[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] gnttab: avoid triggering assertion in radix_tree_ulong_to_ptr()

  • To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Fri, 27 Aug 2021 09:45:32 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3zszDnhp2mtb+TX6xKAVeTyCFLf/tdg0sNoESyqAx2U=; b=QhpA79t6C1uxToof4BNHW32zu0QXyo7jYIdRgrG/WgIg2wP0uMNrf+MEXP/Rii+/43BpIjCeIRgHjhB1ZgQc4Hax1j07ZONPj21E6O23pj9YrzpgLPlgKuJBbFsqFOBPKs5HGMzro6jRqA2owWYmaW/3DwI4tjF6gx4nj8y6DhDc2vGQ17uE8NiciOPisd6paZF2ToCXRMa8NPGDGfv9c43mxo0+cBkeEBf6cRtH/mmnzmnel58sS0iNFo2Bgz15IEhFz63kVf1HpgDwRd17RfpPpPoGk0bCbtxmMsykpQWrGi3CE0PHBLITfygjj3AIYSzYaZPhHJztYwOsn1AUOA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=W6dQGfZitZhjRnGQ8UN6uvCV76GXYHP8d99wBoliQsCF/XGJ3cwl7aBT1+c8+IyV2qP/B+TxKhCr+0K9FM0gEhwfgkQsgRZqzvOUTYR4nKM/WoSTntEnvsR4cYHBn5cC3Exx4RvI1zDLWfzN4nu0A+H5wwTep0Pi38sWSjdb1UDz8e1h7TAKUB8O3jsDz6jHRmIc2wIei1lXmPequ87BPSH7XMUZKH9Rgl+3pSIAEWt3qHbvuSLA8j1zQzkF//1mAxo05nuhBOYwoSigneds8648mIrYih2quqBwCc0BXoH5asVFzw4A+WZF7egbXjvSxdV1h1PZoOPkCSxxncwErQ==
  • Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Fri, 27 Aug 2021 08:46:12 +0000
  • Ironport-hdrordr: A9a23:2c2OWaD15m4VyPflHegpsceALOsnbusQ8zAXPh9KJCC9I/bzqy nxpp8mPEfP+U4ssQIb6Ku90ci7MDnhHPtOjbX5Uo3SODUO1FHIEGgm1/qa/9SCIVyyygc+79 YGT0EWMrSZYjZHZITBkW+F+r0bsbq6GdWT9ILjJgBWPGNXgs9bjztRO0K+KAlbVQNGDZ02GN 63/cxcvQetfnwRc4CSGmQFd/KrnayFqLvWJTo9QzI34giHij2lrJTgFQKD4xsYWzRThZ8/7G n+lRDj7KnLiYD09vac7R6T031loqqj9jJxPr3PtiHTEESotu+cXvUgZ1RFhkFwnAjg0idsrD CGmWZbAy060QKtQojym2qg5+Co6kdT11byjVCfmnftusr/WXYzDNdAn5tQdl/D51Mnp8wU6t M844u1jesiMfr7plWL2zEIbWAbqmOk5X451eIDhX1WVoUTLLdXsIwE5UtQVJMNBjjz5owrGP RnSJi03ocfTXqKK3TC+mV/yt2lWXo+Wh+AX0gZo8SQlzxbhmpwwUcUzNEW2n0A6JU+QZ9Z4P msCNUgqJheCssNKa5tDuYIRsW6TmTLXBLXKWqXZU/qEakWUki93qIfII9Flt1CXaZ4h6fatK 6xLm+whFRCCH4GU/f+o6Gj2iq9MVmAYQ==
  • Ironport-sdr: 0G8RABUrA6Sg0qJVOh7KnYGXGu2eQoARN6sVp1NFwSop/GwB+82Co9uAKg9muANKXQoVVnV0uR qjOiR4Zs2DpDw+23jrLx74/Gip/ekZ6a+vYUoudoC+16XbQz3cSUSiAZaEioI8s2nEzRUwAlAc nQQLMqMc1jnO+R2h/XhZqonaK8xzC4ZL0q9vDyStg6EQvqt7zcjto3zrv/qqr6um+YelZUh1pN 3DrzesaHOBkT2afP9a1uQXLQEKRYFvgFQqeWi3UDJKrbbqLI8sRNtnnezjT1937kiHsZwi3Gro U+h9SDXuOw/F8+IZzxyiADjT
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 27/08/2021 09:21, Jan Beulich wrote:
> Relevant quotes from the C11 standard:
>
> "Except where explicitly stated otherwise, for the purposes of this
>  subclause unnamed members of objects of structure and union type do not
>  participate in initialization. Unnamed members of structure objects
>  have indeterminate value even after initialization."
>
> "If there are fewer initializers in a brace-enclosed list than there are
>  elements or members of an aggregate, [...], the remainder of the
>  aggregate shall be initialized implicitly the same as objects that have
>  static storage duration."
>
> "If an object that has static or thread storage duration is not
>  initialized explicitly, then:
>  [...]
>  — if it is an aggregate, every member is initialized (recursively)
>    according to these rules, and any padding is initialized to zero
>    bits;
>  [...]"
>
> "A bit-field declaration with no declarator, but only a colon and a
>  width, indicates an unnamed bit-field." Footnote: "An unnamed bit-field
>  structure member is useful for padding to conform to externally imposed
>  layouts."
>
> "There may be unnamed padding within a structure object, but not at its
>  beginning."
>
> Which makes me conclude:
> - Whether an unnamed bit-field member is an unnamed member or padding is
>   unclear, and hence also whether the last quote above would render the
>   big endian case of the structure declaration invalid.
> - Whether the number of members of an aggregate includes unnamed ones is
>   also not really clear.
> - The initializer in map_grant_ref() initializes all fields of the "cnt"
>   sub-structure of the union, so assuming the second quote above applies
>   here (indirectly), the compiler isn't required to implicitly
>   initialize the rest (i.e. in particular any padding) like would happen
>   for static storage duration objects.
>
> Gcc 7.4.1 can be observed (apparently in debug builds only) to translate
> aforementioned initializer to a read-modify-write operation of a stack
> variable, leaving unchanged the top two bits of whatever was previously
> in that stack slot. Clearly if either of the two bits were set,
> radix_tree_ulong_to_ptr()'s assertion would trigger.
>
> Therefore, to be on the safe side, add an explicit padding field for the
> non-big-endian-bitfields case and give a dummy name to both padding
> fields.
>
> Fixes: 9781b51efde2 ("gnttab: replace mapkind()")
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.