+	if (acc_add_dom_nbentry(trans, &trans->changed_domains, 1, domid)) {
 		/* Let the transaction fail. */
 		trans->fail = true;
-		return;
 	}
-	d->domid = domid;
-	d->nbentry = 1;
-	list_add_tail(&d->list, &trans->changed_domains);
 }
 
 void transaction_entry_dec(struct transaction *trans, unsigned int domid)
 {
-	struct changed_domain *d;
-
-	list_for_each_entry(d, &trans->changed_domains, list)
-		if (d->domid == domid) {
-			d->nbentry--;
-			return;
-		}
-
-	d = talloc(trans, struct changed_domain);
-	if (!d) {
+	if (acc_add_dom_nbentry(trans, &trans->changed_domains, -1, domid)) {
 		/* Let the transaction fail. */
 		trans->fail = true;
-		return;
 	}
-	d->domid = domid;
-	d->nbentry = -1;
-	list_add_tail(&d->list, &trans->changed_domains);
 }
 
 void fail_transaction(struct transaction *trans)
-- 
2.35.3

[PATCH 12/20] tools/xenstore: change per-domain node accounting interface

[Juergen Gross]

Rework the interface and the internals of the per-domain node
accounting:

- rename the functions to domain_nbentry_*() in order to better match
  the related counter name

- switch from node pointer to domid as interface, as all nodes have the
  owner filled in

- use a common internal function for adding a value to the counter

For the transaction case add a helper function to get the list head
of the per-transaction changed domains, enabling to eliminate the
transaction_entry_*() functions.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_core.c        |  22 ++---
 tools/xenstore/xenstored_domain.c      | 122 +++++++++++--------------
 tools/xenstore/xenstored_domain.h      |  10 +-
 tools/xenstore/xenstored_transaction.c |  15 +--
 tools/xenstore/xenstored_transaction.h |   7 +-
 5 files changed, 72 insertions(+), 104 deletions(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index cadb339486..5fd4f8e606 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -1449,7 +1449,7 @@ static void destroy_node_rm(struct connection *conn, struct node *node)
 static int destroy_node(struct connection *conn, struct node *node)
 {
 	destroy_node_rm(conn, node);
-	domain_entry_dec(conn, node);
+	domain_nbentry_dec(conn, node->perms.p[0].id);
 
 	/*
 	 * It is not possible to easily revert the changes in a transaction.
@@ -1488,7 +1488,7 @@ static struct node *create_node(struct connection *conn, const void *ctx,
 	for (i = node; i; i = i->parent) {
 		/* i->parent is set for each new node, so check quota. */
 		if (i->parent &&
-		    domain_entry(conn) >= quota_nb_entry_per_domain) {
+		    domain_nbentry(conn) >= quota_nb_entry_per_domain) {
 			ret = ENOSPC;
 			goto err;
 		}
@@ -1499,7 +1499,7 @@ static struct node *create_node(struct connection *conn, const void *ctx,
 
 		/* Account for new node */
 		if (i->parent) {
-			if (domain_entry_inc(conn, i)) {
+			if (domain_nbentry_inc(conn, i->perms.p[0].id)) {
 				destroy_node_rm(conn, i);
 				return NULL;
 			}
@@ -1652,7 +1652,7 @@ static int delnode_sub(const void *ctx, struct connection *conn,
 	watch_exact = strcmp(root, node->name);
 	fire_watches(conn, ctx, node->name, node, watch_exact, NULL);
 
-	domain_entry_dec(conn, node);
+	domain_nbentry_dec(conn, node->perms.p[0].id);
 
 	return WALK_TREE_RM_CHILDENTRY;
 }
@@ -1793,25 +1793,25 @@ static int do_set_perms(const void *ctx, struct connection *conn,
 		return EPERM;
 
 	old_perms = node->perms;
-	domain_entry_dec(conn, node);
+	domain_nbentry_dec(conn, node->perms.p[0].id);
 	node->perms = perms;
-	if (domain_entry_inc(conn, node)) {
+	if (domain_nbentry_inc(conn, node->perms.p[0].id)) {
 		node->perms = old_perms;
 		/*
 		 * This should never fail because we had a reference on the
 		 * domain before and Xenstored is single-threaded.
 		 */
-		domain_entry_inc(conn, node);
+		domain_nbentry_inc(conn, node->perms.p[0].id);
 		return ENOMEM;
 	}
 
 	if (write_node(conn, node, false)) {
 		int saved_errno = errno;
 
-		domain_entry_dec(conn, node);
+		domain_nbentry_dec(conn, node->perms.p[0].id);
 		node->perms = old_perms;
 		/* No failure possible as above. */
-		domain_entry_inc(conn, node);
+		domain_nbentry_inc(conn, node->perms.p[0].id);
 
 		errno = saved_errno;
 		return errno;
@@ -2383,7 +2383,7 @@ void setup_structure(bool live_update)
 		manual_node("/tool/xenstored", NULL);
 		manual_node("@releaseDomain", NULL);
 		manual_node("@introduceDomain", NULL);
-		domain_entry_fix(dom0_domid, 5, true);
+		domain_nbentry_fix(dom0_domid, 5, true);
 	}
 
 	check_store();
@@ -3391,7 +3391,7 @@ void read_state_node(const void *ctx, const void *state)
 	if (write_node_raw(NULL, &key, node, true))
 		barf("write node error restoring node");
 
-	if (domain_entry_inc(&conn, node))
+	if (domain_nbentry_inc(&conn, node->perms.p[0].id))
 		barf("node accounting error restoring node");
 
 	talloc_free(node);
diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 14fd84c288..b737a77683 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -249,7 +249,7 @@ static int domain_tree_remove_sub(const void *ctx, struct connection *conn,
 		domain->nbentry--;
 		node->perms.p[0].id = priv_domid;
 		node->acc.memory = 0;
-		domain_entry_inc(NULL, node);
+		domain_nbentry_inc(NULL, priv_domid);
 		if (write_node_raw(NULL, &key, node, true)) {
 			/* That's unfortunate. We only can try to continue. */
 			syslog(LOG_ERR,
@@ -569,7 +569,7 @@ int acc_fix_domains(struct list_head *head, bool update)
 	int cnt;
 
 	list_for_each_entry(cd, head, list) {
-		cnt = domain_entry_fix(cd->domid, cd->nbentry, update);
+		cnt = domain_nbentry_fix(cd->domid, cd->nbentry, update);
 		if (!update) {
 			if (cnt >= quota_nb_entry_per_domain)
 				return ENOSPC;
@@ -614,18 +614,19 @@ static struct changed_domain *acc_get_changed_domain(const void *ctx,
 	return cd;
 }
 
-int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int val,
-			unsigned int domid)
+static int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int val,
+			       unsigned int domid)
 {
 	struct changed_domain *cd;
 
 	cd = acc_get_changed_domain(ctx, head, domid);
 	if (!cd)
-		return errno;
+		return 0;
 
+	errno = 0;
 	cd->nbentry += val;
 
-	return 0;
+	return cd->nbentry;
 }
 
 static void domain_conn_reset(struct domain *domain)
@@ -995,30 +996,6 @@ void domain_deinit(void)
 		xenevtchn_unbind(xce_handle, virq_port);
 }
 
-int domain_entry_inc(struct connection *conn, struct node *node)
-{
-	struct domain *d;
-	unsigned int domid;
-
-	if (!node->perms.p)
-		return 0;
-
-	domid = node->perms.p[0].id;
-
-	if (conn && conn->transaction) {
-		transaction_entry_inc(conn->transaction, domid);
-	} else {
-		d = (conn && domid == conn->id && conn->domain) ? conn->domain
-		    : find_or_alloc_existing_domain(domid);
-		if (d)
-			d->nbentry++;
-		else
-			return ENOMEM;
-	}
-
-	return 0;
-}
-
 /*
  * Check whether a domain was created before or after a specific generation
  * count (used for testing whether a node permission is older than a domain).
@@ -1086,62 +1063,67 @@ int domain_adjust_node_perms(struct node *node)
 	return 0;
 }
 
-void domain_entry_dec(struct connection *conn, struct node *node)
+static int domain_nbentry_add(struct connection *conn, unsigned int domid,
+			      int add, bool dom_exists)
 {
 	struct domain *d;
-	unsigned int domid;
-
-	if (!node->perms.p)
-		return;
+	struct list_head *head;
+	int ret;
 
-	domid = node->perms.p ? node->perms.p[0].id : conn->id;
+	if (conn && domid == conn->id && conn->domain)
+		d = conn->domain;
+	else if (dom_exists) {
+		d = find_domain_struct(domid);
+		if (!d) {
+			errno = ENOENT;
+			corrupt(conn, "Missing domain %u\n", domid);
+			return -1;
+		}
+	} else {
+		d = find_or_alloc_existing_domain(domid);
+		if (!d) {
+			errno = ENOMEM;
+			return -1;
+		}
+	}
 
 	if (conn && conn->transaction) {
-		transaction_entry_dec(conn->transaction, domid);
-	} else {
-		d = (conn && domid == conn->id && conn->domain) ? conn->domain
-		    : find_domain_struct(domid);
-		if (d) {
-			d->nbentry--;
-		} else {
-			errno = ENOENT;
-			corrupt(conn,
-				"Node \"%s\" owned by non-existing domain %u\n",
-				node->name, domid);
+		head = transaction_get_changed_domains(conn->transaction);
+		ret = acc_add_dom_nbentry(conn->transaction, head, add, domid);
+		if (errno) {
+			fail_transaction(conn->transaction);
+			return -1;
 		}
+		return d->nbentry + ret;
 	}
+
+	d->nbentry += add;
+
+	return d->nbentry;
 }
 
-int domain_entry_fix(unsigned int domid, int num, bool update)
+int domain_nbentry_inc(struct connection *conn, unsigned int domid)
 {
-	struct domain *d;
-	int cnt;
+	return (domain_nbentry_add(conn, domid, 1, false) < 0) ? errno : 0;
+}
 
-	if (update) {
-		d = find_domain_struct(domid);
-		assert(d);
-	} else {
-		/*
-		 * We are called first with update == false in order to catch
-		 * any error. So do a possible allocation and check for error
-		 * only in this case, as in the case of update == true nothing
-		 * can go wrong anymore as the allocation already happened.
-		 */
-		d = find_or_alloc_existing_domain(domid);
-		if (!d)
-			return -1;
-	}
+int domain_nbentry_dec(struct connection *conn, unsigned int domid)
+{
+	return (domain_nbentry_add(conn, domid, -1, true) < 0) ? errno : 0;
+}
 
-	cnt = d->nbentry + num;
-	assert(cnt >= 0);
+int domain_nbentry_fix(unsigned int domid, int num, bool update)
+{
+	int ret;
 
-	if (update)
-		d->nbentry = cnt;
+	ret = domain_nbentry_add(NULL, domid, update ? num : 0, update);
+	if (ret < 0 || update)
+		return ret;
 
-	return domid_is_unprivileged(domid) ? cnt : 0;
+	return domid_is_unprivileged(domid) ? ret + num : 0;
 }
 
-int domain_entry(struct connection *conn)
+int domain_nbentry(struct connection *conn)
 {
 	return (domain_is_unprivileged(conn))
 		? conn->domain->nbentry
diff --git a/tools/xenstore/xenstored_domain.h b/tools/xenstore/xenstored_domain.h
index 9e20d2b17d..1e402f2609 100644
--- a/tools/xenstore/xenstored_domain.h
+++ b/tools/xenstore/xenstored_domain.h
@@ -66,10 +66,10 @@ int domain_adjust_node_perms(struct node *node);
 int domain_alloc_permrefs(struct node_perms *perms);
 
 /* Quota manipulation */
-int domain_entry_inc(struct connection *conn, struct node *);
-void domain_entry_dec(struct connection *conn, struct node *);
-int domain_entry_fix(unsigned int domid, int num, bool update);
-int domain_entry(struct connection *conn);
+int domain_nbentry_inc(struct connection *conn, unsigned int domid);
+int domain_nbentry_dec(struct connection *conn, unsigned int domid);
+int domain_nbentry_fix(unsigned int domid, int num, bool update);
+int domain_nbentry(struct connection *conn);
 int domain_memory_add(unsigned int domid, int mem, bool no_quota_check);
 
 /*
@@ -99,8 +99,6 @@ void domain_outstanding_domid_dec(unsigned int domid);
 int domain_get_quota(const void *ctx, struct connection *conn,
 		     unsigned int domid);
 int acc_fix_domains(struct list_head *head, bool update);
-int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int val,
-			unsigned int domid);
 
 /* Write rate limiting */
 
diff --git a/tools/xenstore/xenstored_transaction.c b/tools/xenstore/xenstored_transaction.c
index 89b92f0baf..82e5e66c18 100644
--- a/tools/xenstore/xenstored_transaction.c
+++ b/tools/xenstore/xenstored_transaction.c
@@ -548,20 +548,9 @@ int do_transaction_end(const void *ctx, struct connection *conn,
 	return 0;
 }
 
-void transaction_entry_inc(struct transaction *trans, unsigned int domid)
+struct list_head *transaction_get_changed_domains(struct transaction *trans)
 {
-	if (acc_add_dom_nbentry(trans, &trans->changed_domains, 1, domid)) {
-		/* Let the transaction fail. */
-		trans->fail = true;
-	}
-}
-
-void transaction_entry_dec(struct transaction *trans, unsigned int domid)
-{
-	if (acc_add_dom_nbentry(trans, &trans->changed_domains, -1, domid)) {
-		/* Let the transaction fail. */
-		trans->fail = true;
-	}
+	return &trans->changed_domains;
 }
 
 void fail_transaction(struct transaction *trans)
diff --git a/tools/xenstore/xenstored_transaction.h b/tools/xenstore/xenstored_transaction.h
index 3417303f94..b6f8cb7d0a 100644
--- a/tools/xenstore/xenstored_transaction.h
+++ b/tools/xenstore/xenstored_transaction.h
@@ -36,10 +36,6 @@ int do_transaction_end(const void *ctx, struct connection *conn,
 
 struct transaction *transaction_lookup(struct connection *conn, uint32_t id);
 
-/* inc/dec entry number local to trans while changing a node */
-void transaction_entry_inc(struct transaction *trans, unsigned int domid);
-void transaction_entry_dec(struct transaction *trans, unsigned int domid);
-
 /* This node was accessed. */
 int __must_check access_node(struct connection *conn, struct node *node,
                              enum node_access_type type, TDB_DATA *key);
@@ -54,6 +50,9 @@ void transaction_prepend(struct connection *conn, const char *name,
 /* Mark the transaction as failed. This will prevent it to be committed. */
 void fail_transaction(struct transaction *trans);
 
+/* Get the list head of the changed domains. */
+struct list_head *transaction_get_changed_domains(struct transaction *trans);
+
 void conn_delete_all_transactions(struct connection *conn);
 int check_transactions(struct hashtable *hash);
 
-- 
2.35.3

[PATCH 13/20] tools/xenstore: don't allow creating too many nodes in a transaction

[Juergen Gross]

The accounting for the number of nodes of a domain in an active
transaction is not working correctly, as it allows to create arbitrary
number of nodes. The transaction will finally fail due to exceeding
the number of nodes quota, but before closing the transaction an
unprivileged guest could cause Xenstore to use a lot of memory.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_domain.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index b737a77683..529ffb522a 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -1125,9 +1125,8 @@ int domain_nbentry_fix(unsigned int domid, int num, bool update)
 
 int domain_nbentry(struct connection *conn)
 {
-	return (domain_is_unprivileged(conn))
-		? conn->domain->nbentry
-		: 0;
+	return domain_is_unprivileged(conn)
+	       ? domain_nbentry_add(conn, conn->id, 0, true) : 0;
 }
 
 static bool domain_chk_quota(struct domain *domain, int mem)
-- 
2.35.3

[PATCH 14/20] tools/xenstore: replace literal domid 0 with dom0_domid

[Juergen Gross]

There are some places left where dom0 is associated with domid 0.

