lguest: documentation IV: Launcher

Documentation: The Launcher Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Rusty Russell <rusty@rustcorp.com.au> 2007-07-26 13:41:03 -0400
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2007-07-26 14:35:17 -0400
commit: dde797899ac17ebb812b7566044124d785e98dc7 (patch)
tree: 531ae7fd415d267e49acfedbbf4f03cf86e5eac1 /drivers/lguest/core.c
parent: e2c9784325490c878b7f69aeec1bed98b288bd97 (diff)
1 files changed, 22 insertions, 2 deletions
diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
index 2cea0c80c992..1eb05f9a56b6 100644
--- a/drivers/lguest/core.c
+++ b/drivers/lguest/core.c
@@ -208,24 +208,39 @@ static int emulate_insn(struct lguest *lg)
        return 1;
 }
+/*L:305
+ * Dealing With Guest Memory.
+ *
+ * When the Guest gives us (what it thinks is) a physical address, we can use
+ * the normal copy_from_user() & copy_to_user() on that address: remember,
+ * Guest physical == Launcher virtual.
+ *
+ * But we can't trust the Guest: it might be trying to access the Launcher
+ * code.  We have to check that the range is below the pfn_limit the Launcher
+ * gave us.  We have to make sure that addr + len doesn't give us a false
+ * positive by overflowing, too. */
 int lguest_address_ok(const struct lguest *lg,
                      unsigned long addr, unsigned long len)
 {
        return (addr+len) / PAGE_SIZE < lg->pfn_limit && (addr+len >= addr);
 }
-/* Just like get_user, but don't let guest access lguest binary. */
+/* This is a convenient routine to get a 32-bit value from the Guest (a very
+ * common operation).  Here we can see how useful the kill_lguest() routine we
+ * met in the Launcher can be: we return a random value (0) instead of needing
+ * to return an error. */
 u32 lgread_u32(struct lguest *lg, unsigned long addr)
 {
        u32 val = 0;
-        /* Don't let them access lguest binary */
+        /* Don't let them access lguest binary. */
        if (!lguest_address_ok(lg, addr, sizeof(val))
            || get_user(val, (u32 __user *)addr) != 0)
                kill_guest(lg, "bad read address %#lx", addr);
        return val;
 }
+/* Same thing for writing a value. */
 void lgwrite_u32(struct lguest *lg, unsigned long addr, u32 val)
 {
        if (!lguest_address_ok(lg, addr, sizeof(val))
@@ -233,6 +248,9 @@ void lgwrite_u32(struct lguest *lg, unsigned long addr, u32 val)
                kill_guest(lg, "bad write address %#lx", addr);
 }
+/* This routine is more generic, and copies a range of Guest bytes into a
+ * buffer.  If the copy_from_user() fails, we fill the buffer with zeroes, so
+ * the caller doesn't end up using uninitialized kernel memory. */
 void lgread(struct lguest *lg, void *b, unsigned long addr, unsigned bytes)
 {
        if (!lguest_address_ok(lg, addr, bytes)
@@ -243,6 +261,7 @@ void lgread(struct lguest *lg, void *b, unsigned long addr, unsigned bytes)
        }
 }
+/* Similarly, our generic routine to copy into a range of Guest bytes. */
 void lgwrite(struct lguest *lg, unsigned long addr, const void *b,
             unsigned bytes)
 {
@@ -250,6 +269,7 @@ void lgwrite(struct lguest *lg, unsigned long addr, const void *b,
            || copy_to_user((void __user *)addr, b, bytes) != 0)
                kill_guest(lg, "bad write address %#lx len %u", addr, bytes);
 }
+/* (end of memory access helper routines) :*/
 static void set_ts(void)
 {
author	Rusty Russell <rusty@rustcorp.com.au>	2007-07-26 13:41:03 -0400
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2007-07-26 14:35:17 -0400
commit	dde797899ac17ebb812b7566044124d785e98dc7 (patch)
tree	531ae7fd415d267e49acfedbbf4f03cf86e5eac1 /drivers/lguest/core.c
parent	e2c9784325490c878b7f69aeec1bed98b288bd97 (diff)