| a1896967 | 03-Mar-2025 |
Andrew Jeffery <andrew@codeconstruct.com.au> |
msgbuf: Rework error handling to improve soundness
Design the implementation to uphold the invariant that a non-negative remaining value implies the cursor pointer is valid, and that under other conditions error values must be observed by the msgbuf user. The former is tested with assertions in the implementation. The latter is enforced by construction.
With this change, all msgbuf instances for which pldm_msgbuf_init_errno() succeeds must be either completed or discarded by calls to the pldm_msgbuf_complete*() or pldm_msgbuf_discard() APIs respectively.
We then build on the properties that:
- pldm_msgbuf_init_errno() is marked with the warn_unused_result function attribute
- pldm_msgbuf_init_errno() returns errors for invalid buffer configurations
- The complete and discard APIs are marked with the warn_unused_result function attribute
- The complete APIs test for negative remaining values and return an error if encountered.
- The discard API propagates the provided error code
Together these provide the foundation to ensure that buffer access errors are (eventually) detected.
A msgbuf object is always in one of the uninitialized, valid, invalid, or completed states. The states are defined as follows:
- Uninitialized: Undefined values for remaining and cursor
- Valid: cursor points to a valid object, remaining is both non-negative and describes a range contained within the object pointed to by cursor
- Invalid: The value of remaining is negative. The value of cursor is unspecified.
- Completed: the value of remaining is INTMAX_MIN and cursor is NULL
msgbuf instances must always be in the completed state by the time their storage is reclaimed. To enforce this, PLDM_MSGBUF_DEFINE_P() is introduced both to simplify definition of related variables, and to exploit the compiler's 'cleanup' attribute. The cleanup function associated with the msgbuf object asserts that the referenced object is in the completed state.
From there, update the implementations of the msgbuf APIs such that exceeding implementation type limits forces the msgbuf object to the invalid state (in addition to returning an error value) to relieve the caller from testing the result of all API invocations.
Change-Id: I4d78ddc5f567d4148f2f6d8f3e7570e97c316bbb
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
|
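To make the state model in the commit message above concrete, here is an added, self-contained illustration written for this page; it is not libpldm's msgbuf implementation, and every name in it (`MSGBUF_DEFINE_P`, `msgbuf_init`, `msgbuf_extract_uint32`, `msgbuf_complete`, `msgbuf_discard`, the `-EOVERFLOW`/`-EPROTO` codes and the constructed 8-byte message) is an assumption. It models the four states, the `cleanup` attribute asserting the completed state when storage is reclaimed, and the point that a caller which ignores an extract error still has that error surfaced by `complete()`. It requires gcc or clang for the attributes.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Added illustration of the msgbuf state model, not libpldm's code.
 * States: uninitialized (unspecified fields), valid (cursor points into a
 * live object, remaining >= 0 and within it), invalid (remaining < 0,
 * cursor unspecified) and completed (remaining == INTMAX_MIN, cursor NULL).
 */
struct msgbuf {
	const uint8_t *cursor;
	intmax_t remaining;
};

/* Cleanup hook: storage is being reclaimed, so the object must be completed. */
static void msgbuf_cleanup(struct msgbuf **pp)
{
	assert((*pp)->remaining == INTMAX_MIN && (*pp)->cursor == NULL);
}

/* Define storage plus a pointer to it, starting in the completed state so an
 * early return before init still satisfies the cleanup assertion. */
#define MSGBUF_DEFINE_P(name)                                                  \
	struct msgbuf name##_storage = { NULL, INTMAX_MIN };                   \
	struct msgbuf *name __attribute__((cleanup(msgbuf_cleanup))) =         \
		&name##_storage

__attribute__((warn_unused_result)) static int
msgbuf_init(struct msgbuf *ctx, const void *buf, size_t len)
{
	if (!ctx || !buf || len > (size_t)INTMAX_MAX)
		return -EINVAL;
	ctx->cursor = buf;
	ctx->remaining = (intmax_t)len;
	return 0;
}

/* Extract a little-endian uint32. A short buffer drives remaining negative
 * (the object becomes invalid) and the error is also returned. This one is
 * deliberately not warn_unused_result: complete() will observe the state. */
static int msgbuf_extract_uint32(struct msgbuf *ctx, uint32_t *out)
{
	if (ctx->remaining < 0)
		return -EOVERFLOW; /* already invalid; stay invalid */
	ctx->remaining -= (intmax_t)sizeof(*out);
	if (ctx->remaining < 0)
		return -EOVERFLOW; /* now invalid; cursor no longer trusted */
	const uint8_t *p = ctx->cursor;
	*out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 |
	       (uint32_t)p[3] << 24;
	ctx->cursor += sizeof(*out);
	return 0;
}

/* Complete: an invalid object yields an error; either way it ends completed. */
__attribute__((warn_unused_result)) static int msgbuf_complete(struct msgbuf *ctx)
{
	int rc = ctx->remaining < 0 ? -EOVERFLOW : 0;
	ctx->remaining = INTMAX_MIN;
	ctx->cursor = NULL;
	return rc;
}

/* Discard: propagate the caller's error code and end completed. */
__attribute__((warn_unused_result)) static int msgbuf_discard(struct msgbuf *ctx, int rc)
{
	ctx->remaining = INTMAX_MIN;
	ctx->cursor = NULL;
	return rc;
}

/* Constructed sample message: two little-endian u32 fields. */
static const uint8_t sample_msg[8] = { 0x04, 0x03, 0x02, 0x01,
				       0xef, 0xbe, 0xad, 0xde };

/* Decode two fields without checking the individual extract results. */
static int decode_two_u32(const uint8_t *msg, size_t len, uint32_t *a, uint32_t *b)
{
	MSGBUF_DEFINE_P(buf);
	int rc = msgbuf_init(buf, msg, len);
	if (rc)
		return rc;
	msgbuf_extract_uint32(buf, a);
	msgbuf_extract_uint32(buf, b);
	return msgbuf_complete(buf);
}

/* Well-formed input: returns 0, a = 0x01020304, b = 0xdeadbeef. */
static int example_complete_message(uint32_t *a, uint32_t *b)
{
	return decode_two_u32(sample_msg, sizeof(sample_msg), a, b);
}

/* Truncated to 6 bytes: the second extract fails unobserved at its call
 * site, but complete() still returns -EOVERFLOW. */
static int example_truncated_message(void)
{
	uint32_t a = 0, b = 0;
	return decode_two_u32(sample_msg, 6, &a, &b);
}

/* Discard propagates the caller's code (-EPROTO, an assumed choice) and the
 * cleanup assertion still passes because the object ends completed. */
static int example_discard_propagates(void)
{
	MSGBUF_DEFINE_P(buf);
	uint32_t version = 0;
	int rc = msgbuf_init(buf, sample_msg, sizeof(sample_msg));
	if (rc)
		return rc;
	msgbuf_extract_uint32(buf, &version);
	if (version != 1u)
		return msgbuf_discard(buf, -EPROTO);
	return msgbuf_complete(buf);
}
```

Compiling with `-Wall` reports any ignored result of `msgbuf_init`, `msgbuf_complete` or `msgbuf_discard`, and returning from a function without completing or discarding a `MSGBUF_DEFINE_P` object trips the cleanup assertion at runtime, which is how the two halves of the commit's invariant (checked by construction, and checked by assertion) fit together.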
| 2628990b | 12-Feb-2025 |
Matt Johnston <matt@codeconstruct.com.au> |
firmware fd: FD_T1 timeout in FD-driven states
FD_T1 timeout should also take effect when waiting for UA responses to RequestFirmwareData, VerifyComplete, ApplyCompete, and ApplyComplete.
Previously the timeout was only used when waiting for UA-initiated requests.
Fixes: 8c2bfb141d11 ("libpldm: Add firmware update FD responder")
Change-Id: Id43fb0b991a30b613f1e4e92e42481dea3f8adce
Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
|