Use dom0_domid instead.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
V2:
- new patch
---
 tools/xenstore/xenstored_core.c   | 5 +++--
 tools/xenstore/xenstored_domain.c | 8 ++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 5fd4f8e606..5013f8b909 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -2302,9 +2302,10 @@ static void accept_connection(int sock)
 		return;
 
 	conn = new_connection(&socket_funcs);
-	if (conn)
+	if (conn) {
 		conn->fd = fd;
-	else
+		conn->id = dom0_domid;
+	} else
 		close(fd);
 }
 #endif
diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 529ffb522a..0f1c903ee6 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -324,7 +324,7 @@ static int destroy_domain(void *_domain)
 	if (domain->interface) {
 		/* Domain 0 was mapped by dom0_init, so it must be unmapped
 		   using munmap() and not the grant unmap call. */
-		if (domain->domid == 0)
+		if (domain->domid == dom0_domid)
 			unmap_xenbus(domain->interface);
 		else
 			unmap_interface(domain->interface);
@@ -414,7 +414,7 @@ void handle_event(void)
 
 static bool domid_is_unprivileged(unsigned int domid)
 {
-	return domid != 0 && domid != priv_domid;
+	return domid != dom0_domid && domid != priv_domid;
 }
 
 bool domain_is_unprivileged(struct connection *conn)
@@ -806,7 +806,7 @@ static struct domain *onearg_domain(struct connection *conn,
 		return ERR_PTR(-EINVAL);
 
 	domid = atoi(domid_str);
-	if (!domid)
+	if (domid == dom0_domid)
 		return ERR_PTR(-EINVAL);
 
 	return find_connected_domain(domid);
@@ -1009,7 +1009,7 @@ static int chk_domain_generation(unsigned int domid, uint64_t gen)
 {
 	struct domain *d;
 
-	if (!xc_handle && domid == 0)
+	if (!xc_handle && domid == dom0_domid)
 		return 1;
 
 	d = find_domain_struct(domid);
-- 
2.35.3

[PATCH 15/20] tools/xenstore: make domain_is_unprivileged() an inline function

[Juergen Gross]

clang is complaining about a NULL dereference for constructs like:

  domain_is_unprivileged(conn) ? conn->in : NULL

as it can't know that domain_is_unprivileged(conn) will return false
if conn is NULL.

Fix that by making domain_is_unprivileged() an inline function (and
related to that domid_is_unprivileged(), too).

In order not having to make struct domain public, use conn->id instead
of conn->domain->domid for the test.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_core.h   | 10 ++++++++++
 tools/xenstore/xenstored_domain.c | 11 -----------
 tools/xenstore/xenstored_domain.h |  2 --
 3 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/tools/xenstore/xenstored_core.h b/tools/xenstore/xenstored_core.h
index 37006d508d..3c4e27d0dd 100644
--- a/tools/xenstore/xenstored_core.h
+++ b/tools/xenstore/xenstored_core.h
@@ -297,6 +297,16 @@ void unmap_xenbus(void *interface);
 
 static inline int xenbus_master_domid(void) { return dom0_domid; }
 
+static inline bool domid_is_unprivileged(unsigned int domid)
+{
+	return domid != dom0_domid && domid != priv_domid;
+}
+
+static inline bool domain_is_unprivileged(const struct connection *conn)
+{
+	return conn && domid_is_unprivileged(conn->id);
+}
+
 /* Return the event channel used by xenbus. */
 evtchn_port_t xenbus_evtchn(void);
 
diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 0f1c903ee6..368b9bc2b7 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -412,17 +412,6 @@ void handle_event(void)
 		barf_perror("Failed to write to event fd");
 }
 
-static bool domid_is_unprivileged(unsigned int domid)
-{
-	return domid != dom0_domid && domid != priv_domid;
-}
-
-bool domain_is_unprivileged(struct connection *conn)
-{
-	return conn && conn->domain &&
-	       domid_is_unprivileged(conn->domain->domid);
-}
-
 static char *talloc_domain_path(const void *context, unsigned int domid)
 {
 	return talloc_asprintf(context, "/local/domain/%u", domid);
diff --git a/tools/xenstore/xenstored_domain.h b/tools/xenstore/xenstored_domain.h
index 1e402f2609..22996e2576 100644
--- a/tools/xenstore/xenstored_domain.h
+++ b/tools/xenstore/xenstored_domain.h
@@ -59,8 +59,6 @@ void ignore_connection(struct connection *conn, unsigned int err);
 /* Returns the implicit path of a connection (only domains have this) */
 const char *get_implicit_path(const struct connection *conn);
 
-bool domain_is_unprivileged(struct connection *conn);
-
 /* Remove node permissions for no longer existing domains. */
 int domain_adjust_node_perms(struct node *node);
 int domain_alloc_permrefs(struct node_perms *perms);
-- 
2.35.3

[PATCH 16/20] tools/xenstore: let chk_domain_generation() return a bool

[Juergen Gross]

Instead of returning 0 or 1 let chk_domain_generation() return a
boolean value.

Simplify the only caller by removing the ret variable.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_domain.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 368b9bc2b7..3d460a6fa8 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -990,20 +990,20 @@ void domain_deinit(void)
  * count (used for testing whether a node permission is older than a domain).
  *
  * Return values:
- *  0: domain has higher generation count (it is younger than a node with the
- *     given count), or domain isn't existing any longer
- *  1: domain is older than the node
+ *  false: domain has higher generation count (it is younger than a node with
+ *     the given count), or domain isn't existing any longer
+ *  true: domain is older than the node
  */
-static int chk_domain_generation(unsigned int domid, uint64_t gen)
+static bool chk_domain_generation(unsigned int domid, uint64_t gen)
 {
 	struct domain *d;
 
 	if (!xc_handle && domid == dom0_domid)
-		return 1;
+		return true;
 
 	d = find_domain_struct(domid);
 
-	return (d && d->generation <= gen) ? 1 : 0;
+	return d && d->generation <= gen;
 }
 
 /*
@@ -1038,14 +1038,12 @@ int domain_alloc_permrefs(struct node_perms *perms)
 int domain_adjust_node_perms(struct node *node)
 {
 	unsigned int i;
-	int ret;
 
 	for (i = 1; i < node->perms.num; i++) {
 		if (node->perms.p[i].perms & XS_PERM_IGNORE)
 			continue;
-		ret = chk_domain_generation(node->perms.p[i].id,
-					    node->generation);
-		if (!ret)
+		if (!chk_domain_generation(node->perms.p[i].id,
+					   node->generation))
 			node->perms.p[i].perms |= XS_PERM_IGNORE;
 	}
 
-- 
2.35.3

[PATCH 17/20] tools/xenstore: switch hashtable to use the talloc framework

[Juergen Gross]

Instead of using malloc() and friends, let the hashtable implementation
use the talloc framework.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/hashtable.c        | 86 ++++++++++++-------------------
 tools/xenstore/hashtable.h        |  3 +-
 tools/xenstore/xenstored_core.c   |  5 +-
 tools/xenstore/xenstored_domain.c |  2 +-
 4 files changed, 39 insertions(+), 57 deletions(-)

diff --git a/tools/xenstore/hashtable.c b/tools/xenstore/hashtable.c
index 7a1548c490..1c8656e016 100644
--- a/tools/xenstore/hashtable.c
+++ b/tools/xenstore/hashtable.c
@@ -6,6 +6,8 @@
 #include <string.h>
 #include <math.h>
 #include <stdint.h>
+#include <stdarg.h>
+#include "talloc.h"
 
 struct entry
 {
@@ -50,7 +52,7 @@ indexFor(unsigned int tablelength, unsigned int hashvalue) {
 
 /*****************************************************************************/
 struct hashtable *
-create_hashtable(unsigned int minsize,
+create_hashtable(const void *ctx, unsigned int minsize,
                  unsigned int (*hashf) (void*),
                  int (*eqf) (void*,void*),
                  unsigned int flags)
@@ -66,10 +68,10 @@ create_hashtable(unsigned int minsize,
         if (primes[pindex] > minsize) { size = primes[pindex]; break; }
     }
 
-    h = (struct hashtable *)calloc(1, sizeof(struct hashtable));
+    h = talloc_zero(ctx, struct hashtable);
     if (NULL == h)
         goto err0;
-    h->table = (struct entry **)calloc(size, sizeof(struct entry *));
+    h->table = talloc_zero_array(h, struct entry *, size);
     if (NULL == h->table)
         goto err1;
 
@@ -83,7 +85,7 @@ create_hashtable(unsigned int minsize,
     return h;
 
 err1:
-   free(h);
+   talloc_free(h);
 err0:
    return NULL;
 }
@@ -115,47 +117,32 @@ hashtable_expand(struct hashtable *h)
     if (h->primeindex == (prime_table_length - 1)) return 0;
     newsize = primes[++(h->primeindex)];
 
-    newtable = (struct entry **)calloc(newsize, sizeof(struct entry*));
-    if (NULL != newtable)
+    newtable = talloc_realloc(h, h->table, struct entry *, newsize);
+    if (!newtable)
     {
-        /* This algorithm is not 'stable'. ie. it reverses the list
-         * when it transfers entries between the tables */
-        for (i = 0; i < h->tablelength; i++) {
-            while (NULL != (e = h->table[i])) {
-                h->table[i] = e->next;
-                index = indexFor(newsize,e->h);
+        h->primeindex--;
+        return 0;
+    }
+
+    h->table = newtable;
+    memset(newtable + h->tablelength, 0,
+           (newsize - h->tablelength) * sizeof(*newtable));
+    for (i = 0; i < h->tablelength; i++) {
+        for (pE = &(newtable[i]), e = *pE; e != NULL; e = *pE) {
+            index = indexFor(newsize,e->h);
+            if (index == i)
+            {
+                pE = &(e->next);
+            }
+            else
+            {
+                *pE = e->next;
                 e->next = newtable[index];
                 newtable[index] = e;
             }
         }
-        free(h->table);
-        h->table = newtable;
-    }
-    /* Plan B: realloc instead */
-    else 
-    {
-        newtable = (struct entry **)
-                   realloc(h->table, newsize * sizeof(struct entry *));
-        if (NULL == newtable) { (h->primeindex)--; return 0; }
-        h->table = newtable;
-        memset(newtable + h->tablelength, 0,
-               (newsize - h->tablelength) * sizeof(*newtable));
-        for (i = 0; i < h->tablelength; i++) {
-            for (pE = &(newtable[i]), e = *pE; e != NULL; e = *pE) {
-                index = indexFor(newsize,e->h);
-                if (index == i)
-                {
-                    pE = &(e->next);
-                }
-                else
-                {
-                    *pE = e->next;
-                    e->next = newtable[index];
-                    newtable[index] = e;
-                }
-            }
-        }
     }
+
     h->tablelength = newsize;
     h->loadlimit   = (unsigned int)
         (((uint64_t)newsize * max_load_factor) / 100);
@@ -184,7 +171,7 @@ hashtable_insert(struct hashtable *h, void *k, void *v)
          * element may be ok. Next time we insert, we'll try expanding again.*/
         hashtable_expand(h);
     }
-    e = (struct entry *)calloc(1, sizeof(struct entry));
+    e = talloc_zero(h, struct entry);
     if (NULL == e) { --(h->entrycount); return 0; } /*oom*/
     e->h = hash(h,k);
     index = indexFor(h->tablelength,e->h);
@@ -238,8 +225,8 @@ hashtable_remove(struct hashtable *h, void *k)
             h->entrycount--;
             v = e->v;
             if (h->flags & HASHTABLE_FREE_KEY)
-                free(e->k);
-            free(e);
+                talloc_free(e->k);
+            talloc_free(e);
             return v;
         }
         pE = &(e->next);
@@ -280,25 +267,20 @@ void
 hashtable_destroy(struct hashtable *h)
 {
     unsigned int i;
-    struct entry *e, *f;
+    struct entry *e;
     struct entry **table = h->table;
 
     for (i = 0; i < h->tablelength; i++)
     {
-        e = table[i];
-        while (NULL != e)
+        for (e = table[i]; e; e = e->next)
         {
-            f = e;
-            e = e->next;
             if (h->flags & HASHTABLE_FREE_KEY)
-                free(f->k);
+                talloc_free(e->k);
             if (h->flags & HASHTABLE_FREE_VALUE)
-                free(f->v);
-            free(f);
+                talloc_free(e->v);
         }
     }
-    free(h->table);
-    free(h);
+    talloc_free(h);
 }
 
 /*
diff --git a/tools/xenstore/hashtable.h b/tools/xenstore/hashtable.h
index b31eeaea26..07fdc1a82b 100644
--- a/tools/xenstore/hashtable.h
+++ b/tools/xenstore/hashtable.h
@@ -9,6 +9,7 @@ struct hashtable;
  * create_hashtable
    
  * @name                    create_hashtable
+ * @param   ctx             talloc context to use for allocations
  * @param   minsize         minimum initial size of hashtable
  * @param   hashfunction    function for hashing keys
  * @param   key_eq_fn       function for determining key equality
@@ -22,7 +23,7 @@ struct hashtable;
 #define HASHTABLE_FREE_KEY   (1U << 1)
 
 struct hashtable *
-create_hashtable(unsigned int minsize,
+create_hashtable(const void *ctx, unsigned int minsize,
                  unsigned int (*hashfunction) (void*),
                  int (*key_eq_fn) (void*,void*),
                  unsigned int flags
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 5013f8b909..9361ee7696 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -2410,11 +2410,10 @@ static int keys_equal_fn(void *key1, void *key2)
 
 int remember_string(struct hashtable *hash, const char *str)
 {
-	char *k = malloc(strlen(str) + 1);
+	char *k = talloc_strdup(NULL, str);
 
 	if (!k)
 		return 0;
-	strcpy(k, str);
 	return hashtable_insert(hash, k, (void *)1);
 }
 
@@ -2509,7 +2508,7 @@ void check_store(void)
 	};
 
 	/* Don't free values (they are all void *1) */
-	reachable = create_hashtable(16, hash_from_key_fn, keys_equal_fn,
+	reachable = create_hashtable(NULL, 16, hash_from_key_fn, keys_equal_fn,
 				     HASHTABLE_FREE_KEY);
 	if (!reachable) {
 		log("check_store: ENOMEM");
diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 3d460a6fa8..0bf35cd353 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -936,7 +936,7 @@ void domain_init(int evtfd)
 	int rc;
 
 	/* Start with a random rather low domain count for the hashtable. */
-	domhash = create_hashtable(8, domhash_fn, domeq_fn, 0);
+	domhash = create_hashtable(NULL, 8, domhash_fn, domeq_fn, 0);
 	if (!domhash)
 		barf_perror("Failed to allocate domain hashtable");
 
-- 
2.35.3

[PATCH 18/20] tools/xenstore: make log macro globally available

[Juergen Gross]

Move the definition of the log() macro to xenstored_core.h in order
to make it usable from other source files, too.

While at it preserve errno from being modified.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
V2:
- preserve errno (Julien Grall)
---
 tools/xenstore/xenstored_core.c | 14 --------------
 tools/xenstore/xenstored_core.h | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 9361ee7696..e79d82cbff 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -88,20 +88,6 @@ TDB_CONTEXT *tdb_ctx = NULL;
 
 static const char *sockmsg_string(enum xsd_sockmsg_type type);
 
-#define log(...)							\
-	do {								\
-		char *s = talloc_asprintf(NULL, __VA_ARGS__);		\
-		if (s) {						\
-			trace("%s\n", s);				\
-			syslog(LOG_ERR, "%s\n",  s);			\
-			talloc_free(s);					\
-		} else {						\
-			trace("talloc failure during logging\n");	\
-			syslog(LOG_ERR, "talloc failure during logging\n"); \
-		}							\
-	} while (0)
-
-
 int quota_nb_entry_per_domain = 1000;
 int quota_nb_watch_per_domain = 128;
 int quota_max_entry_size = 2048; /* 2K */
diff --git a/tools/xenstore/xenstored_core.h b/tools/xenstore/xenstored_core.h
index 3c4e27d0dd..3b96ecd018 100644
--- a/tools/xenstore/xenstored_core.h
+++ b/tools/xenstore/xenstored_core.h
@@ -267,6 +267,21 @@ void trace(const char *fmt, ...) __attribute__ ((format (printf, 1, 2)));
 void reopen_log(void);
 void close_log(void);
 
+#define log(...)							\
+	do {								\
+		int _saved_errno = errno;				\
+		char *s = talloc_asprintf(NULL, __VA_ARGS__);		\
+		if (s) {						\
+			trace("%s\n", s);				\
+			syslog(LOG_ERR, "%s\n",	s);			\
+			talloc_free(s);					\
+		} else {						\
+			trace("talloc failure during logging\n");	\
+			syslog(LOG_ERR, "talloc failure during logging\n"); \
+		}							\
+		errno = _saved_errno;					\
+	} while (0)
+
 extern int orig_argc;
 extern char **orig_argv;
 
-- 
2.35.3

[PATCH 19/20] tools/xenstore: introduce trace classes

[Juergen Gross]

Make the xenstored internal trace configurable by adding classes
which can be switched on and off independently from each other.

Define the following classes:

- obj: Creation and deletion of interesting "objects" (watch,
  transaction, connection)
- io: incoming requests and outgoing responses
- wrl: write limiting

Per default "obj" and "io" are switched on.

Entries written via trace() will always be printed (if tracing is on
at all).

Rename the misnamed xenstore-control commands "logfile" to "tracefile"
and "log" to "trace".

Add the capability to control the trace settings via the "trace"
command and via a new "--trace-control" command line option.

