[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN v2] Xen: Ensure "xenheap_bits - PAGE_SHIFT" can be used to shift "unsigned long"

  • To: Ayan Kumar Halder <ayankuma@xxxxxxx>, Ayan Kumar Halder <ayan.kumar.halder@xxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 2 Dec 2022 10:51:20 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EnrYcpoi+EIwmNJI8pIVh+mWFl/EPyQUHosVtgDwBsA=; b=c6DpXJPPBD+DDmDOMrW1Qj86ZfrXY1ES3TIEAwbP3yWkP38ij3AFpIreRSI4J+W2tlF/oy47ixYIq1eFzk5fut2HqPzJOFPpehU6Mjf9SqF96p+C5XdzvCSTmY6u+LdlahcHCR749D8Yl/b7kG/ZYBGvAerpJd4kOfkMppBMBXC4MgGNS3qcJ2CCPqFrWcS3TAbyIPl+PSXumMbRmdYF5Vr1BJYTJRpKbCeTGCz5KH2pNFtMeS6guX1P3fuLZRA2LPbM18ZPyS5OepsVlThoiD0saSBCN/UaAW6qd23RB+tY4O42YzWldf2UN9YnDd2B+my5ytC3oWR1MBzf67lgUw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=j5qRQNYbjzF/xRNNVgGQhD4g1RkO+7nbGpU8QgdqirTMDFIbwnRaxyaNDMYZGZdWdwla38WrfNpDIMb6QJl/hLQb9th3sDXFifU8Bk36sBIVjYGWg39LzgdHALuOduxEJFT882cBMr/IwDyJ8Ku1PFxEY1RMejla4Cv7c509kOPgN21ZXjvibE2x4IoOSXyIoO/MTANLryBhkXTD5ckgNSPj+hi+2pytDiO4VBS9ijS1ZKWoWGsfFIl8S4wDfLN7PcF/e6pZF8dxnVTL/kIBGMweZw1jpIv9Ga4iSu1aRiwpFz48klyAFzPEVGHUahTqwa/Dt3vzf/f/w7JtjL3IIQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: sstabellini@xxxxxxxxxx, stefanos@xxxxxxxxxx, julien@xxxxxxx, andrew.cooper3@xxxxxxxxxx, george.dunlap@xxxxxxxxxx, wl@xxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 02 Dec 2022 09:51:28 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 02.12.2022 10:30, Ayan Kumar Halder wrote:
> Hi Jan,
> 
> On 02/12/2022 08:31, Jan Beulich wrote:
>> On 01.12.2022 19:11, Ayan Kumar Halder wrote:
>>> Machine frame number (mfn) is used to represent the hardware page address.
>>> This is an unsigned long variable. We need to check if it can hold the 
>>> complete
>>> range of hardware page addresses. To ensure this we check that the count of 
>>> bits
>>> represented by 'unsigned long' added to the bit index of page size, should 
>>> be
>>> less than the count of bits required to represent the maximum physical 
>>> address.
>> I'm afraid I can't connect the description with ...
>>
>>> --- a/xen/common/page_alloc.c
>>> +++ b/xen/common/page_alloc.c
>>> @@ -2245,7 +2245,7 @@ void __init xenheap_max_mfn(unsigned long mfn)
>>>   {
>>>       ASSERT(!first_node_initialised);
>>>       ASSERT(!xenheap_bits);
>>> -    BUILD_BUG_ON(PADDR_BITS >= BITS_PER_LONG);
>>> +    BUILD_BUG_ON((PADDR_BITS - PAGE_SHIFT) >= BITS_PER_LONG);
>> ... the actual change made. Julien, when replying to v1, already gave
>> a clear hint what is relevant: The use of (xenheap_bits - PAGE_SHIFT)
>> in right hand operands of shift operators. As relevant is of course
>> the absence of uses directly as shift counts, which otherwise could
>> still be UB (and which iirc is why the adjustment by PAGE_SHIFT was
>> left out in the original check).
> 
> I could see the following uses of xenheap_bits in page_alloc.c
> 
> 1. init_node_heap()
> 
>                (!xenheap_bits ||
>                 !((mfn + nr - 1) >> (xenheap_bits - PAGE_SHIFT))) )
> 
>                 (!xenheap_bits ||
>                 !((mfn + needed - 1) >> (xenheap_bits - PAGE_SHIFT))) )
> 
> 2. In alloc_xenheap_pages()
> 
>      if ( xenheap_bits && (memflags >> _MEMF_bits) > xenheap_bits )
>          memflags &= ~MEMF_bits(~0U);
>      if ( !(memflags >> _MEMF_bits) )
>          memflags |= MEMF_bits(xenheap_bits);
> 
>  From what I see, whenever "xenheap_bits" is used as a right hand 
> operand of shift operator, it is always used as "(xenheap_bits - 
> PAGE_SHIFT)".
> 
> So, is it correct to say this :-
> 
> Ensure (xenheap_bits - PAGE_SHIFT) can be used as a rhs operand of a 
> shift operator
> 
> We want to ensure that "xenheap_bits - PAGE_SHIFT" is strictly less than 
> the number of bits to represent unsigned long as it is used a rhs 
> operand to shift mfn.

Yes. Plus, as said, it is also important to note that the value is never
used to shift an address (rather than a frame number), and going forward
then also shouldn't be (perhaps unless further precautions are taken).

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.