From: Marek Marczykowski <marmarek@invisiblethingslab.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>,
Julien Grall <julien.grall@arm.com>,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH 1/5] xen/bitmap: fix bitmap_fill with zero-sized bitmap
Date: Tue, 7 May 2019 17:19:45 +0200 [thread overview]
Message-ID: <20190507151945.GZ1502@mail-itl> (raw)
In-Reply-To: <5CD13D6C020000780022C5CA@prv1-mh.provo.novell.com>
[-- Attachment #1.1: Type: text/plain, Size: 1318 bytes --]
On Tue, May 07, 2019 at 02:10:20AM -0600, Jan Beulich wrote:
> >>> On 06.05.19 at 16:50, <marmarek@invisiblethingslab.com> wrote:
> > Found while debugging framebuffer located above 4GB. In that case 32bit
> > variable for it overflows and framebuffer initialization zeroed
> > unrelated memory. Specifically, it hit mbi->mods_count, so later on
> > bitmap_fill(module_map, mbi->mods_count) in __start_xen() crashed.
>
> The origin of your problem being a truncation one, it seems pretty
> clear to me that if we want to be able to gracefully handle that,
> then we need to stop using plain int in all the involved functions.
> I'm curious though which bitmap_fill() it was that you saw misbehave:
> There's no such call at all in xen/drivers/video/, and I'm also having
> a hard time seeing how the address (rather than the size) of the
> frame buffer could be involved here.
Truncated framebuffer address (0x0) caused memset() in vesa_init() to
zero (among other things) mbi->mods_count. This triggered the crash as
described above.
Obviously, bitmap_fill() crash was just a fallout here, not the root
cause.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
[-- Attachment #2: Type: text/plain, Size: 157 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
WARNING: multiple messages have this Message-ID (diff)
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>,
Julien Grall <julien.grall@arm.com>,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [Xen-devel] [PATCH 1/5] xen/bitmap: fix bitmap_fill with zero-sized bitmap
Date: Tue, 7 May 2019 17:19:45 +0200 [thread overview]
Message-ID: <20190507151945.GZ1502@mail-itl> (raw)
Message-ID: <20190507151945.2VZuyGVwUhDqPYBr33vMmW7px_7zk5HWoMD2MT7paKo@z> (raw)
In-Reply-To: <5CD13D6C020000780022C5CA@prv1-mh.provo.novell.com>
[-- Attachment #1.1: Type: text/plain, Size: 1318 bytes --]
On Tue, May 07, 2019 at 02:10:20AM -0600, Jan Beulich wrote:
> >>> On 06.05.19 at 16:50, <marmarek@invisiblethingslab.com> wrote:
> > Found while debugging framebuffer located above 4GB. In that case 32bit
> > variable for it overflows and framebuffer initialization zeroed
> > unrelated memory. Specifically, it hit mbi->mods_count, so later on
> > bitmap_fill(module_map, mbi->mods_count) in __start_xen() crashed.
>
> The origin of your problem being a truncation one, it seems pretty
> clear to me that if we want to be able to gracefully handle that,
> then we need to stop using plain int in all the involved functions.
> I'm curious though which bitmap_fill() it was that you saw misbehave:
> There's no such call at all in xen/drivers/video/, and I'm also having
> a hard time seeing how the address (rather than the size) of the
> frame buffer could be involved here.
Truncated framebuffer address (0x0) caused memset() in vesa_init() to
zero (among other things) mbi->mods_count. This triggered the crash as
described above.
