[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/4] dt-overlay: Fix NULL pointer dereference


  • To: Julien Grall <julien@xxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Michal Orzel <michal.orzel@xxxxxxx>
  • Date: Mon, 30 Sep 2024 16:04:45 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=xen.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1/Cihx+mOiWwNiDdPgqjRJfU+bp0JRfWWwnxfI/UAFM=; b=BX0FE2/rbZ45mV1gZG9txEgJ81Qi+ayyjUNNJyApm4/ANyp+AjnhWW3PEfo8TiaJ5HF3Kp+PCMun+oPY/03Ub+DJsbwnDKEXDHOtQ/O12scwYWXAg4VzqHLMhgGZfq3X38xpii4wwp6tn4Ua9KxrEhWGDYlY46cA9Zuw/8a/kD1Zr6boT0GxREWg/5unGnaq8F2SDr8bqVTV2T3apNigm2+VYp+8qN6+OxAD9cBK7n/7a0YiQlLYyskjA1SEmO8G4ON8iIyOLob673vy9Ev7s1HXhvDNuMxvTh5pi8kCXNeawazUqQh8/OSBpwSOdcLqegYQzVdzNrnYsnmC6U1meQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=nJJpUwQHocqocwaxPDuQWIrEqQJjTol5ZySjDvlIJEUokcQ+86ZuCZyPi20HQfv7NdQZ/skXZhS3BUcnN4Yh1chafayCIsGqdF9tjOlibSsqe/DP8v9Oi6E4hvbNZM7jpP9EcmyM8MdzAu5xvTY2ccvsVOdOOLomVpVpIQ1LUtqfrXvVXdcgvtI09M21EFfSXUfm6px+pTG37aYrmXhqsz693eE++10WlR212rFuTXFXqY3mQJWDio7jOrX52SBy3l3or1lSpJ1et1jg/5gyH0Y94ifzJQyZWkQr3j7x/rhnflJe+dUNRQAAUnHrEPaJ8hpH6hb2RbCdT+k9jjtuig==
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>
  • Delivery-date: Mon, 30 Sep 2024 14:05:42 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Julien,

On 30/09/2024 12:37, Julien Grall wrote:
> 
> 
> On 23/09/2024 12:05, Michal Orzel wrote:
>> Hi Julien,
> 
> Hi Michal,
> 
>> On 20/09/2024 10:29, Julien Grall wrote:
>>>
>>>
>>> Hi Michal,
>>>
>>> On 19/09/2024 12:42, Michal Orzel wrote:
>>>> Attempt to attach an overlay (xl dt-overlay attach) to a domain without
>>>> first adding this overlay to Xen (xl dt-overlay add) results in an
>>>> overlay track entry being NULL in handle_attach_overlay_nodes(). This
>>>> leads to NULL pointer dereference and the following data abort crash:
>>>>
>>>> (XEN) Cannot find any matching tracker with input dtbo. Operation is 
>>>> supported only for prior added dtbo.
>>>> (XEN) Data Abort Trap. Syndrome=0x5
>>>> (XEN) Walking Hypervisor VA 0x40 on CPU0 via TTBR 0x0000000046948000
>>>> (XEN) 0TH[0x000] = 0x46940f7f
>>>> (XEN) 1ST[0x000] = 0x0
>>>> (XEN) CPU0: Unexpected Trap: Data Abort
>>>> (XEN) ----[ Xen-4.20-unstable  arm64  debug=y  Not tainted ]----
>>>> ...
>>>> (XEN) Xen call trace:
>>>> (XEN)    [<00000a0000208b30>] dt_overlay_domctl+0x304/0x370 (PC)
>>>> (XEN)    [<00000a0000208b30>] dt_overlay_domctl+0x304/0x370 (LR)
>>>> (XEN)    [<00000a0000274b7c>] arch_do_domctl+0x48/0x328
>>>>
>>>> Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device 
>>>> attachment to domains")
>>>> Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
>>>> ---
>>>>    xen/common/dt-overlay.c | 7 +++++--
>>>>    1 file changed, 5 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/xen/common/dt-overlay.c b/xen/common/dt-overlay.c
>>>> index d53b4706cd2f..8606b14d1e8e 100644
>>>> --- a/xen/common/dt-overlay.c
>>>> +++ b/xen/common/dt-overlay.c
>>>> @@ -908,8 +908,11 @@ static long handle_attach_overlay_nodes(struct domain 
>>>> *d,
>>>>     out:
>>>>        spin_unlock(&overlay_lock);
>>>>
>>>> -    rangeset_destroy(entry->irq_ranges);
>>>> -    rangeset_destroy(entry->iomem_ranges);
>>>> +    if ( entry )
>>>> +    {
>>>> +        rangeset_destroy(entry->irq_ranges);
>>>> +        rangeset_destroy(entry->iomem_ranges);
>>>> +    }
>>>
>>> While looking at the error paths in handle_attach_overlay_nodes(), I
>>> noticed we don't revert any partial changes made by handle_device().
>>>
>>> In this case, I am wondering whether it is correct to destroy the
>>> rangeset. How would you be able to revert the changes?
>> I guess the same story applies as for the partial add/remove which was 
>> stated by Vikram
>> in the commit msg of 7e5c4a8b86f12942de0566b1d61f71d15774364b meaning 
>> partial success withe some
>> failures may lead to other failures and might need a system reboot. I did 
>> not carefully look into
>> this series, my plan was to fix the issues without changing the functional 
>> behavior.
> 
> Do you mean in this series or forever? If the former, would you be able
> to outline what you expect after the end of this series? What should
> work? What should not work?
The goal of this series is to fix the issues I encountered while doing some 
other DT overlay work
as stated in the patch 0. The goal of each patch is clearly outlined in the 
commit message
by stating what is being fixed and why. The first 3 patches contain "Fixes" 
tag, therefore there
is no functional behavior change - only fixing what should have been fixed by 
the original series.
Patch 4 does not have "Fixes" tag although in theory it could. There is no doc 
mentioning that adding
nodes right into "/" is forbidden. Linux supports it so I added support for Xen 
as well.

After end of *this* series I expect the issues mentioned in each patch to be 
fixed + the ability to add
nodes directly under root node.

It's definitely not the end of fixes for this series. I have already written at 
least 1 more fix that allows
to have other nodes in the overlay tree that should be ignored (at the moment 
the code assumes that each node
one level below root, needs to specify target-path. This is wrong as we can 
have __fixups__, __symbols__, and other
nodes that we should simply ignore according to docs.

> 
>> FWICS, we do not
>> yet support detachment (only add/remove and attach) and removal of nodes and 
>> ranges is only
>> possible if the nodes are assigned to hwdom.
> 
> I need some clarifications. By "we do not yet support detachment", do
> you mean while a guest is running or do you also include a domain
> shutting down?In order to reason about detachment we need to go back to see 
> what is supported in terms of attachment.
At the moment, we can only attach dtbo to 1:1 domUs, therefore we can stop 
talking about libxl domUs for now.
For dom0less domUs, we also cannot really shut down them. So it leaves us with 
dom0 whose reboot implies system
reboot. At the moment there is no code that would release IRQs and unmap MMIOs.

~Michal



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.