Add a missing trace_create() call for creating a transaction.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 docs/misc/xenstore.txt                 | 18 +++++++----
 tools/xenstore/xenstored_control.c     | 41 +++++++++++++++++++-----
 tools/xenstore/xenstored_core.c        | 44 +++++++++++++++++++++++---
 tools/xenstore/xenstored_core.h        |  6 ++++
 tools/xenstore/xenstored_domain.c      | 27 ++++++++--------
 tools/xenstore/xenstored_transaction.c |  1 +
 6 files changed, 105 insertions(+), 32 deletions(-)

diff --git a/docs/misc/xenstore.txt b/docs/misc/xenstore.txt
index 44428ae3a7..9db0385120 100644
--- a/docs/misc/xenstore.txt
+++ b/docs/misc/xenstore.txt
@@ -409,14 +409,8 @@ CONTROL			<command>|[<parameters>|]
 		error string in case of failure. -s can return "BUSY" in case
 		of an active transaction, a retry of -s can be done in that
 		case.
-	log|on
-		turn xenstore logging on
-	log|off
-		turn xenstore logging off
-	logfile|<file-name>
-		log to specified file
 	memreport|[<file-name>]
-		print memory statistics to logfile (no <file-name>
+		print memory statistics to tracefile (no <file-name>
 		specified) or to specific file
 	print|<string>
 		print <string> to syslog (xenstore runs as daemon) or
@@ -432,6 +426,16 @@ CONTROL			<command>|[<parameters>|]
 		the domain <domid>
 	quota-soft|[set <name> <val>]
 		like the "quota" command, but for soft-quota.
+	trace|[+|-<switch>]
+		without parameters: show possible trace switches
+		+<switch> activates trace entries for <switch>,
+		-<switch> deactivates trace entries for <switch>
+	trace|on
+		turn xenstore tracing on
+	trace|off
+		turn xenstore tracing off
+	tracefile|<file-name>
+		trace to specified file
 	help			<supported-commands>
 		return list of supported commands for CONTROL
 
diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
index 41e6992591..0a985a1faa 100644
--- a/tools/xenstore/xenstored_control.c
+++ b/tools/xenstore/xenstored_control.c
@@ -179,9 +179,31 @@ static int do_control_check(const void *ctx, struct connection *conn,
 	return 0;
 }
 
-static int do_control_log(const void *ctx, struct connection *conn,
-			  char **vec, int num)
+static int do_control_trace(const void *ctx, struct connection *conn,
+			    char **vec, int num)
 {
+	int ret;
+
+	if (num == 0) {
+		char *resp = talloc_asprintf(ctx, "Trace switch settings:\n");
+		unsigned int idx;
+		bool on;
+
+		if (!resp)
+			return ENOMEM;
+		for (idx = 0; trace_switches[idx]; idx++) {
+			on = trace_flags & (1u << idx);
+			resp = talloc_asprintf_append(resp, "%-8s: %s\n",
+						      trace_switches[idx],
+						      on ? "on" : "off");
+			if (!resp)
+				return ENOMEM;
+		}
+
+		send_reply(conn, XS_CONTROL, resp, strlen(resp) + 1);
+		return 0;
+	}
+
 	if (num != 1)
 		return EINVAL;
 
@@ -189,8 +211,11 @@ static int do_control_log(const void *ctx, struct connection *conn,
 		reopen_log();
 	else if (!strcmp(vec[0], "off"))
 		close_log();
-	else
-		return EINVAL;
+	else {
+		ret = set_trace_switch(vec[0]);
+		if (ret)
+			return ret;
+	}
 
 	send_ack(conn, XS_CONTROL);
 	return 0;
@@ -318,8 +343,8 @@ static int do_control_memreport(const void *ctx, struct connection *conn,
 	return 0;
 }
 #else
-static int do_control_logfile(const void *ctx, struct connection *conn,
-			      char **vec, int num)
+static int do_control_tracefile(const void *ctx, struct connection *conn,
+				char **vec, int num)
 {
 	if (num != 1)
 		return EINVAL;
@@ -923,7 +948,7 @@ static int do_control_help(const void *, struct connection *, char **, int);
 
 static struct cmd_s cmds[] = {
 	{ "check", do_control_check, "" },
-	{ "log", do_control_log, "on|off" },
+	{ "trace", do_control_trace, "[on|off|[!]<switch>]" },
 
 #ifndef NO_LIVE_UPDATE
 	/*
@@ -949,7 +974,7 @@ static struct cmd_s cmds[] = {
 #ifdef __MINIOS__
 	{ "memreport", do_control_memreport, "" },
 #else
-	{ "logfile", do_control_logfile, "<file>" },
+	{ "tracefile", do_control_tracefile, "<file>" },
 	{ "memreport", do_control_memreport, "[<file>]" },
 #endif
 	{ "print", do_control_print, "<string>" },
diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index e79d82cbff..86ef511ac0 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -85,6 +85,7 @@ static int reopen_log_pipe[2];
 static int reopen_log_pipe0_pollfd_idx = -1;
 char *tracefile = NULL;
 TDB_CONTEXT *tdb_ctx = NULL;
+unsigned int trace_flags = TRACE_OBJ | TRACE_IO;
 
 static const char *sockmsg_string(enum xsd_sockmsg_type type);
 
@@ -139,13 +140,13 @@ static void trace_io(const struct connection *conn,
 	time_t now;
 	struct tm *tm;
 
-	if (tracefd < 0)
+	if (tracefd < 0 || !(trace_flags & TRACE_IO))
 		return;
 
 	now = time(NULL);
 	tm = localtime(&now);
 
-	trace("%s %p %04d%02d%02d %02d:%02d:%02d %s (",
+	trace("io: %s %p %04d%02d%02d %02d:%02d:%02d %s (",
 	      out ? "OUT" : "IN", conn,
 	      tm->tm_year + 1900, tm->tm_mon + 1,
 	      tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec,
@@ -158,12 +159,14 @@ static void trace_io(const struct connection *conn,
 
 void trace_create(const void *data, const char *type)
 {
-	trace("CREATE %s %p\n", type, data);
+	if (trace_flags & TRACE_OBJ)
+		trace("obj: CREATE %s %p\n", type, data);
 }
 
 void trace_destroy(const void *data, const char *type)
 {
-	trace("DESTROY %s %p\n", type, data);
+	if (trace_flags & TRACE_OBJ)
+		trace("obj: DESTROY %s %p\n", type, data);
 }
 
 /**
@@ -2590,6 +2593,8 @@ static void usage(void)
 "  -N, --no-fork           to request that the daemon does not fork,\n"
 "  -P, --output-pid        to request that the pid of the daemon is output,\n"
 "  -T, --trace-file <file> giving the file for logging, and\n"
+"      --trace-control [!]<switch> activate (no \"!\" prepended) or deactivate\n"
+"                          a specific <switch>\n"
 "  -E, --entry-nb <nb>     limit the number of entries per domain,\n"
 "  -S, --entry-size <size> limit the size of entry per domain, and\n"
 "  -W, --watch-nb <nb>     limit the number of watches per domain,\n"
@@ -2633,6 +2638,7 @@ static struct option options[] = {
 	{ "output-pid", 0, NULL, 'P' },
 	{ "entry-size", 1, NULL, 'S' },
 	{ "trace-file", 1, NULL, 'T' },
+	{ "trace-control", 1, NULL, 1 },
 	{ "transaction", 1, NULL, 't' },
 	{ "perm-nb", 1, NULL, 'A' },
 	{ "path-max", 1, NULL, 'M' },
@@ -2707,6 +2713,33 @@ static void set_quota(const char *arg, bool soft)
 		barf("unknown quota \"%s\"\n", arg);
 }
 
+/* Sorted by bit values of TRACE_* flags. Flag is (1u << index). */
+const char *trace_switches[] = {
+	"obj", "io", "wrl",
+	NULL
+};
+
+int set_trace_switch(const char *arg)
+{
+	bool remove = (arg[0] == '!');
+	unsigned int idx;
+
+	if (remove)
+		arg++;
+
+	for (idx = 0; trace_switches[idx]; idx++) {
+		if (!strcmp(arg, trace_switches[idx])) {
+			if (remove)
+				trace_flags &= ~(1u << idx);
+			else
+				trace_flags |= 1u << idx;
+			return 0;
+		}
+	}
+
+	return EINVAL;
+}
+
 int main(int argc, char *argv[])
 {
 	int opt;
@@ -2755,6 +2788,9 @@ int main(int argc, char *argv[])
 		case 'T':
 			tracefile = optarg;
 			break;
+		case 1:
+			set_trace_switch(optarg);
+			break;
 		case 'I':
 			if (optarg && !strcmp(optarg, "off"))
 				tdb_flags = 0;
diff --git a/tools/xenstore/xenstored_core.h b/tools/xenstore/xenstored_core.h
index 3b96ecd018..c85b15515c 100644
--- a/tools/xenstore/xenstored_core.h
+++ b/tools/xenstore/xenstored_core.h
@@ -287,6 +287,12 @@ extern char **orig_argv;
 
 extern char *tracefile;
 extern int tracefd;
+extern unsigned int trace_flags;
+#define TRACE_OBJ	0x00000001
+#define TRACE_IO	0x00000002
+#define TRACE_WRL	0x00000004
+extern const char *trace_switches[];
+int set_trace_switch(const char *arg);
 
 extern TDB_CONTEXT *tdb_ctx;
 extern int dom0_domid;
diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 0bf35cd353..70d9e9572d 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -1256,6 +1256,12 @@ static long wrl_ndomains;
 static wrl_creditt wrl_reserve; /* [-wrl_config_newdoms_dburst, +_gburst ] */
 static time_t wrl_log_last_warning; /* 0: no previous warning */
 
+#define trace_wrl(...)				\
+do {						\
+	if (trace_flags & TRACE_WRL)		\
+		trace("wrl: " __VA_ARGS__);	\
+} while (0)
+
 void wrl_gettime_now(struct wrl_timestampt *now_wt)
 {
 	struct timespec now_ts;
@@ -1361,12 +1367,9 @@ void wrl_credit_update(struct domain *domain, struct wrl_timestampt now)
 
 	domain->wrl_timestamp = now;
 
-	trace("wrl: dom %4d %6ld  msec  %9ld credit   %9ld reserve"
-	      "  %9ld discard\n",
-	      domain->domid,
-	      msec,
-	      (long)domain->wrl_credit, (long)wrl_reserve,
-	      (long)surplus);
+	trace_wrl("dom %4d %6ld msec %9ld credit %9ld reserve %9ld discard\n",
+		  domain->domid, msec, (long)domain->wrl_credit,
+		  (long)wrl_reserve, (long)surplus);
 }
 
 void wrl_check_timeout(struct domain *domain,
@@ -1398,10 +1401,9 @@ void wrl_check_timeout(struct domain *domain,
 	if (*ptimeout==-1 || wakeup < *ptimeout)
 		*ptimeout = wakeup;
 
-	trace("wrl: domain %u credit=%ld (reserve=%ld) SLEEPING for %d\n",
-	      domain->domid,
-	      (long)domain->wrl_credit, (long)wrl_reserve,
-	      wakeup);
+	trace_wrl("domain %u credit=%ld (reserve=%ld) SLEEPING for %d\n",
+		  domain->domid, (long)domain->wrl_credit, (long)wrl_reserve,
+		  wakeup);
 }
 
 #define WRL_LOG(now, ...) \
@@ -1419,9 +1421,8 @@ void wrl_apply_debit_actual(struct domain *domain)
 	wrl_credit_update(domain, now);
 
 	domain->wrl_credit -= wrl_config_writecost;
-	trace("wrl: domain %u credit=%ld (reserve=%ld)\n",
-	      domain->domid,
-	      (long)domain->wrl_credit, (long)wrl_reserve);
+	trace_wrl("domain %u credit=%ld (reserve=%ld)\n", domain->domid,
+		  (long)domain->wrl_credit, (long)wrl_reserve);
 
 	if (domain->wrl_credit < 0) {
 		if (!domain->wrl_delay_logged) {
diff --git a/tools/xenstore/xenstored_transaction.c b/tools/xenstore/xenstored_transaction.c
index 82e5e66c18..1aa9d3cb3d 100644
--- a/tools/xenstore/xenstored_transaction.c
+++ b/tools/xenstore/xenstored_transaction.c
@@ -475,6 +475,7 @@ int do_transaction_start(const void *ctx, struct connection *conn,
 	if (!trans)
 		return ENOMEM;
 
+	trace_create(trans, "transaction");
 	INIT_LIST_HEAD(&trans->accessed);
 	INIT_LIST_HEAD(&trans->changed_domains);
 	trans->conn = conn;
-- 
2.35.3

[PATCH 20/20] tools/xenstore: let check_store() check the accounting data

[Juergen Gross]

Today check_store() is only testing the correctness of the node tree.

Add verification of the accounting data (number of nodes)  and correct
the data if it is wrong.

Do the initial check_store() call only after Xenstore entries of a
live update have been read.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 tools/xenstore/xenstored_core.c   | 62 ++++++++++++++++------
 tools/xenstore/xenstored_domain.c | 86 +++++++++++++++++++++++++++++++
 tools/xenstore/xenstored_domain.h |  4 ++
 3 files changed, 137 insertions(+), 15 deletions(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 86ef511ac0..ea0e6292d3 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -2375,8 +2375,6 @@ void setup_structure(bool live_update)
 		manual_node("@introduceDomain", NULL);
 		domain_nbentry_fix(dom0_domid, 5, true);
 	}
-
-	check_store();
 }
 
 static unsigned int hash_from_key_fn(void *k)
@@ -2419,20 +2417,28 @@ int remember_string(struct hashtable *hash, const char *str)
  * As we go, we record each node in the given reachable hashtable.  These
  * entries will be used later in clean_store.
  */
+
+struct check_store_data {
+	struct hashtable *reachable;
+	struct hashtable *domains;
+};
+
 static int check_store_step(const void *ctx, struct connection *conn,
 			    struct node *node, void *arg)
 {
-	struct hashtable *reachable = arg;
+	struct check_store_data *data = arg;
 
-	if (hashtable_search(reachable, (void *)node->name)) {
+	if (hashtable_search(data->reachable, (void *)node->name)) {
 		log("check_store: '%s' is duplicated!", node->name);
 		return recovery ? WALK_TREE_RM_CHILDENTRY
 				: WALK_TREE_SKIP_CHILDREN;
 	}
 
-	if (!remember_string(reachable, node->name))
+	if (!remember_string(data->reachable, node->name))
 		return WALK_TREE_ERROR_STOP;
 
+	domain_check_acc_add(node, data->domains);
+
 	return WALK_TREE_OK;
 }
 
@@ -2482,37 +2488,61 @@ static int clean_store_(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA val,
  * Given the list of reachable nodes, iterate over the whole store, and
  * remove any that were not reached.
  */
-static void clean_store(struct hashtable *reachable)
+static void clean_store(struct check_store_data *data)
 {
-	tdb_traverse(tdb_ctx, &clean_store_, reachable);
+	tdb_traverse(tdb_ctx, &clean_store_, data->reachable);
+	domain_check_acc(data->domains);
 }
 
+int check_store_path(const char *name, struct check_store_data *data)
+{
+	struct node *node;
+
+	node = read_node(NULL, NULL, name);
+	if (!node) {
+		log("check_store: error %d reading special node '%s'", errno,
+		    name);
+		return errno;
+	}
+
+	return check_store_step(NULL, NULL, node, data);
+}
 
 void check_store(void)
 {
-	struct hashtable *reachable;
 	struct walk_funcs walkfuncs = {
 		.enter = check_store_step,
 		.enoent = check_store_enoent,
 	};
+	struct check_store_data data;
 
 	/* Don't free values (they are all void *1) */
-	reachable = create_hashtable(NULL, 16, hash_from_key_fn, keys_equal_fn,
-				     HASHTABLE_FREE_KEY);
-	if (!reachable) {
+	data.reachable = create_hashtable(NULL, 16, hash_from_key_fn,
+					  keys_equal_fn, HASHTABLE_FREE_KEY);
+	if (!data.reachable) {
 		log("check_store: ENOMEM");
 		return;
 	}
 
+	data.domains = domain_check_acc_init();
+	if (!data.domains) {
+		log("check_store: ENOMEM");
+		goto out_hash;
+	}
+
 	log("Checking store ...");
-	if (walk_node_tree(NULL, NULL, "/", &walkfuncs, reachable)) {
+	if (walk_node_tree(NULL, NULL, "/", &walkfuncs, &data)) {
 		if (errno == ENOMEM)
 			log("check_store: ENOMEM");
-	} else if (!check_transactions(reachable))
-		clean_store(reachable);
+	} else if (!check_store_path("@introduceDomain", &data) &&
+		   !check_store_path("@releaseDomain", &data) &&
+		   !check_transactions(data.reachable))
+		clean_store(&data);
 	log("Checking store complete.");
 
