| blob | 1d134a686648577eb68bf8a567af2cf4b196e26f |
1 /*
2 * QEMU Xen emulation: The actual implementation of XenStore
3 *
4 * Copyright © 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
5 *
6 * Authors: David Woodhouse <dwmw2@infradead.org>, Paul Durrant <paul@xen.org>
7 *
8 * This work is licensed under the terms of the GNU GPL, version 2 or later.
9 * See the COPYING file in the top-level directory.
10 */
22 #define XS_MAX_WATCHES 128
23 #define XS_MAX_DOMAIN_NODES 1000
24 #define XS_MAX_NODE_SIZE 2048
25 #define XS_MAX_TRANSACTIONS 10
26 #define XS_MAX_PERMS_PER_NODE 5
30 "0123456789-/_"
41 #ifdef XS_NODE_UNIT_TEST
43 #endif
73 };
77 {
82 /* Transactions based on XBT_NULL will always fail */
84 }
85 }
88 {
91 /* Find the next TX id which isn't either XBT_NULL or in use. */
97 /*
98 * It is vanishingly unlikely, but ensure that no outstanding transaction
99 * is based on the (previous incarnation of the) newly-allocated TX id.
100 */
104 }
107 {
111 #ifdef XS_NODE_UNIT_TEST
112 nr_xs_nodes++;
114 #endif
116 }
119 {
120 /* With just 10 transactions, it can never get anywhere near this. */
126 }
129 {
132 }
136 }
140 }
143 }
146 }
147 #ifdef XS_NODE_UNIT_TEST
149 nr_xs_nodes--;
151 #endif
153 }
156 {
173 }
176 }
179 {
181 }
184 {
187 #ifdef XS_NODE_UNIT_TEST
190 }
191 #endif
196 }
198 /* For copying from one hash table to another using g_hash_table_foreach() */
200 {
202 }
205 {
210 #ifdef XS_NODE_UNIT_TEST
213 }
214 #endif
221 }
224 }
227 }
229 }
231 /* Returns true if it made a change to the hash table */
233 {
239 }
241 #ifdef XS_NODE_UNIT_TEST
244 #endif
248 }
250 /*
251 * The documentation for g_hash_table_insert() says that it "returns a
252 * boolean value to indicate whether the newly added value was already
253 * in the hash table or not."
254 *
255 * It could perhaps be clearer that returning TRUE means it wasn't,
256 */
258 }
271 /* The number of nodes which will exist in the tree if this op succeeds. */
274 /*
275 * This is maintained on the way *down* the walk to indicate
276 * whether nodes can be modified in place or whether COW is
277 * required. It starts off being true, as we're always going to
278 * replace the root node. If we walk into a shared subtree it
279 * becomes false. If we start *creating* new nodes for a write,
280 * it becomes true again.
281 *
282 * Do not use it on the way back up.
283 */
289 /* Tracking during recursion so we know which is first. */
291 };
294 {
300 }
304 }
309 /* Fire the parent nodes from 'op' if asked to */
313 }
319 }
320 }
323 {
327 /*
328 * The real XenStored includes permissions and names of child nodes
329 * in the calculated datasize but life's too short. For a single
330 * tenant internal XenStore, we don't have to be quite as pedantic.
331 */
334 }
335 }
336 /* We *are* the node to be written. Either this or a copy. */
341 }
345 }
349 }
351 }
354 {
364 }
367 }
370 {
379 }
387 }
390 /*
391 * Fire watches on *this* node but not the parents because they are
392 * going to be deleted too, so the watch will fire for them anyway.
393 */
397 /*
398 * Actually deleting the child here is just an optimisation; if we
399 * don't then the final unref on the topmost victim will just have
400 * to cascade down again repeating all the g_hash_table_foreach()
401 * calls.
402 */
404 }
408 gpointer user_data)
409 {
414 /*
415 * Reinsert the deleted_in_tx copy of the node into the parent's
416 * 'children' hash table. Having stashed it from op->op_opaque2
417 * before the recursive call to xs_node_copy_deleted() scribbled
418 * over it.
