[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH] xen/vpci: Fix UB in mask_write



On Thu, Nov 07, 2024 at 10:25:02AM +0100, Jan Beulich wrote:
> On 06.11.2024 13:26, Mykyta Poturai wrote:
> > On 06.11.2024 10:07, Roger Pau Monné wrote:>
> >> Wait - how can msi->vectors ever be 0?  AFAICT there's no way in the
> >> MSI logic to configure 0 vectors, there will always be at least 1 vector
> >> enabled.
> >>
> >> Maybe what you want, if this fix is for compliance reasons, is an
> >> assert unreachable that msi->vectors > 0?
> > 
> > I did some investigation and figured out that the value of 0 is being
> > set by guest writing to msi_control_reg. As far as I understand, the
> > control_write() function only checks that vectors are not greater than
> > the maximum allowed value, but does not check for 0.
> 
> How that? How could it even check for 0, when 0 isn't possible? Quoting
> the code there:
> 
>     unsigned int vectors = min_t(uint8_t,
>                                  1u << MASK_EXTR(val, PCI_MSI_FLAGS_QSIZE),
>                                  pdev->msi_maxvec);
> 
> "val" in the guest written value. As that's used as a shift count, how
> could 0 result there? The only way I can see 0 ending up in vectors is
> when pdev->msi_maxvec was still zero. Yet that's then a bug in device
> initialization.

See followup emails, I've arrived at the same conclusion and Mykyta
confirmed it's msi_maxvec that's indeed 0.  Still waiting for them to
figure out why msi_maxvec is 0.

Thanks, Roger.



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.