From: Stefano Stabellini <stefano.stabellini@eu.citrix.com> To: peter.maydell@linaro.org Cc: qemu-stable@nongnu.org, xen-devel@lists.xensource.com, qemu-devel@nongnu.org, stefano.stabellini@eu.citrix.com Subject: [Qemu-devel] [PULL 1/2] xen/blkif: Avoid double access to src->nr_segments Date: Fri, 18 Dec 2015 15:17:56 +0000 [thread overview] Message-ID: <1450451877-25157-1-git-send-email-stefano.stabellini@eu.citrix.com> (raw) In-Reply-To: <alpine.DEB.2.02.1512181513460.17516@kaball.uk.xensource.com> src is stored in shared memory and src->nr_segments is dereferenced twice at the end of the function. If a compiler decides to compile this into two separate memory accesses then the size limitation could be bypassed. Fix it by removing the double access to src->nr_segments. This is part of XSA-155. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> --- hw/block/xen_blkif.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h index 711b692..c68487cb 100644 --- a/hw/block/xen_blkif.h +++ b/hw/block/xen_blkif.h @@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque d->nr_sectors = s->nr_sectors; return; } - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + barrier(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } @@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque d->nr_sectors = s->nr_sectors; return; } - if (n > src->nr_segments) - n = src->nr_segments; + /* prevent the compiler from optimizing the code and using src->nr_segments instead */ + barrier(); + if (n > dst->nr_segments) + n = dst->nr_segments; for (i = 0; i < n; i++) dst->seg[i] = src->seg[i]; } -- 1.7.10.4
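Review bot: In the blkif_get_x86_32_req hunk, the new clamp `if (n > dst->nr_segments)` is only sound if dst->nr_segments was stored from src->nr_segments before the barrier(), and that store is not in the visible context. Consider reading src->nr_segments once into a local ahead of the barrier() and using that local for both the store to dst and the clamp, so the single fetch from shared memory is explicit in the code instead of implied by where barrier() sits. The comment would also be clearer if it named the actual hazard: a second load of nr_segments from shared memory after the value has been used to bound n.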
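Review bot: In the blkif_get_x86_64_req hunk, the added comment line `/* prevent the compiler from optimizing the code and using src->nr_segments instead */` runs past 80 columns once indented; wrap it as a multi-line comment. The comment, barrier() and clamp are repeated verbatim from the 32-bit function, so a small shared helper for the clamp would keep the two copies from drifting apart.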