419 */
421 }
424 {
429 #ifdef XS_NODE_UNIT_TEST
432 }
433 #endif
440 }
443 }
445 /* If it gets resurrected we only fire a watch if it lost its content */
448 }
451 }
454 {
458 /* It's not trivial to do inplace handling for this one */
463 }
465 /* Fire watches for, and count, nodes in the subtree which get deleted */
468 }
473 }
476 }
479 {
487 }
490 {
494 }
497 {
505 }
510 /*
511 * The dom_id of the first perm is the owner, and the owner always has
512 * read-write access.
513 */
517 }
519 /*
520 * The letter of the first perm specified the default access for all other
521 * domains.
522 */
528 }
530 }
533 }
536 {
543 /* A guest may not change permissions on nodes it does not own */
546 }
548 /* A guest may not change the owner of a node it owns. */
552 }
556 }
557 }
559 /* We *are* the node to be written. Either this or a copy. */
564 }
568 }
572 }
574 }
576 /*
577 * Passed a full reference in *n which it may free if it needs to COW.
578 *
579 * When changing the tree, the op->inplace flag indicates whether this
580 * node may be modified in place (i.e. it and all its parents had a
581 * refcount of one). If walking down the tree we find a node whose
582 * refcount is higher, we must clear op->inplace and COW from there
583 * down. Unless we are creating new nodes as scaffolding for a write
584 * (which works like 'mkdir -p' does). In which case those newly
585 * created nodes can (and must) be modified in place again.
586 */
588 {
600 /* Is there a child, or do we hit the double-NUL termination? */
607 }
609 }
611 /* If we walk into a subtree which is shared, we must COW */
614 }
622 }
624 /* This is the actual node on which the operation shall be performed */
628 }
630 }
632 /* op->inplace will be further modified during the recursion */
637 /* This is a *weak* reference to 'child', owned by the hash table */
638 }
643 /* Cannot actually set child->deleted_in_tx = false until later */
644 }
646 /*
647 * Now we own it too. But if we can modify inplace, that's going to
648 * foil the check and force it to COW. We want to be the *only* owner
649 * so that it can be modified in place, so remove it from the hash
650 * table in that case. We'll add it (or its replacement) back later.
651 */
655 }
662 }
667 }
672 /*
673 * If we're creating a new child, we can clearly modify it (and its
674 * children) in place from here on down.
675 */
680 }
682 /*
683 * If there's a watch on this node, add it to the list to be fired
684 * (with the correct full pathname for the modified node) at the end.
685 */
688 }
690 /*
691 * Except for the temporary child-stealing as noted, our node has not
692 * changed yet. We don't yet know the overall operation will complete.
693 */
698 }
702 /* Put it back as it was. */
706 }
708 }
710 /*
711 * Now we know the operation has completed successfully and we're on
712 * the way back up. Make the change, substituting 'child' in the
713 * node at our level.
714 */
718 }
720 /*
721 * If we resurrected a deleted_in_tx node, we can mark it as no longer
722 * deleted now that we know the overall operation has succeeded.
723 */
727 }
729 /*
730 * The child may be NULL here, for a remove operation. Either way,
731 * xs_node_add_child() will do the right thing and return a value
732 * indicating whether it changed the parent's hash table or not.
733 *
734 * We bump the parent gencnt if it adds a child that we *didn't*
735 * steal from it in the first place, or if child==NULL and was
736 * thus removed (whether we stole it earlier and didn't put it
737 * back, or xs_node_add_child() actually removed it now).
738 */
741 }
743 out:
747 /*
748 * On completing the recursion back up the path walk and reaching the
749 * top, assign the new node count if the operation was successful. If
750 * the main tree was changed, bump its tx ID so that outstanding
751 * transactions correctly fail. But don't bump it every time; only
752 * if it makes a difference.