-	hashtable_destroy(reachable);
+	hashtable_destroy(data.domains);
+ out_hash:
+	hashtable_destroy(data.reachable);
 }
 
 
@@ -2900,6 +2930,8 @@ int main(int argc, char *argv[])
 		lu_read_state();
 #endif
 
+	check_store();
+
 	/* Get ready to listen to the tools. */
 	initialize_fds(&sock_pollfd_idx, &timeout);
 
diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 70d9e9572d..582b78b0ee 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -1569,6 +1569,92 @@ void read_state_connection(const void *ctx, const void *state)
 	read_state_buffered_data(ctx, conn, sc);
 }
 
+struct domain_acc {
+	unsigned int domid;
+	int nodes;
+};
+
+static int domain_check_acc_init_sub(void *k, void *v, void *arg)
+{
+	struct hashtable *domains = arg;
+	struct domain *d = v;
+	struct domain_acc *dom;
+
+	dom = talloc_zero(NULL, struct domain_acc);
+	if (!dom)
+		return -1;
+
+	dom->domid = d->domid;
+	/*
+	 * Set the initial value to the negative one of the current domain.
+	 * If everything is correct incrementing the value for each node will
+	 * result in dom->nodes being 0 at the end.
+	 */
+	dom->nodes = -d->nbentry;
+
+	if (!hashtable_insert(domains, &dom->domid, dom)) {
+		talloc_free(dom);
+		return -1;
+	}
+
+	return 0;
+}
+
+struct hashtable *domain_check_acc_init(void)
+{
+	struct hashtable *domains;
+
+	domains = create_hashtable(NULL, 8, domhash_fn, domeq_fn,
+				   HASHTABLE_FREE_VALUE);
+	if (!domains)
+		return NULL;
+
+	if (hashtable_iterate(domhash, domain_check_acc_init_sub, domains)) {
+		hashtable_destroy(domains);
+		return NULL;
+	}
+
+	return domains;
+}
+
+void domain_check_acc_add(const struct node *node, struct hashtable *domains)
+{
+	struct domain_acc *dom;
+	unsigned int domid;
+
+	domid = node->perms.p[0].id;
+	dom = hashtable_search(domains, &domid);
+	if (!dom)
+		log("Node %s owned by unknown domain %u", node->name, domid);
+	else
+		dom->nodes++;
+}
+
+static int domain_check_acc_sub(void *k, void *v, void *arg)
+{
+	struct domain_acc *dom = v;
+	struct domain *d;
+
+	if (!dom->nodes)
+		return 0;
+
+	log("Correct accounting data for domain %u: nodes are %d off",
+	    dom->domid, dom->nodes);
+
+	d = find_domain_struct(dom->domid);
+	if (!d)
+		return 0;
+
+	d->nbentry += dom->nodes;
+
+	return 0;
+}
+
+void domain_check_acc(struct hashtable *domains)
+{
+	hashtable_iterate(domains, domain_check_acc_sub, NULL);
+}
+
 /*
  * Local variables:
  *  mode: C
diff --git a/tools/xenstore/xenstored_domain.h b/tools/xenstore/xenstored_domain.h
index 22996e2576..dc4660861e 100644
--- a/tools/xenstore/xenstored_domain.h
+++ b/tools/xenstore/xenstored_domain.h
@@ -129,4 +129,8 @@ const char *dump_state_connections(FILE *fp);
 
 void read_state_connection(const void *ctx, const void *state);
 
+struct hashtable *domain_check_acc_init(void);
+void domain_check_acc_add(const struct node *node, struct hashtable *domains);
+void domain_check_acc(struct hashtable *domains);
+
 #endif /* _XENSTORED_DOMAIN_H */
-- 
2.35.3

Re: [PATCH 01/20] tools/xenstore: remove XEN_LIB_STORED and XENSTORED_ROOTDIR

[Andrew Cooper]

On 01/11/2022 15:28, Juergen Gross wrote:
> XEN_LIB_STORED is serving no real purpose, as it is a mount point for
> a tmpfs, so it can be replaced easily by XEN_RUN_STORED.
>
> XENSTORED_ROOTDIR is basically unused already, there is just a single
> reference in xs_daemon_rootdir() with a fallback to XEN_LIB_STORED,
> and a .gdbinit file setting it.
>
> Remove the .gdbinit file, as it is not known having been used since
> ages, and make xs_daemon_rootdir() an alias of xs_daemon_rundir().
>
> Signed-off-by: Juergen Gross <jgross@suse.com>

Do I get a Requested/Reported-by?

Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

CC Henry.  This removes an unneeded mount from dom0 (and associated init
infrastructure), and as such will be a blanket improvement (if marginal)
for 4.17.  I'd like to to be entered for consideration at this point.

~Andrew

RE: [PATCH 01/20] tools/xenstore: remove XEN_LIB_STORED and XENSTORED_ROOTDIR

[Henry Wang]

Hi Andrew,

> -----Original Message-----
> From: Andrew Cooper <Andrew.Cooper3@citrix.com>
> Subject: Re: [PATCH 01/20] tools/xenstore: remove XEN_LIB_STORED and
> XENSTORED_ROOTDIR
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
> > XEN_LIB_STORED is serving no real purpose, as it is a mount point for
> > a tmpfs, so it can be replaced easily by XEN_RUN_STORED.
> >
> > XENSTORED_ROOTDIR is basically unused already, there is just a single
> > reference in xs_daemon_rootdir() with a fallback to XEN_LIB_STORED,
> > and a .gdbinit file setting it.
> >
> > Remove the .gdbinit file, as it is not known having been used since
> > ages, and make xs_daemon_rootdir() an alias of xs_daemon_rundir().
> >
> > Signed-off-by: Juergen Gross <jgross@suse.com>
> 
> Do I get a Requested/Reported-by?
> 
> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> CC Henry.  This removes an unneeded mount from dom0 (and associated init
> infrastructure), and as such will be a blanket improvement (if marginal)
> for 4.17.  I'd like to to be entered for consideration at this point.

Thanks for noticing! Sounds good to me.

Release-acked-by: Henry Wang <Henry.Wang@arm.com>

Kind regards,
Henry


> 
> ~Andrew

Re: [PATCH 01/20] tools/xenstore: remove XEN_LIB_STORED and XENSTORED_ROOTDIR

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 892 bytes --]

On 01.11.22 17:43, Andrew Cooper wrote:
> On 01/11/2022 15:28, Juergen Gross wrote:
>> XEN_LIB_STORED is serving no real purpose, as it is a mount point for
>> a tmpfs, so it can be replaced easily by XEN_RUN_STORED.
>>
>> XENSTORED_ROOTDIR is basically unused already, there is just a single
>> reference in xs_daemon_rootdir() with a fallback to XEN_LIB_STORED,
>> and a .gdbinit file setting it.
>>
>> Remove the .gdbinit file, as it is not known having been used since
>> ages, and make xs_daemon_rootdir() an alias of xs_daemon_rundir().
>>
>> Signed-off-by: Juergen Gross <jgross@suse.com>
> 
> Do I get a Requested/Reported-by?

Oh yes, of course. Do you want me to resend with it? I'd be fine with

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>

added when committing.

> 
> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

Thanks,

Juergen


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 02/20] tools/xenstore: call remove_domid_from_perm() for special nodes

[Andrew Cooper]

On 01/11/2022 15:28, Juergen Gross wrote:
> When destroying a domain, any stale permissions of the domain must be
> removed from the special nodes "@...", too. This was not done in the
> fix for XSA-322.
>
> Fixes: 496306324d8d ("tools/xenstore: revoke access rights for removed domains")
> Signed-off-by: Juergen Gross <jgross@suse.com>
> Reviewed-by: Julien Grall <jgrall@amazon.com>

Henry, this one also ought to be considered for 4.17 at this point, as
it's a bugfix to security fix.

As noted in the cover letter, it is R-by already as it came up in
private, but was ultimately not included in the security content.

Thanks,

~Andrew

RE: [PATCH 02/20] tools/xenstore: call remove_domid_from_perm() for special nodes

[Henry Wang]

Hi Andrew,

> -----Original Message-----
> From: Andrew Cooper <Andrew.Cooper3@citrix.com>
> Subject: Re: [PATCH 02/20] tools/xenstore: call remove_domid_from_perm()
> for special nodes
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
> > When destroying a domain, any stale permissions of the domain must be
> > removed from the special nodes "@...", too. This was not done in the
> > fix for XSA-322.
> >
> > Fixes: 496306324d8d ("tools/xenstore: revoke access rights for removed
> domains")
> > Signed-off-by: Juergen Gross <jgross@suse.com>
> > Reviewed-by: Julien Grall <jgrall@amazon.com>
> 
> Henry, this one also ought to be considered for 4.17 at this point, as
> it's a bugfix to security fix.

Yes, I was wondering why I didn't have an email in my inbox about this
patch :)

Release-acked-by: Henry Wang <Henry.Wang@arm.com>

Kind regards,
Henry

> 
> As noted in the cover letter, it is R-by already as it came up in
> private, but was ultimately not included in the security content.
> 
> Thanks,
> 
> ~Andrew

Re: [PATCH 03/20] tools/xenstore: let talloc_free() preserve errno

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> Today talloc_free() is not guaranteed to preserve errno, especially in
> case a custom destructor is being used.
> 
> Change that by renaming talloc_free() to _talloc_free() in talloc.c and
> adding a wrapper to talloc.c.
> 
> This allows to remove some errno saving outside of talloc.c.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>
> ---
>   tools/xenstore/talloc.c         | 25 ++++++++++++++++++-------
>   tools/xenstore/xenstored_core.c |  2 --
>   2 files changed, 18 insertions(+), 9 deletions(-)
> 
> diff --git a/tools/xenstore/talloc.c b/tools/xenstore/talloc.c
> index d7edcf3a93..5fbefdf091 100644
> --- a/tools/xenstore/talloc.c
> +++ b/tools/xenstore/talloc.c
> @@ -103,6 +103,8 @@ struct talloc_chunk {
>   	unsigned flags;
>   };
>   
> +static int _talloc_free(void *ptr);
> +
>   /* 16 byte alignment seems to keep everyone happy */
>   #define TC_HDR_SIZE ((sizeof(struct talloc_chunk)+15)&~15)
>   #define TC_PTR_FROM_CHUNK(tc) ((void *)(TC_HDR_SIZE + (char*)tc))
> @@ -245,7 +247,7 @@ static int talloc_reference_destructor(void *ptr)
>   		tc1->destructor = NULL;
>   	}
>   	_TLIST_REMOVE(tc2->refs, handle);
> -	talloc_free(handle);
> +	_talloc_free(handle);

 From the commit message, it is not clear to me why we are calling the 
underscore version here. Same for the others below.

>   	return 0;
>   }
>   
> @@ -311,7 +313,7 @@ static int talloc_unreference(const void *context, const void *ptr)
>   
>   	talloc_set_destructor(h, NULL);
>   	_TLIST_REMOVE(tc->refs, h);
> -	talloc_free(h);
> +	_talloc_free(h);
>   	return 0;
>   }
>   
> @@ -349,7 +351,7 @@ int talloc_unlink(const void *context, void *ptr)
>   	tc_p = talloc_chunk_from_ptr(ptr);
>   
>   	if (tc_p->refs == NULL) {
> -		return talloc_free(ptr);
> +		return _talloc_free(ptr);
>   	}
>   
>   	new_p = talloc_parent_chunk(tc_p->refs);
> @@ -521,7 +523,7 @@ static void talloc_free_children(void *ptr)
>   			struct talloc_chunk *p = talloc_parent_chunk(tc->child->refs);
>   			if (p) new_parent = TC_PTR_FROM_CHUNK(p);
>   		}
> -		if (talloc_free(child) == -1) {
> +		if (_talloc_free(child) == -1) {
>   			if (new_parent == null_context) {
>   				struct talloc_chunk *p = talloc_parent_chunk(ptr);
>   				if (p) new_parent = TC_PTR_FROM_CHUNK(p);
> @@ -539,7 +541,7 @@ static void talloc_free_children(void *ptr)
>      will not be freed if the ref_count is > 1 or the destructor (if
>      any) returns non-zero

Can you expand this comment to explain the different between 
_talloc_free() and talloc_free()?

I agree the code is probably clear enough, but better to be obvious.

>   */
> -int talloc_free(void *ptr)
> +static int _talloc_free(void *ptr)
>   {
>   	struct talloc_chunk *tc;
>   
> @@ -597,7 +599,16 @@ int talloc_free(void *ptr)
>   	return 0;
>   }
>   
> +int talloc_free(void *ptr)
> +{
> +	int ret;
> +	int saved_errno = errno;
>   
> +	ret = _talloc_free(ptr);
> +	errno = saved_errno;
> +
> +	return ret;
> +}
>   
>   /*
>     A talloc version of realloc. The context argument is only used if
> @@ -610,7 +621,7 @@ void *_talloc_realloc(const void *context, void *ptr, size_t size, const char *n
>   
>   	/* size zero is equivalent to free() */
>   	if (size == 0) {
> -		talloc_free(ptr);
> +		_talloc_free(ptr);
>   		return NULL;
>   	}
>   
> @@ -1243,7 +1254,7 @@ void *talloc_realloc_fn(const void *context, void *ptr, size_t size)
>   
>   static void talloc_autofree(void)
>   {
> -	talloc_free(cleanup_context);
> +	_talloc_free(cleanup_context);
>   	cleanup_context = NULL;
>   }
>   
> diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
> index 476d5c6d51..5a174b9881 100644
> --- a/tools/xenstore/xenstored_core.c
> +++ b/tools/xenstore/xenstored_core.c
> @@ -771,9 +771,7 @@ struct node *read_node(struct connection *conn, const void *ctx,
>   	return node;
>   
>    error:
> -	err = errno;
>   	talloc_free(node);
> -	errno = err;
>   	return NULL;
>   }
>   

Cheers,

-- 
Julien Grall

Re: [PATCH 04/20] tools/xenstore: let tdb_logger() preserve errno

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> tdb_logger() is called by TDB for logging errors. As errno is checked
> often after doing the logging, tdb_logger() should preserve errno.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>

Reviewed-by: Julien Grall <jgrall@amazon.com>

Cheers,

> ---
>   tools/xenstore/xenstored_core.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
> index 5a174b9881..d48208ecfe 100644
> --- a/tools/xenstore/xenstored_core.c
> +++ b/tools/xenstore/xenstored_core.c
> @@ -2345,6 +2345,7 @@ static void tdb_logger(TDB_CONTEXT *tdb, int level, const char * fmt, ...)
>   {
>   	va_list ap;
>   	char *s;
> +	int saved_errno = errno;
>   
>   	va_start(ap, fmt);
>   	s = talloc_vasprintf(NULL, fmt, ap);
> @@ -2360,6 +2361,8 @@ static void tdb_logger(TDB_CONTEXT *tdb, int level, const char * fmt, ...)
>   		trace("talloc failure during logging\n");
>   		syslog(LOG_ERR, "talloc failure during logging\n");
>   	}
> +
> +	errno = saved_errno;
>   }
>   
>   void setup_structure(bool live_update)

-- 
Julien Grall

Re: [PATCH 05/20] tools/xenstore: preserve errno across corrupt()

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> Let corrupt() preserve errno in order to be able to simplify error
> handling in future.
> 
> This is rather easy as the errno value when entering corrupt() is
> saved already.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>

Reviewed-by: Julien Grall <jgrall@amazon.com>

Cheers,

-- 
Julien Grall

Re: [PATCH 06/20] tools/xenstore: remove all watches when a domain has stopped

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> When a domain has been recognized to have stopped, remove all its
> registered watches. This avoids sending watch events to the dead domain
> when all the nodes related to it are being removed by the Xen tools.

 From my understanding, shutdown doesn't mean dead. It may be used 
during migration (or snapshotting), where we don't want to touch the 
state in case of a cancellation (or resume).

For instance, see the command XS_RESUME which will clear domain->shutdown.

> 
> Signed-off-by: Juergen Gross <jgross@suse.com>
> ---
>   tools/xenstore/xenstored_domain.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
> index aa86892fed..1516df71d8 100644
> --- a/tools/xenstore/xenstored_domain.c
> +++ b/tools/xenstore/xenstored_domain.c
> @@ -364,6 +364,12 @@ void check_domains(void)
>   			    && !domain->shutdown) {
>   				domain->shutdown = true;
>   				notify = 1;
> +				/*
> +				 * Avoid triggering watch events when the
> +				 * domain's nodes are being deleted.
> +				 */
> +				if (domain->conn)
> +					conn_delete_all_watches(domain->conn);
>   			}
>   			if (!dominfo.dying)
>   				continue;

Cheers,

-- 
Julien Grall

Re: [PATCH 09/20] tools/xenstore: introduce dummy nodes for special watch paths

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> Instead of special casing the permission handling and watch event
> firing for the special watch paths "@introduceDomain" and
> "@releaseDomain", use static dummy nodes added to the data base when
> starting Xenstore.

