* [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
@ 2019-01-04 17:17 Andrew Cooper
2019-01-07 8:59 ` Jan Beulich
2019-01-14 15:17 ` PING ARM " Andrew Cooper
0 siblings, 2 replies; 14+ messages in thread
From: Andrew Cooper @ 2019-01-04 17:17 UTC (permalink / raw)
To: Xen-devel
Cc: Stefano Stabellini, Wei Liu, Andrew Cooper, Julien Grall,
Jan Beulich, Roger Pau Monné
When the command line parsing was updated to use const strings and no longer
tokenise with NUL characters, string matches could no longer be made with
strcmp().
Unfortunately, the replacement was buggy. strncmp(s, "opt", ss - s) matches
"o", "op" and "opt" on the command line, as ss - s may be shorter than the
passed literal. Furthermore, parse_bool() is affected by this, so substrings
such as "d", "e" and "o" are considered valid, with the latter being ambiguous
between "on" and "off".
Introduce a new strcmp-like function for the task, which looks for exact
string matches, but declares success when the NUL of the literal matches a
comma, colon or semicolon in the command line fragment.
No change to the intended parsing functionality, but fixes cases where a
partial string on the command line will inadvertently trigger options.
A few areas were more than just a trivial change:
* fdt_add_uefi_nodes(), while not command line parsing, had the same broken
strncmp() pattern. As a fix, perform an explicit length check first.
* parse_irq_vector_map_param() gained some style corrections.
* parse_vpmu_params() was rewritten to use the normal list-of-options form,
rather than just fixing up parse_vpmu_param() and leaving the parsing being
hard to follow.
* Instead of making the trivial fix of adding an explicit length check in
parse_bool(), use the length to select which token to we search for, which
is more efficient than the previous linear search over all possible tokens.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien.grall@arm.com>
v2:
* Fix inverted check in parse_bool() for "no". Drop extranious else's.
* Fix cmdline_strcmp() to not have implementation defined results.
---
xen/arch/arm/cpuerrata.c | 6 +--
xen/arch/arm/efi/efi-boot.h | 2 +-
xen/arch/x86/cpu/vpmu.c | 49 ++++++++--------------
xen/arch/x86/irq.c | 12 +++---
xen/arch/x86/psr.c | 4 +-
xen/arch/x86/spec_ctrl.c | 6 +--
xen/arch/x86/x86_64/mmconfig-shared.c | 4 +-
xen/common/efi/boot.c | 4 +-
xen/common/kernel.c | 79 ++++++++++++++++++++++++++++-------
xen/drivers/cpufreq/cpufreq.c | 6 +--
xen/drivers/passthrough/iommu.c | 28 ++++++-------
xen/drivers/passthrough/pci.c | 4 +-
xen/include/xen/lib.h | 7 ++++
13 files changed, 125 insertions(+), 86 deletions(-)
diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
index adf88e7..f4815ca 100644
--- a/xen/arch/arm/cpuerrata.c
+++ b/xen/arch/arm/cpuerrata.c
@@ -257,11 +257,11 @@ static int __init parse_spec_ctrl(const char *s)
{
s += 5;
- if ( !strncmp(s, "force-disable", ss - s) )
+ if ( !cmdline_strcmp(s, "force-disable") )
ssbd_state = ARM_SSBD_FORCE_DISABLE;
- else if ( !strncmp(s, "runtime", ss - s) )