753 */
758 }
765 }
766 }
767 }
769 }
772 gpointer user_data)
773 {
777 }
779 /* Populates items with char * names which caller must free. */
781 {
789 }
793 }
796 }
800 {
805 }
809 }
810 }
814 }
819 }
821 userpath);
822 }
824 }
830 {
834 }
836 /*
837 * We use *two* NUL terminators at the end of the path, as during the walk
838 * we will temporarily turn each '/' into a NUL to allow us to use that
839 * path element for the lookup.
840 */
860 }
864 }
867 }
871 {
872 /*
873 * The data GByteArray shall exist, and will be freed by caller.
874 * Just g_byte_array_append() to it.
875 */
883 }
887 }
891 {
892 /*
893 * The data GByteArray shall exist, will be freed by caller. You are
894 * free to use g_byte_array_steal() and keep the data. Or just ref it.
895 */
903 }
909 }
914 {
915 /*
916 * The items are (char *) to be freed by caller. Although it's consumed
917 * immediately so if you want to change it to (const char *) and keep
918 * them, go ahead and change the caller.
919 */
927 }
932 }
936 {
941 }
945 }
958 }
961 }
964 gpointer user_data)
965 {
975 }
978 /*
979 * We fire watches on our parents if we are the *first* node
980 * to be deleted (the topmost one). This matches the behaviour
981 * when deleting in the live tree.
982 */
985 /* Only used on the way down so no need to clear it later */
987 }
996 }
1000 }
1004 }
1006 /*
1007 * Don't fire watches if this node was only copied because a
1008 * descendent was changed. The modified_in_tx flag indicates the
1009 * ones which were really changed.
1010 */
1014 }
1017 /* Deleted nodes really do get expunged when we commit */
1019 }
1022 {
1029 }
1037 /*
1038 * There are two reasons why init_walk_op() may fail: an invalid tx_id,
1039 * or an invalid path. We pass XBT_NULL and "/", and it cannot fail.
1040 * If it does, the world is broken. And returning 'ret' would be weird
1041 * because the transaction *was* committed, and all this tree walk is
1042 * trying to do is fire the resulting watches on newly-committed nodes.
1043 */
1049 /*
1050 * Walk the new root and fire watches on any node which has a
1051 * refcount of one (which is therefore unique to this transaction).
1052 */
1055 }
1058 }
1062 {
1069 }
1073 }
1079 }
1081 }
1085 {
1093 }
1097 }
1101 {
1109 }
1113 }
1116 {
1124 }
1129 }
1141 }
1142 }
1146 {
1154 }
1159 }
1164 }
1169 }
1175 {
1183 }
1185 /* Check for duplicates */
1191 }
1193 }
1197 }
1206 /* l was looked up above when checking for duplicates */
1212 }
1215 }
1218 }
1222 {
1226 /* A new watch should fire immediately */
1228 }
1231 }
1234 {
1240 }
1246 }
1251 {
1259 }
1264 }
1266 /*
1267 * The hash table contains the first element of a list of
1268 * watches. Removing the first element in the list is a
1269 * special case because we have to update the hash table to
1270 * point to the next (or remove it if there's nothing left).
1271 */
1275 /* Insert the previous 'next' into the hash table */
1278 /* Nothing left; remove from hash table */
1280 }
1283 }
1285 /*
1286 * We're all done messing with the hash table because the element
1287 * it points to has survived the cull. Now it's just a simple
1288 * linked list removal operation.
1289 */
1297 }
1298 }
1301 }
1304 {
1306 guint nr_watch_paths;
1307 guint i;
1316 /*
1317 * w1 is the original list. The hash table has this pointer.
1318 * w2 is the head of our newly-filtered list.
1319 * w and l are temporary for processing. w is somewhat redundant
1320 * with *l but makes my eyes bleed less.
1321 */
1327 /* If we're freeing the head of the list, bump w2 */
1330 }
1334 }
1336 }
1337 /*
1338 * If the head of the list survived the cull, we don't need to
1339 * touch the hash table and we're done with this path. Else...
1340 */
1344 /*
1345 * It was already freed. (Don't worry, this whole thing is
1346 * single-threaded and nobody saw it in the meantime). And
1347 * having *stolen* it, we now own the watch_paths[i] string
1348 * so if we don't give it back to the hash table, we need
1349 * to free it.