A few questions I think needs to be answered in the commit message:
   - Does this means we could write data in "@..."  node?
   - How about creating sub nodes?
   - What does it mean for the accounting? Before, it was accounted to 
no-one but now it seems to be accounted to the owner (which may not be 
dom0).

> 
> This allows to simplify quite some code.

The diff is quite nice to have, but I am not entirely convinced this is 
making the code easier to understand.

Is this patch helping you for another goal?

> 
> Note that this requires to rework the calls of fire_watches() for the
> special events in order to avoid leaking memory.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>
> ---
>   tools/xenstore/xenstored_control.c |   3 -
>   tools/xenstore/xenstored_core.c    |  67 +++++++-----
>   tools/xenstore/xenstored_domain.c  | 162 ++++-------------------------
>   tools/xenstore/xenstored_domain.h  |   6 --
>   tools/xenstore/xenstored_watch.c   |  17 +--
>   5 files changed, 63 insertions(+), 192 deletions(-)
> 
> diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c
> index d1aaa00bf4..41e6992591 100644
> --- a/tools/xenstore/xenstored_control.c
> +++ b/tools/xenstore/xenstored_control.c
> @@ -676,9 +676,6 @@ static const char *lu_dump_state(const void *ctx, struct connection *conn)
>   	if (ret)
>   		goto out;
>   	ret = dump_state_connections(fp);
> -	if (ret)
> -		goto out;
> -	ret = dump_state_special_nodes(fp);
>   	if (ret)
>   		goto out;
>   	ret = dump_state_nodes(fp, ctx);
> diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
> index 1650821922..cadb339486 100644
> --- a/tools/xenstore/xenstored_core.c
> +++ b/tools/xenstore/xenstored_core.c
> @@ -616,7 +616,8 @@ static void get_acc_data(TDB_DATA *key, struct node_account_data *acc)
>   static unsigned int get_acc_domid(struct connection *conn, TDB_DATA *key,
>   				  unsigned int domid)
>   {
> -	return (!conn || key->dptr[0] == '/') ? domid : conn->id;
> +	return (!conn || key->dptr[0] == '/' || key->dptr[0] == '@')

The comment above says it is sufficient to check for '/'. But now, you 
are also checking for '@'.

> +	       ? domid : conn->id;
>   }
>   
>   int do_tdb_write(struct connection *conn, TDB_DATA *key, TDB_DATA *data,
> @@ -1780,14 +1781,6 @@ static int do_set_perms(const void *ctx, struct connection *conn,
>   	if (perms.p[0].perms & XS_PERM_IGNORE)
>   		return ENOENT;
>   
> -	/* First arg is node name. */
> -	if (strstarts(in->buffer, "@")) {
> -		if (set_perms_special(conn, in->buffer, &perms))
> -			return errno;
> -		send_ack(conn, XS_SET_PERMS);
> -		return 0;
> -	}

So there are a slight change in behavior here. Before, the permission 
would be directly set even if we are in a transaction. Now, this will 
only be set if the transaction has been committed.

I am split on whether this would be considered as an ABI breakage. The 
new behavior seems better, but anyone rely on the (bogus?) previous 
behavior would have a surprise. At minimum, the change should at least 
be pointed out in the commit message.

[...]

>   static int domain_tree_remove_sub(const void *ctx, struct connection *conn,
>   				  struct node *node, void *arg)
>   {
> @@ -297,8 +273,24 @@ static void domain_tree_remove(struct domain *domain)
>   			       "error when looking for orphaned nodes\n");
>   	}
>   
> -	remove_domid_from_perm(&dom_release_perms, domain);
> -	remove_domid_from_perm(&dom_introduce_perms, domain);
> +	walk_node_tree(domain, NULL, "@releaseDomain", &walkfuncs, domain);
> +	walk_node_tree(domain, NULL, "@introduceDomain", &walkfuncs, domain);
> +}
> +
> +static void fire_special_watches(const char *name)
> +{
> +	void *ctx = talloc_new(NULL);
> +	struct node *node;

I can foresee how one may want to abuse for this function. So I would 
add an assert(name[0] == '@') to match clear this should only for 
watches starting with '@'.

> +
> +	if (!ctx)
> +		return;
> +
> +	node = read_node(NULL, ctx, name);
> +
> +	if (node)
> +		fire_watches(NULL, ctx, name, node, true, NULL);

Shouldn't we throw a message if we can't retrieve @...?

Cheers,

-- 
Julien Grall

Re: [PATCH 13/20] tools/xenstore: don't allow creating too many nodes in a transaction

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> The accounting for the number of nodes of a domain in an active
> transaction is not working correctly, as it allows to create arbitrary
> number of nodes. The transaction will finally fail due to exceeding
> the number of nodes quota, but before closing the transaction an
> unprivileged guest could cause Xenstore to use a lot of memory.

I have already made some of comments on the security ML when this was 
initially set. The arguments still don't sound right to me.

For a first, since XSA-326, we have a cap in place for the memory a 
domain can consume. So this surely can't be a "lot of memory". Otherwise 
we are saying that our limit (there are other way to hit it) were wrong...

In addition to that, this is quite pointless to check the number of 
entry a domain currently owned because this can change before the 
transaction is committed by another "external" command. Therefore, this 
would add some randomness in the command which could make more difficult 
to diagnose.

Lastly, there are other very easy way to use memory (just create 
multiple transaction in parallel).

So based on the commit message, the change doesn't help at all to make 
better Xenstored.

Note that I don't particularly mind the code change (even though it adds 
more complexity). I just strongly dislike the current justifications.

At the moment, I can't find a justification that would make the change 
whorthwhile.

Cheers,

-- 
Julien Grall

Re: [PATCH 17/20] tools/xenstore: switch hashtable to use the talloc framework

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> Instead of using malloc() and friends, let the hashtable implementation
> use the talloc framework.

Can you outline why switching to talloc() is better?

Cheers,

-- 
Julien Grall

Re: [PATCH 19/20] tools/xenstore: introduce trace classes

[Julien Grall]

Hi Juergen,

I haven't yet look at the code itself. I wanted to comment on the 
external interfaces.


On 01/11/2022 15:28, Juergen Gross wrote:
> Make the xenstored internal trace configurable by adding classes
> which can be switched on and off independently from each other.
> 
> Define the following classes:
> 
> - obj: Creation and deletion of interesting "objects" (watch,
>    transaction, connection)
> - io: incoming requests and outgoing responses
> - wrl: write limiting
> 
> Per default "obj" and "io" are switched on.
> 
> Entries written via trace() will always be printed (if tracing is on
> at all).
> 
> Rename the misnamed xenstore-control commands "logfile" to "tracefile"
> and "log" to "trace".

While I understand this may be misnamed, this also means that there is 
an ABI breakage between current Xenstored and the future one.

I am not convinced this is justified. Therefore, I think we should at 
minimum keep the compatibility.

> 
> Add the capability to control the trace settings via the "trace"
> command and via a new "--trace-control" command line option.
> 
> Add a missing trace_create() call for creating a transaction.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>
> ---
>   docs/misc/xenstore.txt                 | 18 +++++++----
>   tools/xenstore/xenstored_control.c     | 41 +++++++++++++++++++-----
>   tools/xenstore/xenstored_core.c        | 44 +++++++++++++++++++++++---
>   tools/xenstore/xenstored_core.h        |  6 ++++
>   tools/xenstore/xenstored_domain.c      | 27 ++++++++--------
>   tools/xenstore/xenstored_transaction.c |  1 +
>   6 files changed, 105 insertions(+), 32 deletions(-)
> 
> diff --git a/docs/misc/xenstore.txt b/docs/misc/xenstore.txt
> index 44428ae3a7..9db0385120 100644
> --- a/docs/misc/xenstore.txt
> +++ b/docs/misc/xenstore.txt
> @@ -409,14 +409,8 @@ CONTROL			<command>|[<parameters>|]
>   		error string in case of failure. -s can return "BUSY" in case
>   		of an active transaction, a retry of -s can be done in that
>   		case.
> -	log|on
> -		turn xenstore logging on
> -	log|off
> -		turn xenstore logging off
> -	logfile|<file-name>
> -		log to specified file

Technically xenstore.txt is meant to describe an interface that is 
implementation agnostics. Can you outline in the documentation why 
removing them is fine?

>   	memreport|[<file-name>]
> -		print memory statistics to logfile (no <file-name>
> +		print memory statistics to tracefile (no <file-name>
>   		specified) or to specific file
>   	print|<string>
>   		print <string> to syslog (xenstore runs as daemon) or
> @@ -432,6 +426,16 @@ CONTROL			<command>|[<parameters>|]
>   		the domain <domid>
>   	quota-soft|[set <name> <val>]
>   		like the "quota" command, but for soft-quota.
> +	trace|[+|-<switch>]

The regex here is a bit ambiguous because it technically means either 
"+" or "-<switch>". Furthermore, within this docs, there are case where 
| is included in between [] to indicate the this is terminated by a \0.

So it would be better to define it over 3 lines:

trace
trace|+<switch>
trace|-<switch>

I think it would be fine if there is only one paragraph of explanation 
for the 3.

> +		without parameters: show possible trace switches
> +		+<switch> activates trace entries for <switch>,
> +		-<switch> deactivates trace entries for <switch>
> +	trace|on
> +		turn xenstore tracing on
> +	trace|off
> +		turn xenstore tracing off
> +	tracefile|<file-name>
> +		trace to specified file
>   	help			<supported-commands>
>   		return list of supported commands for CONTROL
>   

Cheers,

-- 
Julien Grall

Re: [PATCH 03/20] tools/xenstore: let talloc_free() preserve errno

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 2047 bytes --]

On 06.11.22 22:08, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> Today talloc_free() is not guaranteed to preserve errno, especially in
>> case a custom destructor is being used.
>>
>> Change that by renaming talloc_free() to _talloc_free() in talloc.c and
>> adding a wrapper to talloc.c.
>>
>> This allows to remove some errno saving outside of talloc.c.
>>
>> Signed-off-by: Juergen Gross <jgross@suse.com>
>> ---
>>   tools/xenstore/talloc.c         | 25 ++++++++++++++++++-------
>>   tools/xenstore/xenstored_core.c |  2 --
>>   2 files changed, 18 insertions(+), 9 deletions(-)
>>
>> diff --git a/tools/xenstore/talloc.c b/tools/xenstore/talloc.c
>> index d7edcf3a93..5fbefdf091 100644
>> --- a/tools/xenstore/talloc.c
>> +++ b/tools/xenstore/talloc.c
>> @@ -103,6 +103,8 @@ struct talloc_chunk {
>>       unsigned flags;
>>   };
>> +static int _talloc_free(void *ptr);
>> +
>>   /* 16 byte alignment seems to keep everyone happy */
>>   #define TC_HDR_SIZE ((sizeof(struct talloc_chunk)+15)&~15)
>>   #define TC_PTR_FROM_CHUNK(tc) ((void *)(TC_HDR_SIZE + (char*)tc))
>> @@ -245,7 +247,7 @@ static int talloc_reference_destructor(void *ptr)
>>           tc1->destructor = NULL;
>>       }
>>       _TLIST_REMOVE(tc2->refs, handle);
>> -    talloc_free(handle);
>> +    _talloc_free(handle);
> 
>  From the commit message, it is not clear to me why we are calling the 
> underscore version here. Same for the others below.

I was targeting only talloc_free() calls from xenstored to preserve errno.

I can see your point that we could just do the same for talloc internal
calls, preserving errno in other cases, too.

OTOH the only relevant case would be the call from talloc_unlink() via
talloc_unreference(), which is at least currently no problem regarding
errno.

Do you have any preferences? I'm leaning towards dropping the wrapper
and do the errno preserving just inside talloc_free().


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 06/20] tools/xenstore: remove all watches when a domain has stopped

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 770 bytes --]

On 06.11.22 22:18, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> When a domain has been recognized to have stopped, remove all its
>> registered watches. This avoids sending watch events to the dead domain
>> when all the nodes related to it are being removed by the Xen tools.
> 
>  From my understanding, shutdown doesn't mean dead. It may be used during 
> migration (or snapshotting), where we don't want to touch the state in case of a 
> cancellation (or resume).
> 
> For instance, see the command XS_RESUME which will clear domain->shutdown.

Oh, good catch!

I need to additionally check the "shutdown reason". I can remove the
watches only in case of the reason not having been "suspend".


Juergen


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 09/20] tools/xenstore: introduce dummy nodes for special watch paths

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 5898 bytes --]

On 06.11.22 22:38, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> Instead of special casing the permission handling and watch event
>> firing for the special watch paths "@introduceDomain" and
>> "@releaseDomain", use static dummy nodes added to the data base when
>> starting Xenstore.
> 
> A few questions I think needs to be answered in the commit message:

Okay. Will add.

>    - Does this means we could write data in "@..."  node?
>    - How about creating sub nodes?

Normal Xenstore operations won't succeed due to path name checks.

But I just realized that at some time a chunk of the patch must have been
lost, as I originally had special checks for set/get permissions in place.
Those are no longer there and need to be re-added.

>    - What does it mean for the accounting? Before, it was accounted to no-one 
> but now it seems to be accounted to the owner (which may not be dom0).

Yes. And this is how it should be.

>> This allows to simplify quite some code.
> 
> The diff is quite nice to have, but I am not entirely convinced this is making 
> the code easier to understand.
> 
> Is this patch helping you for another goal?

It will allow to add more fine grained permissions when adding the support
for reporting the domid in special events (e.g. allowing a stubdom to watch
the @release event of its target domain).

> 
>>
>> Note that this requires to rework the calls of fire_watches() for the
>> special events in order to avoid leaking memory.
>>
>> Signed-off-by: Juergen Gross <jgross@suse.com>
>> ---
>>   tools/xenstore/xenstored_control.c |   3 -
>>   tools/xenstore/xenstored_core.c    |  67 +++++++-----
>>   tools/xenstore/xenstored_domain.c  | 162 ++++-------------------------
>>   tools/xenstore/xenstored_domain.h  |   6 --
>>   tools/xenstore/xenstored_watch.c   |  17 +--
>>   5 files changed, 63 insertions(+), 192 deletions(-)
>>
>> diff --git a/tools/xenstore/xenstored_control.c 
>> b/tools/xenstore/xenstored_control.c
>> index d1aaa00bf4..41e6992591 100644
>> --- a/tools/xenstore/xenstored_control.c
>> +++ b/tools/xenstore/xenstored_control.c
>> @@ -676,9 +676,6 @@ static const char *lu_dump_state(const void *ctx, struct 
>> connection *conn)
>>       if (ret)
>>           goto out;
>>       ret = dump_state_connections(fp);
>> -    if (ret)
>> -        goto out;
>> -    ret = dump_state_special_nodes(fp);
>>       if (ret)
>>           goto out;
>>       ret = dump_state_nodes(fp, ctx);
>> diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
>> index 1650821922..cadb339486 100644
>> --- a/tools/xenstore/xenstored_core.c
>> +++ b/tools/xenstore/xenstored_core.c
>> @@ -616,7 +616,8 @@ static void get_acc_data(TDB_DATA *key, struct 
>> node_account_data *acc)
>>   static unsigned int get_acc_domid(struct connection *conn, TDB_DATA *key,
>>                     unsigned int domid)
>>   {
>> -    return (!conn || key->dptr[0] == '/') ? domid : conn->id;
>> +    return (!conn || key->dptr[0] == '/' || key->dptr[0] == '@')
> 
> The comment above says it is sufficient to check for '/'. But now, you are also 
> checking for '@'.

Will fix the comment.

> 
>> +           ? domid : conn->id;
>>   }
>>   int do_tdb_write(struct connection *conn, TDB_DATA *key, TDB_DATA *data,
>> @@ -1780,14 +1781,6 @@ static int do_set_perms(const void *ctx, struct 
>> connection *conn,
>>       if (perms.p[0].perms & XS_PERM_IGNORE)
>>           return ENOENT;
>> -    /* First arg is node name. */
>> -    if (strstarts(in->buffer, "@")) {
>> -        if (set_perms_special(conn, in->buffer, &perms))
>> -            return errno;
>> -        send_ack(conn, XS_SET_PERMS);
>> -        return 0;
>> -    }
> 
> So there are a slight change in behavior here. Before, the permission would be 
> directly set even if we are in a transaction. Now, this will only be set if the 
> transaction has been committed.
> 
> I am split on whether this would be considered as an ABI breakage. The new 
> behavior seems better, but anyone rely on the (bogus?) previous behavior would 
> have a surprise. At minimum, the change should at least be pointed out in the 
> commit message.