+ else if ( !cmdline_strcmp(s, "runtime") )
ssbd_state = ARM_SSBD_RUNTIME;
- else if ( !strncmp(s, "force-enable", ss - s) )
+ else if ( !cmdline_strcmp(s, "force-enable") )
ssbd_state = ARM_SSBD_FORCE_ENABLE;
else
rc = -EINVAL;
diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
index ca655ff..22a86ec 100644
--- a/xen/arch/arm/efi/efi-boot.h
+++ b/xen/arch/arm/efi/efi-boot.h
@@ -212,7 +212,7 @@ EFI_STATUS __init fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
break;
type = fdt_getprop(fdt, node, "device_type", &len);
- if ( type && strncmp(type, "memory", len) == 0 )
+ if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
{
fdt_del_node(fdt, node);
continue;
diff --git a/xen/arch/x86/cpu/vpmu.c b/xen/arch/x86/cpu/vpmu.c
index 8a4f753..13da7d0 100644
--- a/xen/arch/x86/cpu/vpmu.c
+++ b/xen/arch/x86/cpu/vpmu.c
@@ -61,42 +61,31 @@ static unsigned vpmu_count;
static DEFINE_PER_CPU(struct vcpu *, last_vcpu);
-static int parse_vpmu_param(const char *s, unsigned int len)
-{
- if ( !*s || !len )
- return 0;
- if ( !strncmp(s, "bts", len) )
- vpmu_features |= XENPMU_FEATURE_INTEL_BTS;
- else if ( !strncmp(s, "ipc", len) )
- vpmu_features |= XENPMU_FEATURE_IPC_ONLY;
- else if ( !strncmp(s, "arch", len) )
- vpmu_features |= XENPMU_FEATURE_ARCH_ONLY;
- else
- return 1;
- return 0;
-}
-
static int __init parse_vpmu_params(const char *s)
{
- const char *sep, *p = s;
+ const char *ss;
switch ( parse_bool(s, NULL) )
{
case 0:
break;
default:
- for ( ; ; )
- {
- sep = strchr(p, ',');
- if ( sep == NULL )
- sep = strchr(p, 0);
- if ( parse_vpmu_param(p, sep - p) )
- goto error;
- if ( !*sep )
- /* reached end of flags */
- break;
- p = sep + 1;
- }
+ do {
+ ss = strchr(s, ',');
+ if ( !ss )
+ ss = strchr(s, '\0');
+
+ if ( !cmdline_strcmp(s, "bts") )
+ vpmu_features |= XENPMU_FEATURE_INTEL_BTS;
+ else if ( !cmdline_strcmp(s, "ipc") )
+ vpmu_features |= XENPMU_FEATURE_IPC_ONLY;
+ else if ( !cmdline_strcmp(s, "arch") )
+ vpmu_features |= XENPMU_FEATURE_ARCH_ONLY;
+ else
+ return -EINVAL;
+
+ s = ss + 1;
+ } while ( *ss );
/* fall through */
case 1:
/* Default VPMU mode */
@@ -105,10 +94,6 @@ static int __init parse_vpmu_params(const char *s)
break;
}
return 0;
-
- error:
- printk("VPMU: unknown flags: %s - vpmu disabled!\n", s);
- return -EINVAL;
}
void vpmu_lvtpc_update(uint32_t val)
diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
index 8b44d6c..23b4f42 100644
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -70,12 +70,12 @@ static int __init parse_irq_vector_map_param(const char *s)
if ( !ss )
ss = strchr(s, '\0');
- if ( !strncmp(s, "none", ss - s))
- opt_irq_vector_map=OPT_IRQ_VECTOR_MAP_NONE;
- else if ( !strncmp(s, "global", ss - s))
- opt_irq_vector_map=OPT_IRQ_VECTOR_MAP_GLOBAL;
- else if ( !strncmp(s, "per-device", ss - s))
- opt_irq_vector_map=OPT_IRQ_VECTOR_MAP_PERDEV;
+ if ( !cmdline_strcmp(s, "none") )
+ opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_NONE;
+ else if ( !cmdline_strcmp(s, "global") )
+ opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_GLOBAL;
+ else if ( !cmdline_strcmp(s, "per-device") )
+ opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_PERDEV;
else
rc = -EINVAL;
diff --git a/xen/arch/x86/psr.c b/xen/arch/x86/psr.c
index 0ba8ef8..5866a26 100644
--- a/xen/arch/x86/psr.c
+++ b/xen/arch/x86/psr.c
@@ -591,13 +591,13 @@ static int __init parse_psr_param(const char *s)
if ( val_delim > ss )
val_delim = ss;
- if ( *val_delim && !strncmp(s, "rmid_max", val_delim - s) )
+ if ( *val_delim && !cmdline_strcmp(s, "rmid_max") )
{
opt_rmid_max = simple_strtoul(val_delim + 1, &q, 0);
if ( *q && *q != ',' )
rc = -EINVAL;
}
- else if ( *val_delim && !strncmp(s, "cos_max", val_delim - s) )
+ else if ( *val_delim && !cmdline_strcmp(s, "cos_max") )
{
opt_cos_max = simple_strtoul(val_delim + 1, &q, 0);
if ( *q && *q != ',' )
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index a36bcef..ad72ecd 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -138,11 +138,11 @@ static int __init parse_spec_ctrl(const char *s)
{
s += 10;
- if ( !strncmp(s, "retpoline", ss - s) )
+ if ( !cmdline_strcmp(s, "retpoline") )
opt_thunk = THUNK_RETPOLINE;
- else if ( !strncmp(s, "lfence", ss - s) )
+ else if ( !cmdline_strcmp(s, "lfence") )
opt_thunk = THUNK_LFENCE;
- else if ( !strncmp(s, "jmp", ss - s) )
+ else if ( !cmdline_strcmp(s, "jmp") )
opt_thunk = THUNK_JMP;
else
rc = -EINVAL;
diff --git a/xen/arch/x86/x86_64/mmconfig-shared.c b/xen/arch/x86/x86_64/mmconfig-shared.c
index 8675dbd..9e1c81d 100644
--- a/xen/arch/x86/x86_64/mmconfig-shared.c
+++ b/xen/arch/x86/x86_64/mmconfig-shared.c
@@ -46,8 +46,8 @@ static int __init parse_mmcfg(const char *s)
case 1:
break;
default:
- if ( !strncmp(s, "amd_fam10", ss - s) ||
- !strncmp(s, "amd-fam10", ss - s) )
+ if ( !cmdline_strcmp(s, "amd_fam10") ||
+ !cmdline_strcmp(s, "amd-fam10") )
pci_probe |= PCI_CHECK_ENABLE_AMD_MMCONF;
else
rc = -EINVAL;
diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
index 2ed5403..1e1a551 100644
--- a/xen/common/efi/boot.c
+++ b/xen/common/efi/boot.c
@@ -1401,14 +1401,14 @@ static int __init parse_efi_param(const char *s)
if ( !ss )
ss = strchr(s, '\0');
- if ( !strncmp(s, "rs", ss - s) )
+ if ( !cmdline_strcmp(s, "rs") )
{
if ( val )
__set_bit(EFI_RS, &efi_flags);
else
__clear_bit(EFI_RS, &efi_flags);
}
- else if ( !strncmp(s, "attr=uc", ss - s) )
+ else if ( !cmdline_strcmp(s, "attr=uc") )
efi_map_uc = val;
else
rc = -EINVAL;
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index 5766a0f..053c31d 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -221,25 +221,51 @@ void __init cmdline_parse(const char *cmdline)
int parse_bool(const char *s, const char *e)
{
- unsigned int len;
+ size_t len = e ? ({ ASSERT(e >= s); e - s; }) : strlen(s);
- len = e ? ({ ASSERT(e >= s); e - s; }) : strlen(s);
- if ( !len )
- return -1;
+ switch ( len )
+ {
+ case 1:
+ if ( *s == '1' )
+ return 1;
+ if ( *s == '0' )
+ return 0;
+ break;
- if ( !strncmp("no", s, len) ||
- !strncmp("off", s, len) ||
- !strncmp("false", s, len) ||
