From: David Gibson <david@gibson.dropbear.id.au>
To: Greg Kurz <groug@kaod.org>
Cc: mst@redhat.com, qemu-devel@nongnu.org,
	David Hildenbrand <david@redhat.com>,
	qemu-ppc@nongnu.org
Subject: Re: [Qemu-devel] [Qemu-ppc] [PATCH 2/5] virtio-balloon: Corrections to address verification
Date: Wed, 27 Feb 2019 10:20:12 +1100	[thread overview]
Message-ID: <20190226232012.GT6872@umbus.fritz.box> (raw)
In-Reply-To: <20190225102651.762e2520@bahia.lan>


On Mon, Feb 25, 2019 at 10:26:51AM +0100, Greg Kurz wrote:
> On Mon, 25 Feb 2019 10:37:11 +1100
> David Gibson <david@gibson.dropbear.id.au> wrote:
> 
> > On Fri, Feb 22, 2019 at 10:08:22AM +0100, Greg Kurz wrote:
> > > On Thu, 14 Feb 2019 15:39:13 +1100
> > > David Gibson <david@gibson.dropbear.id.au> wrote:
> > >   
> > > > The virtio-balloon device's verification of the address given to it by the
> > > > guest has a number of faults:
> > > >     * The addresses here are guest physical addresses, which should be
> > > >       'hwaddr' rather than 'ram_addr_t' (the distinction is admittedly
> > > >       pretty subtle and confusing)
> > > >     * We don't check for section.mr being NULL, which is the main way that
> > > >       memory_region_find() reports basic failures.  We really need to check
> > > >       that before looking at any other section fields, because
> > > >       memory_region_find() doesn't initialize them on the failure path
> > > >     * We're passing a length of '1' to memory_region_find(), but really the
> > > >       guest is requesting that we put the entire page into the balloon,
> > > >       so it makes more sense to call it with BALLOON_PAGE_SIZE
> > > > 
> > > > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > > > Reviewed-by: David Hildenbrand <david@redhat.com>
> > > > Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> > > > ---
> > > >  hw/virtio/virtio-balloon.c | 17 ++++++++++-------
> > > >  1 file changed, 10 insertions(+), 7 deletions(-)
> > > > 
> > > > diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
> > > > index 43af521884..eb357824d8 100644
> > > > --- a/hw/virtio/virtio-balloon.c
> > > > +++ b/hw/virtio/virtio-balloon.c
> > > > @@ -221,17 +221,20 @@ static void virtio_balloon_handle_output(VirtIODevice *vdev, VirtQueue *vq)
> > > >          }
> > > >  
> > > >          while (iov_to_buf(elem->out_sg, elem->out_num, offset, &pfn, 4) == 4) {
> > > > -            ram_addr_t pa;
> > > > -            ram_addr_t addr;
> > > > +            hwaddr pa;
> > > > +            hwaddr addr;
> > > >              int p = virtio_ldl_p(vdev, &pfn);
> > > >  
> > > > -            pa = (ram_addr_t) p << VIRTIO_BALLOON_PFN_SHIFT;
> > > > +            pa = (hwaddr) p << VIRTIO_BALLOON_PFN_SHIFT;
> > > >              offset += 4;
> > > >  
> > > > -            /* FIXME: remove get_system_memory(), but how? */
> > > > -            section = memory_region_find(get_system_memory(), pa, 1);
> > > > -            if (!int128_nz(section.size) ||
> > > > -                !memory_region_is_ram(section.mr) ||
> > > > +            section = memory_region_find(get_system_memory(), pa,
> > > > +                                         BALLOON_PAGE_SIZE);
> > > > +            if (!section.mr) {
> > > > +                trace_virtio_balloon_bad_addr(pa);
> > > > +                continue;
> > > > +            }  
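Review bot: the new `if (!section.mr)` test replaces the old `!int128_nz(section.size)` test but does not replace it with a size check: the hunk as shown never verifies that the section returned for a `BALLOON_PAGE_SIZE` lookup actually spans the whole page, so a page that starts inside a RAM region but runs past its end would still be accepted; consider also rejecting the address when `section.size` is less than `BALLOON_PAGE_SIZE` (e.g. `int128_lt(section.size, int128_make64(BALLOON_PAGE_SIZE))`) next to the RAM/ROM tests. A smaller point at `int p = virtio_ldl_p(vdev, &pfn);`: `p` is signed, so `(hwaddr) p << VIRTIO_BALLOON_PFN_SHIFT` sign-extends a PFN with bit 31 set into a high address; the lookup then fails and the address is traced as bad, but declaring `p` as `uint32_t` would make the intended conversion explicit.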
> > > 
> > > memory_region_unref(section.mr) with section.mr == NULL is safe and
> > > resolves to a nop. Not sure you need a separate if to handle this
> > > case.  
> > 
> > memory_region_is_ram() and friends are not, however - they will
> > dereference their argument unconditionally.
> > 
> 
> Indeed but the two ifs can be merged anyway:
> 
>             if (!section.mr ||
>                 !memory_region_is_ram(section.mr) ||
>                 memory_region_is_rom(section.mr) ||
>                 memory_region_is_romd(section.mr)) {
>                 trace_virtio_balloon_bad_addr(pa);
>                 memory_region_unref(section.mr);
>                 continue;
>             }

Oh, I see what you mean.  Hrm, I still kind of prefer visually
separating the validity check from tests which depend on that validity.

> 
> > > 
> > > Apart from that,
> > > 
> > > Reviewed-by: Greg Kurz <groug@kaod.org>
> > >   
> > > > +            if (!memory_region_is_ram(section.mr) ||
> > > >                  memory_region_is_rom(section.mr) ||
> > > >                  memory_region_is_romd(section.mr)) {
> > > >                  trace_virtio_balloon_bad_addr(pa);  
> > >   
> > 
> 



-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
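A constructed C model of the validation order this thread settles on (test the lookup result before any of its fields, then RAM-only, then the full balloon page), added here and not QEMU's code: `struct region`, `g_map` and `find_region` are stand-ins for `MemoryRegion`, the guest memory map and `memory_region_find()`, and the final check goes one step beyond the quoted patch by also requiring that the whole `BALLOON_PAGE_SIZE` page lies inside one region.

```c
/* Constructed model (not QEMU code) of the virtio-balloon address check: a
 * guest-supplied 32-bit PFN becomes a guest-physical address, which is accepted
 * only if its lookup hits, the region is RAM and the whole page lies inside it. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#define BALLOON_PAGE_SIZE 4096u
#define PFN_SHIFT         12
enum region_kind { REGION_RAM, REGION_ROM };
struct region {                 /* stand-in for QEMU's MemoryRegion */
    uint64_t base, size;
    enum region_kind kind;
};

/* Constructed guest map: RAM that ends 2 KiB into a page, then a ROM at 2 MiB. */
static const struct region g_map[] = {
    { 0x00000000, 0x100800, REGION_RAM },
    { 0x00200000, 0x010000, REGION_ROM },
};

/* Stand-in for memory_region_find(): the region containing addr, or NULL;
 * *covered receives how many of the len bytes from addr lie inside it. */
static const struct region *find_region(uint64_t addr, uint64_t len,
                                        uint64_t *covered)
{
    for (size_t i = 0; i < sizeof g_map / sizeof g_map[0]; i++) {
        const struct region *r = &g_map[i];
        if (addr >= r->base && addr - r->base < r->size) {
            uint64_t avail = r->base + r->size - addr;
            *covered = avail < len ? avail : len;
            return r;
        }
    }
    *covered = 0;
    return NULL;
}

/* True if the PFN names a full page of RAM the host may act on. The PFN is
 * uint32_t so the widening cast cannot sign-extend a value with bit 31 set. */
bool balloon_addr_ok(uint32_t pfn)
{
    uint64_t pa = (uint64_t)pfn << PFN_SHIFT;   /* hwaddr, not ram_addr_t */
    uint64_t covered;
    const struct region *r = find_region(pa, BALLOON_PAGE_SIZE, &covered);
    if (!r) return false;      /* check the lookup before touching its fields */
    /* Looking up 1 byte would accept a page that starts in RAM but runs past
     * its end; requiring the full page keeps every byte inside the region. */
    return r->kind == REGION_RAM && covered == BALLOON_PAGE_SIZE;
}
```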