I don't think this will be a real problem, as the old behavior was more like
a bug. I'll spell it out in the commit message.

> 
> [...]
> 
>>   static int domain_tree_remove_sub(const void *ctx, struct connection *conn,
>>                     struct node *node, void *arg)
>>   {
>> @@ -297,8 +273,24 @@ static void domain_tree_remove(struct domain *domain)
>>                      "error when looking for orphaned nodes\n");
>>       }
>> -    remove_domid_from_perm(&dom_release_perms, domain);
>> -    remove_domid_from_perm(&dom_introduce_perms, domain);
>> +    walk_node_tree(domain, NULL, "@releaseDomain", &walkfuncs, domain);
>> +    walk_node_tree(domain, NULL, "@introduceDomain", &walkfuncs, domain);
>> +}
>> +
>> +static void fire_special_watches(const char *name)
>> +{
>> +    void *ctx = talloc_new(NULL);
>> +    struct node *node;
> 
> I can foresee how one may want to abuse for this function. So I would add an 
> assert(name[0] == '@') to match clear this should only for watches starting with 
> '@'.

Okay.

> 
>> +
>> +    if (!ctx)
>> +        return;
>> +
>> +    node = read_node(NULL, ctx, name);
>> +
>> +    if (node)
>> +        fire_watches(NULL, ctx, name, node, true, NULL);
> 
> Shouldn't we throw a message if we can't retrieve @...?


Yes, I can add that.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 13/20] tools/xenstore: don't allow creating too many nodes in a transaction

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 2039 bytes --]

On 06.11.22 23:00, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> The accounting for the number of nodes of a domain in an active
>> transaction is not working correctly, as it allows to create arbitrary
>> number of nodes. The transaction will finally fail due to exceeding
>> the number of nodes quota, but before closing the transaction an
>> unprivileged guest could cause Xenstore to use a lot of memory.
> 
> I have already made some of comments on the security ML when this was initially 
> set. The arguments still don't sound right to me.
> 
> For a first, since XSA-326, we have a cap in place for the memory a domain can 
> consume. So this surely can't be a "lot of memory". Otherwise we are saying that 
> our limit (there are other way to hit it) were wrong...

Yeah, maybe I should rework the commit message.

The reason I still want to keep the patch is that in a transaction without any
conflicts and without hitting any transaction specific limits (number of nodes
accessed), the errors returned due to a single operation should be the same as
with the same operation performed outside a transaction.

> In addition to that, this is quite pointless to check the number of entry a 
> domain currently owned because this can change before the transaction is 
> committed by another "external" command. Therefore, this would add some 
> randomness in the command which could make more difficult to diagnose.

In the scope of the transaction the tests are correct.

> Lastly, there are other very easy way to use memory (just create multiple 
> transaction in parallel).
> 
> So based on the commit message, the change doesn't help at all to make better 
> Xenstored.
> 
> Note that I don't particularly mind the code change (even though it adds more 
> complexity). I just strongly dislike the current justifications.
> 
> At the moment, I can't find a justification that would make the change whorthwhile.

See above reasoning.


Juergen


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 17/20] tools/xenstore: switch hashtable to use the talloc framework

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 413 bytes --]

On 06.11.22 23:02, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> Instead of using malloc() and friends, let the hashtable implementation
>> use the talloc framework.
> 
> Can you outline why switching to talloc() is better?

It is more consistent within xenstored, and it allows to track memory
usage easier (see "xenstore-control memreport" output).


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 19/20] tools/xenstore: introduce trace classes

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 3884 bytes --]

On 06.11.22 23:18, Julien Grall wrote:
> Hi Juergen,
> 
> I haven't yet look at the code itself. I wanted to comment on the external 
> interfaces.
> 
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> Make the xenstored internal trace configurable by adding classes
>> which can be switched on and off independently from each other.
>>
>> Define the following classes:
>>
>> - obj: Creation and deletion of interesting "objects" (watch,
>>    transaction, connection)
>> - io: incoming requests and outgoing responses
>> - wrl: write limiting
>>
>> Per default "obj" and "io" are switched on.
>>
>> Entries written via trace() will always be printed (if tracing is on
>> at all).
>>
>> Rename the misnamed xenstore-control commands "logfile" to "tracefile"
>> and "log" to "trace".
> 
> While I understand this may be misnamed, this also means that there is an ABI 
> breakage between current Xenstored and the future one.
> 
> I am not convinced this is justified. Therefore, I think we should at minimum 
> keep the compatibility.

Hmm, I can see your point. Given that this might be one of the most
common used xenstore-control commands I'm not opposed to keep the current
names.

> 
>>
>> Add the capability to control the trace settings via the "trace"
>> command and via a new "--trace-control" command line option.
>>
>> Add a missing trace_create() call for creating a transaction.
>>
>> Signed-off-by: Juergen Gross <jgross@suse.com>
>> ---
>>   docs/misc/xenstore.txt                 | 18 +++++++----
>>   tools/xenstore/xenstored_control.c     | 41 +++++++++++++++++++-----
>>   tools/xenstore/xenstored_core.c        | 44 +++++++++++++++++++++++---
>>   tools/xenstore/xenstored_core.h        |  6 ++++
>>   tools/xenstore/xenstored_domain.c      | 27 ++++++++--------
>>   tools/xenstore/xenstored_transaction.c |  1 +
>>   6 files changed, 105 insertions(+), 32 deletions(-)
>>
>> diff --git a/docs/misc/xenstore.txt b/docs/misc/xenstore.txt
>> index 44428ae3a7..9db0385120 100644
>> --- a/docs/misc/xenstore.txt
>> +++ b/docs/misc/xenstore.txt
>> @@ -409,14 +409,8 @@ CONTROL            <command>|[<parameters>|]
>>           error string in case of failure. -s can return "BUSY" in case
>>           of an active transaction, a retry of -s can be done in that
>>           case.
>> -    log|on
>> -        turn xenstore logging on
>> -    log|off
>> -        turn xenstore logging off
>> -    logfile|<file-name>
>> -        log to specified file
> 
> Technically xenstore.txt is meant to describe an interface that is 
> implementation agnostics. Can you outline in the documentation why removing them 
> is fine?
> 
>>       memreport|[<file-name>]
>> -        print memory statistics to logfile (no <file-name>
>> +        print memory statistics to tracefile (no <file-name>
>>           specified) or to specific file
>>       print|<string>
>>           print <string> to syslog (xenstore runs as daemon) or
>> @@ -432,6 +426,16 @@ CONTROL            <command>|[<parameters>|]
>>           the domain <domid>
>>       quota-soft|[set <name> <val>]
>>           like the "quota" command, but for soft-quota.
>> +    trace|[+|-<switch>]
> 
> The regex here is a bit ambiguous because it technically means either "+" or 
> "-<switch>". Furthermore, within this docs, there are case where | is included 
> in between [] to indicate the this is terminated by a \0.
> 
> So it would be better to define it over 3 lines:
> 
> trace
> trace|+<switch>
> trace|-<switch>
> 
> I think it would be fine if there is only one paragraph of explanation for the 3.

Okay.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 06/20] tools/xenstore: remove all watches when a domain has stopped

[Julien Grall]

On 07/11/2022 07:54, Juergen Gross wrote:
> On 06.11.22 22:18, Julien Grall wrote:
>> Hi Juergen,
>>
>> On 01/11/2022 15:28, Juergen Gross wrote:
>>> When a domain has been recognized to have stopped, remove all its
>>> registered watches. This avoids sending watch events to the dead domain
>>> when all the nodes related to it are being removed by the Xen tools.
>>
>>  From my understanding, shutdown doesn't mean dead. It may be used 
>> during migration (or snapshotting), where we don't want to touch the 
>> state in case of a cancellation (or resume).
>>
>> For instance, see the command XS_RESUME which will clear 
>> domain->shutdown.
> 
> Oh, good catch!
> 
> I need to additionally check the "shutdown reason". I can remove the
> watches only in case of the reason not having been "suspend".

This is quite fragile because we may add new shutdown code in the future 
that could resume.

I think it would be better to only delete the watches if the domain is 
effectively dying (I don't think it can come back from that state)

Cheers,

-- 
Julien Grall

Re: [PATCH 13/20] tools/xenstore: don't allow creating too many nodes in a transaction

[Julien Grall]

On 07/11/2022 08:34, Juergen Gross wrote:
> On 06.11.22 23:00, Julien Grall wrote:
>> Hi Juergen,
>>
>> On 01/11/2022 15:28, Juergen Gross wrote:
>>> The accounting for the number of nodes of a domain in an active
>>> transaction is not working correctly, as it allows to create arbitrary
>>> number of nodes. The transaction will finally fail due to exceeding
>>> the number of nodes quota, but before closing the transaction an
>>> unprivileged guest could cause Xenstore to use a lot of memory.
>>
>> I have already made some of comments on the security ML when this was 
>> initially set. The arguments still don't sound right to me.
>>
>> For a first, since XSA-326, we have a cap in place for the memory a 
>> domain can consume. So this surely can't be a "lot of memory". 
>> Otherwise we are saying that our limit (there are other way to hit it) 
>> were wrong...
> 
> Yeah, maybe I should rework the commit message.
> 
> The reason I still want to keep the patch is that in a transaction 
> without any
> conflicts and without hitting any transaction specific limits (number of 
> nodes
> accessed), the errors returned due to a single operation should be the 
> same as
> with the same operation performed outside a transaction.

This seems to be a very niche use case. So it is not clear to me why 
this matter and we want to add extra check for everyone.

Cheers,

-- 
Julien Grall

Re: [PATCH 06/20] tools/xenstore: remove all watches when a domain has stopped

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 1268 bytes --]

On 07.11.22 19:33, Julien Grall wrote:
> 
> 
> On 07/11/2022 07:54, Juergen Gross wrote:
>> On 06.11.22 22:18, Julien Grall wrote:
>>> Hi Juergen,
>>>
>>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>> When a domain has been recognized to have stopped, remove all its
>>>> registered watches. This avoids sending watch events to the dead domain
>>>> when all the nodes related to it are being removed by the Xen tools.
>>>
>>>  From my understanding, shutdown doesn't mean dead. It may be used during 
>>> migration (or snapshotting), where we don't want to touch the state in case 
>>> of a cancellation (or resume).
>>>
>>> For instance, see the command XS_RESUME which will clear domain->shutdown.
>>
>> Oh, good catch!
>>
>> I need to additionally check the "shutdown reason". I can remove the
>> watches only in case of the reason not having been "suspend".
> 
> This is quite fragile because we may add new shutdown code in the future that 
> could resume.
> 
> I think it would be better to only delete the watches if the domain is 
> effectively dying (I don't think it can come back from that state)

This is how it is done today.

The domain's Xenstore entries are removed before the domain is being
destroyed.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 13/20] tools/xenstore: don't allow creating too many nodes in a transaction

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 1696 bytes --]

On 07.11.22 19:37, Julien Grall wrote:
> 
> 
> On 07/11/2022 08:34, Juergen Gross wrote:
>> On 06.11.22 23:00, Julien Grall wrote:
>>> Hi Juergen,
>>>
>>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>> The accounting for the number of nodes of a domain in an active
>>>> transaction is not working correctly, as it allows to create arbitrary
>>>> number of nodes. The transaction will finally fail due to exceeding
>>>> the number of nodes quota, but before closing the transaction an
>>>> unprivileged guest could cause Xenstore to use a lot of memory.
>>>
>>> I have already made some of comments on the security ML when this was 
>>> initially set. The arguments still don't sound right to me.
>>>
>>> For a first, since XSA-326, we have a cap in place for the memory a domain 
>>> can consume. So this surely can't be a "lot of memory". Otherwise we are 
>>> saying that our limit (there are other way to hit it) were wrong...
>>
>> Yeah, maybe I should rework the commit message.
>>
>> The reason I still want to keep the patch is that in a transaction without any
>> conflicts and without hitting any transaction specific limits (number of nodes
>> accessed), the errors returned due to a single operation should be the same as
>> with the same operation performed outside a transaction.
> 
> This seems to be a very niche use case. So it is not clear to me why this matter 
> and we want to add extra check for everyone.

It is a matter of correctness.

Additionally, after the internal accounting rework this makes even more
sense, as the maximum values per domain seen are really correct, even when
queried while transactions are active.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 06/20] tools/xenstore: remove all watches when a domain has stopped

[Julien Grall]

Hi Juergen,

On 08/11/2022 07:54, Juergen Gross wrote:
> On 07.11.22 19:33, Julien Grall wrote:
>>
>>
>> On 07/11/2022 07:54, Juergen Gross wrote:
>>> On 06.11.22 22:18, Julien Grall wrote:
>>>> Hi Juergen,
>>>>
>>>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>>> When a domain has been recognized to have stopped, remove all its
>>>>> registered watches. This avoids sending watch events to the dead 
>>>>> domain
>>>>> when all the nodes related to it are being removed by the Xen tools.
>>>>
>>>>  From my understanding, shutdown doesn't mean dead. It may be used 
>>>> during migration (or snapshotting), where we don't want to touch the 
>>>> state in case of a cancellation (or resume).
>>>>
>>>> For instance, see the command XS_RESUME which will clear 
>>>> domain->shutdown.
>>>
>>> Oh, good catch!
>>>
>>> I need to additionally check the "shutdown reason". I can remove the
>>> watches only in case of the reason not having been "suspend".
>>
>> This is quite fragile because we may add new shutdown code in the 
>> future that could resume.
>>
>> I think it would be better to only delete the watches if the domain is 
>> effectively dying (I don't think it can come back from that state)
> 
> This is how it is done today.

Not really. dominfo.dying is only set if the domain is dead (i.e. 
DOMDYING_dead). This is happening *after* everything has been 
relinquished. So this is quite late compare to what you seem to want.

> 
> The domain's Xenstore entries are removed before the domain is being
> destroyed.
Do you mean before domain_kill() is called? If so, maybe we should call 
domain_kill() before hand.

The other alternative, would be to notify the Xenstored that domain is 
never going to come back.

Cheers,

-- 
Julien Grall

Re: [PATCH 06/20] tools/xenstore: remove all watches when a domain has stopped

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 2332 bytes --]

On 09.11.22 11:46, Julien Grall wrote:
> Hi Juergen,
> 
> On 08/11/2022 07:54, Juergen Gross wrote:
>> On 07.11.22 19:33, Julien Grall wrote:
>>>
>>>
>>> On 07/11/2022 07:54, Juergen Gross wrote:
>>>> On 06.11.22 22:18, Julien Grall wrote:
>>>>> Hi Juergen,
>>>>>
>>>>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>>>> When a domain has been recognized to have stopped, remove all its
>>>>>> registered watches. This avoids sending watch events to the dead domain
>>>>>> when all the nodes related to it are being removed by the Xen tools.
>>>>>
>>>>>  From my understanding, shutdown doesn't mean dead. It may be used during 
>>>>> migration (or snapshotting), where we don't want to touch the state in case 
>>>>> of a cancellation (or resume).
>>>>>
>>>>> For instance, see the command XS_RESUME which will clear domain->shutdown.
>>>>
>>>> Oh, good catch!
>>>>
>>>> I need to additionally check the "shutdown reason". I can remove the
>>>> watches only in case of the reason not having been "suspend".
>>>
>>> This is quite fragile because we may add new shutdown code in the future that 
>>> could resume.
>>>
>>> I think it would be better to only delete the watches if the domain is 
>>> effectively dying (I don't think it can come back from that state)
>>
>> This is how it is done today.
> 
> Not really. dominfo.dying is only set if the domain is dead (i.e. 
> DOMDYING_dead). This is happening *after* everything has been relinquished. So 
> this is quite late compare to what you seem to want.

I meant that the watches are removed today when the domain has been
detected to by dying (so when removing the struct domain in xenstored).

>> The domain's Xenstore entries are removed before the domain is being
>> destroyed.
> Do you mean before domain_kill() is called? If so, maybe we should call 
> domain_kill() before hand.

This would probably introduce a race: the domid would no longer be reserved
in the hypervisor, so a new domain with the same domid could show up and
removal of the old domain data and introduction of the new domain data could
interfere.

> The other alternative, would be to notify the Xenstored that domain is never 
> going to come back.

