From: Marek Marczykowski
Subject: Re: [PATCH 1/5] xen/bitmap: fix bitmap_fill with zero-sized bitmap
Date: Tue, 7 May 2019 17:19:45 +0200
Message-ID: <20190507151945.GZ1502@mail-itl>
In-Reply-To: <5CD13D6C020000780022C5CA@prv1-mh.provo.novell.com>
To: Jan Beulich
Cc: Stefano Stabellini, Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ian Jackson, Tim Deegan, Julien Grall, xen-devel
List-Id: xen-devel@lists.xenproject.org

On Tue, May 07, 2019 at 02:10:20AM -0600, Jan Beulich wrote:
> >>> On 06.05.19 at 16:50, wrote:
> > Found while debugging framebuffer located above 4GB. In that case 32bit
> > variable for it overflows and framebuffer initialization zeroed
> > unrelated memory. Specifically, it hit mbi->mods_count, so later on
> > bitmap_fill(module_map, mbi->mods_count) in __start_xen() crashed.
>
> The origin of your problem being a truncation one, it seems pretty
> clear to me that if we want to be able to gracefully handle that,
> then we need to stop using plain int in all the involved functions.
> I'm curious though which bitmap_fill() it was that you saw misbehave:
> There's no such call at all in xen/drivers/video/, and I'm also having
> a hard time seeing how the address (rather than the size) of the
> frame buffer could be involved here.

Truncated framebuffer address (0x0) caused memset() in vesa_init() to
zero (among other things) mbi->mods_count. This triggered the crash as
described above. Obviously, bitmap_fill() crash was just a fallout here,
not the root cause.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
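Added example, not Xen's code and not the patch under discussion: a constructed C model of the two defects the thread describes, the 32-bit truncation of a frame buffer address located at or above 4GB and a bitmap_fill() whose "nlongs - 1" wraps around when the requested size is zero, next to the checks that avoid them. The names truncate_to_u32(), fb_addr_fits32(), safe_bitmap_fill() and fill_and_count() are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BITS_PER_LONG     (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n)  (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define LAST_WORD_MASK(n) (~0UL >> (-(n) & (BITS_PER_LONG - 1)))

/* Truncation as in the report: a frame buffer at 4GB (0x100000000) kept in a
 * 32-bit variable becomes 0x0, so a later memset() lands on the wrong memory. */
uint32_t truncate_to_u32(uint64_t phys) { return (uint32_t)phys; }

/* Hypothetical check: only accept an address that survives the narrowing,
 * instead of silently operating on the truncated value. */
bool fb_addr_fits32(uint64_t phys) { return (uint64_t)(uint32_t)phys == phys; }

/* bitmap_fill() shape with the zero-size case handled. For nbits == 0 the
 * usual "nlongs - 1" wraps, the memset() length becomes huge and
 * dst[nlongs - 1] writes before the buffer. Refusing the zero-sized fill keeps
 * a corrupted mods_count (as in the thread) from becoming an out-of-bounds
 * write. Modelled on the bug described, not copied from Xen. */
bool safe_bitmap_fill(unsigned long *dst, unsigned int nbits)
{
    size_t nlongs = BITS_TO_LONGS(nbits);
    if (nlongs == 0)
        return false;               /* zero-sized bitmap: nothing to fill */
    memset(dst, 0xff, (nlongs - 1) * sizeof(unsigned long));
    dst[nlongs - 1] = LAST_WORD_MASK(nbits);
    return true;
}

/* Fill a zeroed 4-long buffer and count every set bit in the whole buffer
 * (not just the first nbits), so a stray write past nbits would show up.
 * Returns -1 when the fill was refused. nbits must fit in 4 longs. */
int fill_and_count(unsigned int nbits)
{
    unsigned long map[4] = { 0 };
    int set = 0;
    if (!safe_bitmap_fill(map, nbits))
        return -1;
    for (size_t i = 0; i < 4 * BITS_PER_LONG; i++)
        if (map[i / BITS_PER_LONG] & (1UL << (i % BITS_PER_LONG)))
            set++;
    return set;
}
```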