Obviously, bitmap_fill() crash was just a fallout here, not the root
cause.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
[-- Attachment #2: Type: text/plain, Size: 157 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2019-05-07 15:19 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-06 14:50 [PATCH 0/5] Fixes for large framebuffer, placed above 4GB Marek Marczykowski-Górecki
2019-05-06 14:50 ` [Xen-devel] " Marek Marczykowski-Górecki
2019-05-06 14:50 ` [PATCH 1/5] xen/bitmap: fix bitmap_fill with zero-sized bitmap Marek Marczykowski-Górecki
2019-05-06 14:50 ` [Xen-devel] " Marek Marczykowski-Górecki
2019-05-06 15:19 ` Andrew Cooper
2019-05-06 15:19 ` [Xen-devel] " Andrew Cooper
2019-05-07 8:10 ` Jan Beulich
2019-05-07 8:10 ` [Xen-devel] " Jan Beulich
2019-05-07 15:19 ` Marek Marczykowski [this message]
2019-05-07 15:19 ` Marek Marczykowski
2019-05-06 14:50 ` [PATCH 2/5] drivers/video: drop unused limits Marek Marczykowski-Górecki
2019-05-06 14:50 ` [Xen-devel] " Marek Marczykowski-Górecki
2019-05-06 15:19 ` Andrew Cooper
2019-05-06 15:19 ` [Xen-devel] " Andrew Cooper
2019-05-07 8:52 ` Jan Beulich
2019-05-07 8:52 ` [Xen-devel] " Jan Beulich
2019-05-06 14:50 ` [PATCH 3/5] drivers/video: Drop framebuffer size constraints Marek Marczykowski-Górecki
2019-05-06 14:50 ` [Xen-devel] " Marek Marczykowski-Górecki
2019-05-06 15:09 ` Olaf Hering
2019-05-06 15:09 ` [Xen-devel] " Olaf Hering
2019-05-06 15:33 ` Andrew Cooper
2019-05-06 15:33 ` [Xen-devel] " Andrew Cooper
2019-05-07 8:55 ` Jan Beulich
2019-05-07 8:55 ` [Xen-devel] " Jan Beulich
2019-05-06 14:50 ` [PATCH 4/5] xen: fix handling framebuffer located above 4GB Marek Marczykowski-Górecki
2019-05-06 14:50 ` [Xen-devel] " Marek Marczykowski-Górecki
2019-05-06 15:15 ` Juergen Gross
2019-05-06 15:15 ` [Xen-devel] " Juergen Gross
2019-05-06 15:32 ` Marek Marczykowski-Górecki
2019-05-06 15:32 ` [Xen-devel] " Marek Marczykowski-Górecki
2019-05-07 5:07 ` Juergen Gross
2019-05-07 5:07 ` [Xen-devel] " Juergen Gross
2019-05-07 9:10 ` Jan Beulich
2019-05-07 9:10 ` [Xen-devel] " Jan Beulich
2019-05-07 15:38 ` Marek Marczykowski
2019-05-07 15:38 ` [Xen-devel] " Marek Marczykowski
2019-05-07 16:12 ` Jan Beulich
2019-05-07 16:12 ` [Xen-devel] " Jan Beulich
2019-05-07 16:43 ` Marek Marczykowski
2019-05-07 16:43 ` [Xen-devel] " Marek Marczykowski
2019-05-08 9:54 ` Jan Beulich
2019-05-08 9:54 ` [Xen-devel] " Jan Beulich
2019-05-08 12:06 ` Marek Marczykowski
2019-05-08 12:06 ` [Xen-devel] " Marek Marczykowski
2019-05-08 12:45 ` Jan Beulich
2019-05-08 12:45 ` [Xen-devel] " Jan Beulich
2019-05-06 15:28 ` Andrew Cooper
2019-05-06 15:28 ` [Xen-devel] " Andrew Cooper
2019-05-07 9:07 ` Jan Beulich
2019-05-07 9:07 ` [Xen-devel] " Jan Beulich
2019-05-09 0:22 ` Marek Marczykowski
2019-05-09 0:22 ` [Xen-devel] " Marek Marczykowski
2019-05-09 8:59 ` Jan Beulich
2019-05-09 8:59 ` [Xen-devel] " Jan Beulich
2019-05-06 14:50 ` [PATCH 5/5] drivers/video: use vlfb_info consistently Marek Marczykowski-Górecki
2019-05-06 14:50 ` [Xen-devel] " Marek Marczykowski-Górecki
2019-05-06 15:33 ` Andrew Cooper
2019-05-06 15:33 ` [Xen-devel] " Andrew Cooper
2019-05-06 15:37 ` [PATCH 0/5] Fixes for large framebuffer, placed above 4GB Andrew Cooper
2019-05-06 15:37 ` [Xen-devel] " Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190507151945.GZ1502@mail-itl \
--to=marmarek@invisiblethingslab.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=julien.grall@arm.com \
--cc=konrad.wilk@oracle.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.