Yes, this should really work.

xs_release_domain() should probably do the job.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 13/20] tools/xenstore: don't allow creating too many nodes in a transaction

[Julien Grall]

Hi Juergen,

On 08/11/2022 08:09, Juergen Gross wrote:
> On 07.11.22 19:37, Julien Grall wrote:
>> On 07/11/2022 08:34, Juergen Gross wrote:
>>> On 06.11.22 23:00, Julien Grall wrote:
>>>> Hi Juergen,
>>>>
>>>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>>> The accounting for the number of nodes of a domain in an active
>>>>> transaction is not working correctly, as it allows to create arbitrary
>>>>> number of nodes. The transaction will finally fail due to exceeding
>>>>> the number of nodes quota, but before closing the transaction an
>>>>> unprivileged guest could cause Xenstore to use a lot of memory.
>>>>
>>>> I have already made some of comments on the security ML when this 
>>>> was initially set. The arguments still don't sound right to me.
>>>>
>>>> For a first, since XSA-326, we have a cap in place for the memory a 
>>>> domain can consume. So this surely can't be a "lot of memory". 
>>>> Otherwise we are saying that our limit (there are other way to hit 
>>>> it) were wrong...
>>>
>>> Yeah, maybe I should rework the commit message.
>>>
>>> The reason I still want to keep the patch is that in a transaction 
>>> without any
>>> conflicts and without hitting any transaction specific limits (number 
>>> of nodes
>>> accessed), the errors returned due to a single operation should be 
>>> the same as
>>> with the same operation performed outside a transaction.
>>
>> This seems to be a very niche use case. So it is not clear to me why 
>> this matter and we want to add extra check for everyone.
> 
> It is a matter of correctness.

I think this is a matter of perspective. Transactions are inherently 
racy and I see no point of try to solve issues in the idealistic case 
(i.e. no conflict). The reasoning below...

> 
> Additionally, after the internal accounting rework this makes even more
> sense, as the maximum values per domain seen are really correct, even when
> queried while transactions are active.
... might be a better justification. But I will need to review the other 
patch in order to forge a more positive opinion. Can you point me to the 
patch?

Cheers,

-- 
Julien Grall

Re: [PATCH 07/20] tools/xenstore: enhance hashtable implementation

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> Today it is possible to set a flag when calling hashtable_destroy() in
> order to specify whether the data associated with the hashtable entries
> should be freed or not. The keys of the entries will always be freed.
> 
> Change that by replacing the flag of hashtable_destroy() by two flags
> for create_hashtable() which will specify whether the data and/or the
> key of each entry should be freed or not.
> 
> This will enable users to have the key e.g. as part of the data.
> 
> Add a new function hashtable_iterate() to call a user specified
> function for each entry in the hashtable.
> 
> Add new primes to the primetable in order to support smaller sizes of
> the hashtable. The primes are selected according to:
> 
> https://planetmath.org/goodhashtableprimes
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>
> ---
>   tools/xenstore/hashtable.c      | 66 +++++++++++++++++++++++----------
>   tools/xenstore/hashtable.h      | 35 +++++++++++++++--
>   tools/xenstore/xenstored_core.c |  7 ++--
>   3 files changed, 82 insertions(+), 26 deletions(-)
> 
> diff --git a/tools/xenstore/hashtable.c b/tools/xenstore/hashtable.c
> index 6ac336eff1..7a1548c490 100644
> --- a/tools/xenstore/hashtable.c
> +++ b/tools/xenstore/hashtable.c
> @@ -16,6 +16,7 @@ struct entry
>   
>   struct hashtable {
>       unsigned int tablelength;
> +    unsigned int flags;
>       struct entry **table;
>       unsigned int entrycount;
>       unsigned int loadlimit;
> @@ -25,12 +26,11 @@ struct hashtable {
>   };
>   
>   /*
> -Credit for primes table: Aaron Krowne
> - http://br.endernet.org/~akrowne/
> - http://planetmath.org/encyclopedia/GoodHashTablePrimes.html
> -*/
> + * Credit for primes table: Aaron Krowne
> + * https://planetmath.org/goodhashtableprimes
> + */

You don't seem to explain in the commit message why the URLs have been 
modified. Other than that:

Reviewed-by: Julien Grall <jgrall@amazon.com>

Cheers,

-- 
Julien Grall

Re: [PATCH 08/20] tools/xenstore: add hashlist for finding struct domain by domid

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> @@ -341,49 +339,56 @@ static bool get_domain_info(unsigned int domid, xc_dominfo_t *dominfo)
>   	       dominfo->domid == domid;
>   }
>   
> -void check_domains(void)
> +static int check_domain(void *k, void *v, void *arg)

Looking at this callback, shouldn't 'k' be const? If not, wouldn't this 
mean a caller could potentially mess up with the hashtable?

>   {
>   	xc_dominfo_t dominfo;
> -	struct domain *domain;
>   	struct connection *conn;
> -	int notify = 0;
>   	bool dom_valid;
> +	struct domain *domain = v;
> +	bool *notify = arg;
>   
> - again:
> -	list_for_each_entry(domain, &domains, list) {
> -		dom_valid = get_domain_info(domain->domid, &dominfo);
> -		if (!domain->introduced) {
> -			if (!dom_valid) {
> -				talloc_free(domain);
> -				goto again;
> -			}
> -			continue;
> -		}
> -		if (dom_valid) {
> -			if ((dominfo.crashed || dominfo.shutdown)
> -			    && !domain->shutdown) {
> -				domain->shutdown = true;
> -				notify = 1;
> -				/*
> -				 * Avoid triggering watch events when the
> -				 * domain's nodes are being deleted.
> -				 */
> -				if (domain->conn)
> -					conn_delete_all_watches(domain->conn);
> -			}
> -			if (!dominfo.dying)
> -				continue;
> +	dom_valid = get_domain_info(domain->domid, &dominfo);
> +	if (!domain->introduced) {
> +		if (!dom_valid) {
> +			talloc_free(domain);
> +			return 1;

You are only freeing one domain here. So shouldn't we return 0? If not 
please explain in a comment.

>   		}
> -		if (domain->conn) {
> -			/* domain is a talloc child of domain->conn. */
> -			conn = domain->conn;
> -			domain->conn = NULL;
> -			talloc_unlink(talloc_autofree_context(), conn);
> -			notify = 0; /* destroy_domain() fires the watch */
> -			goto again;
> +		return 0;
> +	}
> +	if (dom_valid) {
> +		if ((dominfo.crashed || dominfo.shutdown)
> +		    && !domain->shutdown) {
> +			domain->shutdown = true;
> +			*notify = true;
> +			/*
> +			 * Avoid triggering watch events when the domain's
> +			 * nodes are being deleted.
> +			 */
> +			if (domain->conn)
> +				conn_delete_all_watches(domain->conn);
>   		}
> +		if (!dominfo.dying)
> +			return 0;
> +	}
> +	if (domain->conn) {
> +		/* domain is a talloc child of domain->conn. */
> +		conn = domain->conn;
> +		domain->conn = NULL;
> +		talloc_unlink(talloc_autofree_context(), conn);
> +		*notify = false; /* destroy_domain() fires the watch */
> +		return 1;

Can you add a comment explaining why 1 is returned here? Is this because 
we may free two domains?

>   	}
>   
> +	return 0;
> +}

Cheers,

-- 
Julien Grall

Re: [PATCH 10/20] tools/xenstore: replace watch->relative_path with a prefix length

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> @@ -324,8 +312,7 @@ const char *dump_state_watches(FILE *fp, struct connection *conn,
>   		head.length = sizeof(sw);
>   
>   		sw.conn_id = conn_id;
> -		path = get_watch_path(watch, watch->node);
> -		sw.path_length = strlen(path) + 1;
> +		sw.path_length = strlen(watch->node + watch->prefix_len) + 1;

Why are you open-coding get_watch_path()?

>   		sw.token_length = strlen(watch->token) + 1;
>   		head.length += sw.path_length + sw.token_length;
>   		head.length = ROUNDUP(head.length, 3);
> @@ -334,7 +321,8 @@ const char *dump_state_watches(FILE *fp, struct connection *conn,
>   		if (fwrite(&sw, sizeof(sw), 1, fp) != 1)
>   			return "Dump watch state error";
>   
> -		if (fwrite(path, sw.path_length, 1, fp) != 1)
> +		if (fwrite(watch->node + watch->prefix_len, sw.path_length,
> +			   1, fp) != 1)
>   			return "Dump watch path error";
>   		if (fwrite(watch->token, sw.token_length, 1, fp) != 1)
>   			return "Dump watch token error";

Cheers,

-- 
Julien Grall

Re: [PATCH 11/20] tools/xenstore: move changed domain handling

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
>   static bool check_indexes(XENSTORE_RING_IDX cons, XENSTORE_RING_IDX prod)
> @@ -492,8 +504,12 @@ static struct domain *find_or_alloc_existing_domain(unsigned int domid)
>   	xc_dominfo_t dominfo;
>   
>   	domain = find_domain_struct(domid);
> -	if (!domain && get_domain_info(domid, &dominfo))
> -		domain = alloc_domain(NULL, domid);
> +	if (!domain) {
> +		if (!get_domain_info(domid, &dominfo))
> +			errno = ENOENT;
> +		else
> +			domain = alloc_domain(NULL, domid);
> +	}

I don't understand how this change is related to this commit.

[...]

> +int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int val,
> +			unsigned int domid)
> +{
> +	struct changed_domain *cd;
> +
> +	cd = acc_get_changed_domain(ctx, head, domid);
> +	if (!cd)
> +		return errno;
> +
> +	cd->nbentry += val;

As a future improvement, it would be worth considering to check for 
underflow/overflow.

Cheers,

-- 
Julien Grall

Re: [PATCH 14/20] tools/xenstore: replace literal domid 0 with dom0_domid

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> There are some places left where dom0 is associated with domid 0.
> 
> Use dom0_domid instead.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>

Reviewed-by: Julien Grall <jgrall@amazon.com>

Cheers,

-- 
Julien Grall

Re: [PATCH 15/20] tools/xenstore: make domain_is_unprivileged() an inline function

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> clang is complaining about a NULL dereference for constructs like:
> 
>    domain_is_unprivileged(conn) ? conn->in : NULL

I have just build xenstored with clang 11 and didn't get a complain. So 
can you provide more details?

Cheers,

-- 
Julien Grall

Re: [PATCH 16/20] tools/xenstore: let chk_domain_generation() return a bool

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> Instead of returning 0 or 1 let chk_domain_generation() return a
> boolean value.
> 
> Simplify the only caller by removing the ret variable.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>

Reviewed-by: Julien Grall <jgrall@amazon.com>

Cheers,

-- 
Julien Grall

Re: [PATCH 18/20] tools/xenstore: make log macro globally available

[Julien Grall]

Hi Juergen,

On 01/11/2022 15:28, Juergen Gross wrote:
> Move the definition of the log() macro to xenstored_core.h in order
> to make it usable from other source files, too.
> 
> While at it preserve errno from being modified.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>

Reviewed-by: Julien Grall <jgrall@amazon.com>

Cheers,

-- 
Julien Grall

Re: [PATCH 08/20] tools/xenstore: add hashlist for finding struct domain by domid

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 4314 bytes --]

On 01.12.22 22:34, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> @@ -341,49 +339,56 @@ static bool get_domain_info(unsigned int domid, 
>> xc_dominfo_t *dominfo)
>>              dominfo->domid == domid;
>>   }
>> -void check_domains(void)
>> +static int check_domain(void *k, void *v, void *arg)
> 
> Looking at this callback, shouldn't 'k' be const? If not, wouldn't this mean a 
> caller could potentially mess up with the hashtable?

I have modified the previous patch to make k const. I hope you are
fine with me having kept your "Reviewed-by:".

> 
>>   {
>>       xc_dominfo_t dominfo;
>> -    struct domain *domain;
>>       struct connection *conn;
>> -    int notify = 0;
>>       bool dom_valid;
>> +    struct domain *domain = v;
>> +    bool *notify = arg;
>> - again:
>> -    list_for_each_entry(domain, &domains, list) {
>> -        dom_valid = get_domain_info(domain->domid, &dominfo);
>> -        if (!domain->introduced) {
>> -            if (!dom_valid) {
>> -                talloc_free(domain);
>> -                goto again;
>> -            }
>> -            continue;
>> -        }
>> -        if (dom_valid) {
>> -            if ((dominfo.crashed || dominfo.shutdown)
>> -                && !domain->shutdown) {
>> -                domain->shutdown = true;
>> -                notify = 1;
>> -                /*
>> -                 * Avoid triggering watch events when the
>> -                 * domain's nodes are being deleted.
>> -                 */
>> -                if (domain->conn)
>> -                    conn_delete_all_watches(domain->conn);
>> -            }
>> -            if (!dominfo.dying)
>> -                continue;
>> +    dom_valid = get_domain_info(domain->domid, &dominfo);
>> +    if (!domain->introduced) {
>> +        if (!dom_valid) {
>> +            talloc_free(domain);
>> +            return 1;
> 
> You are only freeing one domain here. So shouldn't we return 0? If not please 
> explain in a comment.

Oh, good catch. That was a leftover from a previous state where even
removing the entry itself wasn't allowed.

> 
>>           }
>> -        if (domain->conn) {
>> -            /* domain is a talloc child of domain->conn. */
>> -            conn = domain->conn;
>> -            domain->conn = NULL;
>> -            talloc_unlink(talloc_autofree_context(), conn);
>> -            notify = 0; /* destroy_domain() fires the watch */
>> -            goto again;
>> +        return 0;
>> +    }
>> +    if (dom_valid) {
>> +        if ((dominfo.crashed || dominfo.shutdown)
>> +            && !domain->shutdown) {
>> +            domain->shutdown = true;
>> +            *notify = true;
>> +            /*
>> +             * Avoid triggering watch events when the domain's
>> +             * nodes are being deleted.
>> +             */
>> +            if (domain->conn)
>> +                conn_delete_all_watches(domain->conn);
>>           }
>> +        if (!dominfo.dying)
>> +            return 0;
>> +    }
>> +    if (domain->conn) {
>> +        /* domain is a talloc child of domain->conn. */
>> +        conn = domain->conn;
>> +        domain->conn = NULL;
>> +        talloc_unlink(talloc_autofree_context(), conn);
>> +        *notify = false; /* destroy_domain() fires the watch */
>> +        return 1;
> 
> Can you add a comment explaining why 1 is returned here? Is this because we may 
> free two domains?

Should be the same case as above.

In the initial version I just mapped the removed "goto again" to a restart of
hashtable_iterate().


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 08/20] tools/xenstore: add hashlist for finding struct domain by domid

[Julien Grall]

Hi Juergen,

On 12/12/2022 12:08, Juergen Gross wrote:
> On 01.12.22 22:34, Julien Grall wrote:
>> Hi Juergen,
>>
>> On 01/11/2022 15:28, Juergen Gross wrote:
>>> @@ -341,49 +339,56 @@ static bool get_domain_info(unsigned int domid, 
>>> xc_dominfo_t *dominfo)
>>>              dominfo->domid == domid;
>>>   }
>>> -void check_domains(void)
>>> +static int check_domain(void *k, void *v, void *arg)
>>
>> Looking at this callback, shouldn't 'k' be const? If not, wouldn't 
>> this mean a caller could potentially mess up with the hashtable?
> 
> I have modified the previous patch to make k const. I hope you are
> fine with me having kept your "Reviewed-by:".

Yes I am fine with that.

Cheers,

-- 
Julien Grall

Re: [PATCH 08/20] tools/xenstore: add hashlist for finding struct domain by domid

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 4068 bytes --]

On 01.12.22 22:34, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> @@ -341,49 +339,56 @@ static bool get_domain_info(unsigned int domid, 
>> xc_dominfo_t *dominfo)
>>              dominfo->domid == domid;
>>   }
>> -void check_domains(void)
>> +static int check_domain(void *k, void *v, void *arg)
> 
> Looking at this callback, shouldn't 'k' be const? If not, wouldn't this mean a 
> caller could potentially mess up with the hashtable?
> 
>>   {
>>       xc_dominfo_t dominfo;
>> -    struct domain *domain;
>>       struct connection *conn;
>> -    int notify = 0;
>>       bool dom_valid;
>> +    struct domain *domain = v;
>> +    bool *notify = arg;
>> - again:
>> -    list_for_each_entry(domain, &domains, list) {
>> -        dom_valid = get_domain_info(domain->domid, &dominfo);
>> -        if (!domain->introduced) {
>> -            if (!dom_valid) {
>> -                talloc_free(domain);
>> -                goto again;
>> -            }
>> -            continue;
>> -        }
>> -        if (dom_valid) {
>> -            if ((dominfo.crashed || dominfo.shutdown)
>> -                && !domain->shutdown) {
>> -                domain->shutdown = true;
>> -                notify = 1;
>> -                /*
>> -                 * Avoid triggering watch events when the
>> -                 * domain's nodes are being deleted.
>> -                 */
>> -                if (domain->conn)
>> -                    conn_delete_all_watches(domain->conn);
>> -            }
>> -            if (!dominfo.dying)
>> -                continue;
>> +    dom_valid = get_domain_info(domain->domid, &dominfo);
>> +    if (!domain->introduced) {
>> +        if (!dom_valid) {
>> +            talloc_free(domain);
>> +            return 1;
> 
> You are only freeing one domain here. So shouldn't we return 0? If not please 
> explain in a comment.
> 
>>           }
>> -        if (domain->conn) {
>> -            /* domain is a talloc child of domain->conn. */
>> -            conn = domain->conn;
>> -            domain->conn = NULL;
>> -            talloc_unlink(talloc_autofree_context(), conn);
>> -            notify = 0; /* destroy_domain() fires the watch */
>> -            goto again;
>> +        return 0;
>> +    }
>> +    if (dom_valid) {
>> +        if ((dominfo.crashed || dominfo.shutdown)
>> +            && !domain->shutdown) {
>> +            domain->shutdown = true;
>> +            *notify = true;
>> +            /*
>> +             * Avoid triggering watch events when the domain's
>> +             * nodes are being deleted.
>> +             */
>> +            if (domain->conn)
>> +                conn_delete_all_watches(domain->conn);
>>           }
>> +        if (!dominfo.dying)
>> +            return 0;
>> +    }
>> +    if (domain->conn) {
>> +        /* domain is a talloc child of domain->conn. */
>> +        conn = domain->conn;
>> +        domain->conn = NULL;
>> +        talloc_unlink(talloc_autofree_context(), conn);
>> +        *notify = false; /* destroy_domain() fires the watch */
>> +        return 1;
> 
> Can you add a comment explaining why 1 is returned here? Is this because we may 
> free two domains?

