Xen project Mailing List

Re: [PATCH 9/9] gnttab: don't silently truncate GFNs in compat setup-table handling

To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Mon, 10 Oct 2022 10:46:46 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oGnypTq7vraWhIQ+AdGroi5WfAv95mzqI6SjBXcQulM=; b=fpzSY1NwAbLMbKB0j67TkBmOMAKBk5qDJC1reRvZX3aFP3vCqhAiluJGciGkY4iGffL4Er0QQdAUAy+cdJp1SobDDk5V07PDvefQNBBT8YfUp5N8tcEOZVb9TSxYKQxRFiIoQSBqGjyQmnDsZugJvZe6y0szZNsLeIu0/nMx3ZtK6yUbjM8CceUQRKO9mQiyKVmw3bmMTUX3zBYOwXR06eVEE/+4U1QihYmFERl8W7Mn+P667Cc+8NR5w+jb9I8XUfya8kquoubTGN80BgdQeuPFJUycUJs/NlLxzX0FplmEM97kf5z/O00NgwXxsFBdTfywSmzvycMej1mbK7BVbA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=f1Z8UztMWdQ20c5Pwi6sfh0mlpfMSVW3J7nLeJAZnegK4keCdpnaUJWEqPwzeuYHLBnZzDtpCFg5yy5DHdXvg2oNZ+TpHRl0nKY4YqfjNqrUWhW+/bE6wELq2Kf2Rc5tCnXnzRL4pwVSvKMzyqWEZlbKq0A/bxGA0oYiGT3rrPYUyz6VBOryzlAuB7Sr7+seN8Vq53oGwH3ds1RLrUnpcIMFivI+qHEch/4U0+IdUM5gd4hElPwbr+EJPGD6BuqJXxx4XcxYGQgc3ZCCESLuhHKLJ4JWSDr5fkIj7C606zwICyBnmurYdOFXyN42dzYWv34lvj0OzrdQBRWPhk2EQA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: George Dunlap <George.Dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 10 Oct 2022 08:46:50 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 07.10.2022 21:57, Andrew Cooper wrote: > On 26/08/2021 11:15, Jan Beulich wrote: >> --- a/xen/common/compat/grant_table.c >> +++ b/xen/common/compat/grant_table.c >> @@ -175,8 +175,15 @@ int compat_grant_table_op(unsigned int c >> i < (_s_)->nr_frames; ++i ) \ >> { \ >> compat_pfn_t frame = (_s_)->frame_list.p[i]; \ >> - if ( __copy_to_compat_offset((_d_)->frame_list, \ >> - i, &frame, 1) ) \ >> + if ( frame != (_s_)->frame_list.p[i] ) \ >> + { \ >> + if ( VALID_M2P((_s_)->frame_list.p[i]) ) \ >> + (_s_)->status = GNTST_address_too_big; \ >> + else \ >> + frame |= 0x80000000U;\ > > Space before the \. (This is one reason why I hate this style. The > borderline illegibility makes it almost impossible to spot style problems.) There is a (imo severe) downsides to backslashes on the far right as well: It's easier to miss adding one on a newly added line, which may or may not result in a build failure. > With the adjustment from the previous patch, you'll need a break in here. Can do. Question then is whether to go further right here and adjust the loop header and the other setting of (_s_)->status at the same time. > But for !valid case, shouldn't we saturate to ~0u ? I recall from the > migration work that various kernels disagree on what constitutes an > invalid MFN. > > Then again, I can't see what legitimate case we'd have for a truncation > and an invalid M2P entry needing translating. I've dropped the use of VALID_M2P(). It's a bogus check anyway (I don't actually recall how I came to think of doing this sort of check), and there's indeed no reason to report back an (overflow) error in this way. Furthermore I've noticed that the updating of "frame" was actually dead code - the updated variable wasn't really used for anything; we would have left both ->status and the array slot untouched, misguiding the caller. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.