Re: [Xen-devel] [PATCH 1/5] xen/bitmap: fix bitmap_fill with zero-sized bitmap
>>> On 06.05.19 at 16:50, <marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> When bitmap_fill(..., 0) is called, do not try to write anything. Before
> this patch, it tried to write almost LONG_MAX, surely overwriting
> something.
>
> Signed-off-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

I'm embarrassed, seeing that commit d8a7694e5a ("bitmap_*() should cope
with zero size bitmaps") changed the code to its present shape, but left
the issue un-addressed here despite its title.

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

> Found while debugging framebuffer located above 4GB. In that case 32bit
> variable for it overflows and framebuffer initialization zeroed
> unrelated memory. Specifically, it hit mbi->mods_count, so later on
> bitmap_fill(module_map, mbi->mods_count) in __start_xen() crashed.

The origin of your problem being a truncation one, it seems pretty clear
to me that if we want to be able to gracefully handle that, then we need
to stop using plain int in all the involved functions.

I'm curious though which bitmap_fill() it was that you saw misbehave:
There's no such call at all in xen/drivers/video/, and I'm also having a
hard time seeing how the address (rather than the size) of the frame
buffer could be involved here.

Jan
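The failure mode discussed in this thread, as an added example that is not part of the original messages and is not Xen's code: a simplified model of a bitmap fill that memsets all but the last word and then masks the last word, showing how the memset length wraps for a zero-sized bitmap, next to a guarded variant. The names `unguarded_fill_bytes` and `guarded_fill` are hypothetical, and the sample buffer is constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG    (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Length an unguarded fill would hand to memset() for the leading words.
 * Hypothetical helper: it only computes the length, it writes nothing. */
static size_t unguarded_fill_bytes(unsigned int nbits)
{
    size_t nlongs = BITS_TO_LONGS(nbits);

    /* nbits == 0 gives nlongs == 0, so (nlongs - 1) wraps to SIZE_MAX. */
    return (nlongs - 1) * sizeof(unsigned long);
}

/* Guarded fill (hypothetical): sets the low nbits bits of dst and returns
 * the number of words written; a zero-sized bitmap writes nothing. */
static size_t guarded_fill(unsigned long *dst, unsigned int nbits)
{
    size_t nlongs = BITS_TO_LONGS(nbits);
    unsigned int tail = nbits % BITS_PER_LONG;

    if (nlongs == 0)
        return 0;
    memset(dst, 0xff, (nlongs - 1) * sizeof(unsigned long));
    /* Last word: only the bits that belong to the bitmap are set. */
    dst[nlongs - 1] = tail ? (1UL << tail) - 1 : ~0UL;
    return nlongs;
}

int main(void)
{
    /* Constructed sample: buf[1] is the bitmap, its neighbours are canaries. */
    unsigned long buf[3] = { 0x1111, 0x2222, 0x3333 };

    printf("unguarded memset length for 0 bits: %zu\n", unguarded_fill_bytes(0));
    printf("guarded fill of 0 bits wrote %zu words\n", guarded_fill(&buf[1], 0));
    printf("canaries: %#lx %#lx %#lx\n", buf[0], buf[1], buf[2]);
    return 0;
}
```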