Oh, just detected you are right: this might free 2 domains, so a return
value other than 0 is required. Will add a comment.


Juergen


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 10/20] tools/xenstore: replace watch->relative_path with a prefix length

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 571 bytes --]

On 01.12.22 22:51, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> @@ -324,8 +312,7 @@ const char *dump_state_watches(FILE *fp, struct connection 
>> *conn,
>>           head.length = sizeof(sw);
>>           sw.conn_id = conn_id;
>> -        path = get_watch_path(watch, watch->node);
>> -        sw.path_length = strlen(path) + 1;
>> +        sw.path_length = strlen(watch->node + watch->prefix_len) + 1;
> 
> Why are you open-coding get_watch_path()?

Will fix it.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 11/20] tools/xenstore: move changed domain handling

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 1571 bytes --]

On 01.12.22 22:58, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>>   static bool check_indexes(XENSTORE_RING_IDX cons, XENSTORE_RING_IDX prod)
>> @@ -492,8 +504,12 @@ static struct domain 
>> *find_or_alloc_existing_domain(unsigned int domid)
>>       xc_dominfo_t dominfo;
>>       domain = find_domain_struct(domid);
>> -    if (!domain && get_domain_info(domid, &dominfo))
>> -        domain = alloc_domain(NULL, domid);
>> +    if (!domain) {
>> +        if (!get_domain_info(domid, &dominfo))
>> +            errno = ENOENT;
>> +        else
>> +            domain = alloc_domain(NULL, domid);
>> +    }
> 
> I don't understand how this change is related to this commit.

It is directly related to the hunk below. Returning errno in
acc_add_dom_nbentry() requires it to be set correctly in
find_or_alloc_existing_domain().

I'll add a remark in the commit message.

> 
> [...]
> 
>> +int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int val,
>> +            unsigned int domid)
>> +{
>> +    struct changed_domain *cd;
>> +
>> +    cd = acc_get_changed_domain(ctx, head, domid);
>> +    if (!cd)
>> +        return errno;
>> +
>> +    cd->nbentry += val;
> 
> As a future improvement, it would be worth considering to check for 
> underflow/overflow.

Do you really think we need to make sure not to add/remove more than
2 billion nodes owned by a single domain?


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 11/20] tools/xenstore: move changed domain handling

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 1133 bytes --]

On 13.12.22 07:53, Juergen Gross wrote:
> On 01.12.22 22:58, Julien Grall wrote:
>> Hi Juergen,
>>
>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>   static bool check_indexes(XENSTORE_RING_IDX cons, XENSTORE_RING_IDX prod)
>>> @@ -492,8 +504,12 @@ static struct domain 
>>> *find_or_alloc_existing_domain(unsigned int domid)
>>>       xc_dominfo_t dominfo;
>>>       domain = find_domain_struct(domid);
>>> -    if (!domain && get_domain_info(domid, &dominfo))
>>> -        domain = alloc_domain(NULL, domid);
>>> +    if (!domain) {
>>> +        if (!get_domain_info(domid, &dominfo))
>>> +            errno = ENOENT;
>>> +        else
>>> +            domain = alloc_domain(NULL, domid);
>>> +    }
>>
>> I don't understand how this change is related to this commit.
> 
> It is directly related to the hunk below. Returning errno in
> acc_add_dom_nbentry() requires it to be set correctly in
> find_or_alloc_existing_domain().

Wait, that was nonsense. This change is probably a leftover of a
previous version. Will remove it.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 13/20] tools/xenstore: don't allow creating too many nodes in a transaction

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 2364 bytes --]

On 01.12.22 20:25, Julien Grall wrote:
> Hi Juergen,
> 
> On 08/11/2022 08:09, Juergen Gross wrote:
>> On 07.11.22 19:37, Julien Grall wrote:
>>> On 07/11/2022 08:34, Juergen Gross wrote:
>>>> On 06.11.22 23:00, Julien Grall wrote:
>>>>> Hi Juergen,
>>>>>
>>>>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>>>> The accounting for the number of nodes of a domain in an active
>>>>>> transaction is not working correctly, as it allows to create arbitrary
>>>>>> number of nodes. The transaction will finally fail due to exceeding
>>>>>> the number of nodes quota, but before closing the transaction an
>>>>>> unprivileged guest could cause Xenstore to use a lot of memory.
>>>>>
>>>>> I have already made some of comments on the security ML when this was 
>>>>> initially set. The arguments still don't sound right to me.
>>>>>
>>>>> For a first, since XSA-326, we have a cap in place for the memory a domain 
>>>>> can consume. So this surely can't be a "lot of memory". Otherwise we are 
>>>>> saying that our limit (there are other way to hit it) were wrong...
>>>>
>>>> Yeah, maybe I should rework the commit message.
>>>>
>>>> The reason I still want to keep the patch is that in a transaction without any
>>>> conflicts and without hitting any transaction specific limits (number of nodes
>>>> accessed), the errors returned due to a single operation should be the same as
>>>> with the same operation performed outside a transaction.
>>>
>>> This seems to be a very niche use case. So it is not clear to me why this 
>>> matter and we want to add extra check for everyone.
>>
>> It is a matter of correctness.
> 
> I think this is a matter of perspective. Transactions are inherently racy and I 
> see no point of try to solve issues in the idealistic case (i.e. no conflict).
> The reasoning below...
> 
>>
>> Additionally, after the internal accounting rework this makes even more
>> sense, as the maximum values per domain seen are really correct, even when
>> queried while transactions are active.
> ... might be a better justification. But I will need to review the other patch 
> in order to forge a more positive opinion. Can you point me to the patch?

The main changes are in patches 2-4 of the 2nd series [1].


Juergen

[1]: https://lists.xen.org/archives/html/xen-devel/2022-11/msg00050.html


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 15/20] tools/xenstore: make domain_is_unprivileged() an inline function

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 875 bytes --]

On 01.12.22 23:05, Julien Grall wrote:
> Hi Juergen,
> 
> On 01/11/2022 15:28, Juergen Gross wrote:
>> clang is complaining about a NULL dereference for constructs like:
>>
>>    domain_is_unprivileged(conn) ? conn->in : NULL
> 
> I have just build xenstored with clang 11 and didn't get a complain. So can you 
> provide more details?

It was reported by Edwin during development of the XSA series:

On 11/08/2022 19:01, Edwin Torok wrote:
 > xenstored_watch.c:152:39: warning: Access to field 'in' results in a 
dereference of a null pointer (loaded from variable 'conn') [core.NullDereference]
 >          req = domain_is_unprivileged(conn) ? conn->in : NULL;
 >                                               ^~~~~~~~
 > 1 warning generated.
 >
 > clang 14 says this is a NULL dereference ...

You even responded to that report, BTW.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 11/20] tools/xenstore: move changed domain handling

[Julien Grall]

Hi Juergen,

On 13/12/2022 06:53, Juergen Gross wrote:
> On 01.12.22 22:58, Julien Grall wrote:
>> Hi Juergen,
>>
>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>   static bool check_indexes(XENSTORE_RING_IDX cons, XENSTORE_RING_IDX 
>>> prod)
>>> @@ -492,8 +504,12 @@ static struct domain 
>>> *find_or_alloc_existing_domain(unsigned int domid)
>>>       xc_dominfo_t dominfo;
>>>       domain = find_domain_struct(domid);
>>> -    if (!domain && get_domain_info(domid, &dominfo))
>>> -        domain = alloc_domain(NULL, domid);
>>> +    if (!domain) {
>>> +        if (!get_domain_info(domid, &dominfo))
>>> +            errno = ENOENT;
>>> +        else
>>> +            domain = alloc_domain(NULL, domid);
>>> +    }
>>
>> I don't understand how this change is related to this commit.
> 
> It is directly related to the hunk below. Returning errno in
> acc_add_dom_nbentry() requires it to be set correctly in
> find_or_alloc_existing_domain().
> 
> I'll add a remark in the commit message.
> 
>>
>> [...]
>>
>>> +int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int 
>>> val,
>>> +            unsigned int domid)
>>> +{
>>> +    struct changed_domain *cd;
>>> +
>>> +    cd = acc_get_changed_domain(ctx, head, domid);
>>> +    if (!cd)
>>> +        return errno;
>>> +
>>> +    cd->nbentry += val;
>>
>> As a future improvement, it would be worth considering to check for 
>> underflow/overflow.
> 
> Do you really think we need to make sure not to add/remove more than
> 2 billion nodes owned by a single domain?
No and that's not my point. If you look at domain_entry_fix() we have an 
assert() to check if the sum is still over 0.

This assert() was actually triggered a few times while testing the 
previous XSAs batch. So I think it would be worth to carry a similar 
check (maybe not an assert()) just in case we mess up with accounting in 
the future.

Cheers,

-- 
Julien Grall

Re: [PATCH 15/20] tools/xenstore: make domain_is_unprivileged() an inline function

[Julien Grall]

Hi,

On 13/12/2022 07:57, Juergen Gross wrote:
> On 01.12.22 23:05, Julien Grall wrote:
>> Hi Juergen,
>>
>> On 01/11/2022 15:28, Juergen Gross wrote:
>>> clang is complaining about a NULL dereference for constructs like:
>>>
>>>    domain_is_unprivileged(conn) ? conn->in : NULL
>>
>> I have just build xenstored with clang 11 and didn't get a complain. 
>> So can you provide more details?
> 
> It was reported by Edwin during development of the XSA series:
> 
> On 11/08/2022 19:01, Edwin Torok wrote:
>  > xenstored_watch.c:152:39: warning: Access to field 'in' results in a 
> dereference of a null pointer (loaded from variable 'conn') 
> [core.NullDereference]
>  >          req = domain_is_unprivileged(conn) ? conn->in : NULL;
>  >                                               ^~~~~~~~
>  > 1 warning generated.
>  >
>  > clang 14 says this is a NULL dereference ...
> 
> You even responded to that report, BTW.

I respond to a lot of e-mails and don't necessarily remember all of them 
:). That's why we have commit message.

In this case, you want to mention the compiler version in the commit 
message.

With that:

Acked-by: Julien Grall <jgrall@amazon.com>

Cheers,

-- 
Julien Grall

Re: [PATCH 11/20] tools/xenstore: move changed domain handling

[Juergen Gross]

[-- Attachment #1.1.1: Type: text/plain, Size: 2177 bytes --]

On 13.12.22 10:35, Julien Grall wrote:
> Hi Juergen,
> 
> On 13/12/2022 06:53, Juergen Gross wrote:
>> On 01.12.22 22:58, Julien Grall wrote:
>>> Hi Juergen,
>>>
>>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>>   static bool check_indexes(XENSTORE_RING_IDX cons, XENSTORE_RING_IDX prod)
>>>> @@ -492,8 +504,12 @@ static struct domain 
>>>> *find_or_alloc_existing_domain(unsigned int domid)
>>>>       xc_dominfo_t dominfo;
>>>>       domain = find_domain_struct(domid);
>>>> -    if (!domain && get_domain_info(domid, &dominfo))
>>>> -        domain = alloc_domain(NULL, domid);
>>>> +    if (!domain) {
>>>> +        if (!get_domain_info(domid, &dominfo))
>>>> +            errno = ENOENT;
>>>> +        else
>>>> +            domain = alloc_domain(NULL, domid);
>>>> +    }
>>>
>>> I don't understand how this change is related to this commit.
>>
>> It is directly related to the hunk below. Returning errno in
>> acc_add_dom_nbentry() requires it to be set correctly in
>> find_or_alloc_existing_domain().
>>
>> I'll add a remark in the commit message.
>>
>>>
>>> [...]
>>>
>>>> +int acc_add_dom_nbentry(const void *ctx, struct list_head *head, int val,
>>>> +            unsigned int domid)
>>>> +{
>>>> +    struct changed_domain *cd;
>>>> +
>>>> +    cd = acc_get_changed_domain(ctx, head, domid);
>>>> +    if (!cd)
>>>> +        return errno;
>>>> +
>>>> +    cd->nbentry += val;
>>>
>>> As a future improvement, it would be worth considering to check for 
>>> underflow/overflow.
>>
>> Do you really think we need to make sure not to add/remove more than
>> 2 billion nodes owned by a single domain?
> No and that's not my point. If you look at domain_entry_fix() we have an 
> assert() to check if the sum is still over 0.
> 
> This assert() was actually triggered a few times while testing the previous XSAs 
> batch. So I think it would be worth to carry a similar check (maybe not an 
> assert()) just in case we mess up with accounting in the future.

Patch 2 of the 2nd series does that already.


Juergen

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3149 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [PATCH 11/20] tools/xenstore: move changed domain handling

[Julien Grall]

On 13/12/2022 09:54, Juergen Gross wrote:
> On 13.12.22 10:35, Julien Grall wrote:
>> Hi Juergen,
>>
>> On 13/12/2022 06:53, Juergen Gross wrote:
>>> On 01.12.22 22:58, Julien Grall wrote:
>>>> Hi Juergen,
>>>>
>>>> On 01/11/2022 15:28, Juergen Gross wrote:
>>>>>   static bool check_indexes(XENSTORE_RING_IDX cons, 
>>>>> XENSTORE_RING_IDX prod)
>>>>> @@ -492,8 +504,12 @@ static struct domain 
>>>>> *find_or_alloc_existing_domain(unsigned int domid)
>>>>>       xc_dominfo_t dominfo;
>>>>>       domain = find_domain_struct(domid);
>>>>> -    if (!domain && get_domain_info(domid, &dominfo))
>>>>> -        domain = alloc_domain(NULL, domid);
>>>>> +    if (!domain) {
>>>>> +        if (!get_domain_info(domid, &dominfo))
>>>>> +            errno = ENOENT;
>>>>> +        else
>>>>> +            domain = alloc_domain(NULL, domid);
>>>>> +    }
>>>>
>>>> I don't understand how this change is related to this commit.
>>>
>>> It is directly related to the hunk below. Returning errno in
>>> acc_add_dom_nbentry() requires it to be set correctly in
>>> find_or_alloc_existing_domain().
>>>
>>> I'll add a remark in the commit message.
>>>
>>>>
>>>> [...]
>>>>
>>>>> +int acc_add_dom_nbentry(const void *ctx, struct list_head *head, 
>>>>> int val,
>>>>> +            unsigned int domid)
>>>>> +{
>>>>> +    struct changed_domain *cd;
>>>>> +
>>>>> +    cd = acc_get_changed_domain(ctx, head, domid);
>>>>> +    if (!cd)
>>>>> +        return errno;
>>>>> +
>>>>> +    cd->nbentry += val;
>>>>
>>>> As a future improvement, it would be worth considering to check for 
>>>> underflow/overflow.
>>>
>>> Do you really think we need to make sure not to add/remove more than
>>> 2 billion nodes owned by a single domain?
>> No and that's not my point. If you look at domain_entry_fix() we have 
>> an assert() to check if the sum is still over 0.
>>
>> This assert() was actually triggered a few times while testing the 
>> previous XSAs batch. So I think it would be worth to carry a similar 
>> check (maybe not an assert()) just in case we mess up with accounting 
>> in the future.
> 
> Patch 2 of the 2nd series does that already.

Ok. I will have a look.

Cheers,

-- 
Julien Grall