1350 */
1355 }
1356 }
1357 }
1360 }
1363 {
1367 }
1369 }
1372 {
1387 }
1391 {
1397 }
1398 }
1401 gpointer opaque)
1402 {
1406 }
1409 {
1412 }
1418 };
1420 #define MODIFIED_IN_TX (1U << 0)
1421 #define DELETED_IN_TX (1U << 1)
1422 #define NODE_REF (1U << 2)
1425 {
1431 /* Child nodes (i.e. anything but the root) have a name */
1434 }
1436 /*
1437 * If we already wrote this node, refer to the previous copy.
1438 * There's no rename/move in XenStore, so all we need to find
1439 * it is the tx_id of the transaction in which it exists. Which
1440 * may be the root tx.
1441 */
1452 }
1455 }
1463 }
1467 }
1468 /* NUL termination after perms */
1473 }
1474 /* NUL termination after children (child name is NUL) */
1476 }
1477 }
1480 {
1484 }
1487 {
1496 }
1499 {
1503 /* We only save the *guest* watches. */
1508 }
1509 }
1512 {
1517 /*
1518 * node = flags [ real_node / node_ref ]
1519 * flags = uint8_t (MODIFIED_IN_TX | DELETED_IN_TX | NODE_REF)
1520 * node_ref = tx_id (in which the original version of this node exists)
1521 * real_node = content perms child* NUL
1522 * content = len data
1523 * len = uint32_t
1524 * data = uint8_t{len}
1525 * perms = perm* NUL
1526 * perm = asciiz
1527 * child = name node
1528 * name = asciiz
1529 *
1530 * tree = tx_id node
1531 * tx_id = uint32_t
1532 *
1533 * transaction = base_tx_id dom_id tree
1534 * base_tx_id = uint32_t
1535 * dom_id = uint32_t
1536 *
1537 * tx_list = tree transaction* XBT_NULL
1538 *
1539 * watch = path token
1540 * path = asciiz
1541 * token = asciiz
1542 *
1543 * watch_list = watch* NUL
1544 *
1545 * xs_serialize_stream = last_tx tx_list watch_list
1546 * last_tx = uint32_t
1547 */
1549 /* Clear serialized_tx in every node. */
1553 }
1567 }
1576 };
1579 {
1584 }
1590 }
1593 {
1598 }
1603 }
1607 }
1610 }
1615 }
1618 {
1624 }
1628 }
1632 }
1636 }
1641 }
1643 }
1646 {
1650 }
1655 }
1658 }
1661 {
1669 }
1670 }
1674 {
1681 }
1692 }
1697 }
1701 }
1707 }
1712 }
1715 }
1720 }
1725 }
1735 }
1736 }
1745 }
1749 }
1752 }
1754 /* Now children */
1765 }
1769 }
1780 }
1783 }
1785 /*
1786 * If the node has no data and no children we still want to fire
1787 * a watch on it.
1788 */
1791 }
1792 }
1796 }
1800 }
1803 {
1809 }
1813 }
1818 }
1823 {
1843 }
1845 /*
1846 * Consume the base tree into a transaction so that watches can be
1847 * fired as we commit it. By setting us.root_walk we cause the nodes
1848 * to be marked as 'modified_in_tx' as they are created, so that the
1849 * watches are triggered on them.
1850 */
1857 }
1860 /*
1861 * Commit the transaction now while the refcount on all nodes is 1.
1862 * Note that we haven't yet reinstated the *guest* watches but that's
1863 * OK because we don't want the guest to see any changes. Even any
1864 * backend nodes which get recreated should be *precisely* as they
1865 * were before the migration. Back ends may have been instantiated
1866 * already, and will see the frontend magically blink into existence
1867 * now (well, from the aio_bh which fires the watches). It's their
1868 * responsibility to rebuild everything precisely as it was before.
1869 */
1873 }
1882 }
1885 }
1893 }
1897 }
1901 }
1903 }
1912 }
1915 }
1920 }
1924 }
1929 }
1930 }
1934 }
1937 }