- !strncmp("disable", s, len) ||
- !strncmp("0", s, len) )
- return 0;
+ case 2:
+ if ( !strncmp("on", s, 2) )
+ return 1;
+ if ( !strncmp("no", s, 2) )
+ return 0;
+ break;
+
+ case 3:
+ if ( !strncmp("yes", s, 3) )
+ return 1;
+ if ( !strncmp("off", s, 3) )
+ return 0;
+ break;
+
+ case 4:
+ if ( !strncmp("true", s, 4) )
+ return 1;
+ break;
+
+ case 5:
+ if ( !strncmp("false", s, 5) )
+ return 0;
+ break;
- if ( !strncmp("yes", s, len) ||
- !strncmp("on", s, len) ||
- !strncmp("true", s, len) ||
- !strncmp("enable", s, len) ||
- !strncmp("1", s, len) )
- return 1;
+ case 6:
+ if ( !strncmp("enable", s, 6) )
+ return 1;
+ break;
+
+ case 7:
+ if ( !strncmp("disable", s, 7) )
+ return 0;
+ break;
+ }
return -1;
}
@@ -271,6 +297,27 @@ int parse_boolean(const char *name, const char *s, const char *e)
return -1;
}
+int cmdline_strcmp(const char *frag, const char *name)
+{
+ for ( ; ; frag++, name++ )
+ {
+ unsigned char f = *frag, n = *name;
+ int res = f - n;
+
+ if ( res || n == '\0' )
+ {
+ /*
+ * NUL in 'name' matching a comma, colon or semicolon in 'frag'
+ * implies success.
+ */
+ if ( n == '\0' && (f == ',' || f == ':' || f == ';') )
+ res = 0;
+
+ return res;
+ }
+ }
+}
+
unsigned int tainted;
/**
diff --git a/xen/drivers/cpufreq/cpufreq.c b/xen/drivers/cpufreq/cpufreq.c
index 4d6badc..ba9897a 100644
--- a/xen/drivers/cpufreq/cpufreq.c
+++ b/xen/drivers/cpufreq/cpufreq.c
@@ -73,7 +73,7 @@ static int __init setup_cpufreq_option(const char *str)
arg = strchr(str, '\0');
choice = parse_bool(str, arg);
- if ( choice < 0 && !strncmp(str, "dom0-kernel", arg - str) )
+ if ( choice < 0 && !cmdline_strcmp(str, "dom0-kernel") )
{
xen_processor_pmbits &= ~XEN_PROCESSOR_PM_PX;
cpufreq_controller = FREQCTL_dom0_kernel;
@@ -81,14 +81,14 @@ static int __init setup_cpufreq_option(const char *str)
return 0;
}
- if ( choice == 0 || !strncmp(str, "none", arg - str) )
+ if ( choice == 0 || !cmdline_strcmp(str, "none") )
{
xen_processor_pmbits &= ~XEN_PROCESSOR_PM_PX;
cpufreq_controller = FREQCTL_none;
return 0;
}
- if ( choice > 0 || !strncmp(str, "xen", arg - str) )
+ if ( choice > 0 || !cmdline_strcmp(str, "xen") )
{
xen_processor_pmbits |= XEN_PROCESSOR_PM_PX;
cpufreq_controller = FREQCTL_xen;
diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
index caff3ab..f097394 100644
--- a/xen/drivers/passthrough/iommu.c
+++ b/xen/drivers/passthrough/iommu.c
@@ -98,36 +98,36 @@ static int __init parse_iommu_param(const char *s)
b = parse_bool(s, ss);
if ( b >= 0 )
iommu_enable = b;
- else if ( !strncmp(s, "force", ss - s) ||
- !strncmp(s, "required", ss - s) )
+ else if ( !cmdline_strcmp(s, "force") ||
+ !cmdline_strcmp(s, "required") )
force_iommu = val;
- else if ( !strncmp(s, "workaround_bios_bug", ss - s) )
+ else if ( !cmdline_strcmp(s, "workaround_bios_bug") )
iommu_workaround_bios_bug = val;
- else if ( !strncmp(s, "igfx", ss - s) )
+ else if ( !cmdline_strcmp(s, "igfx") )
iommu_igfx = val;
- else if ( !strncmp(s, "verbose", ss - s) )
+ else if ( !cmdline_strcmp(s, "verbose") )
iommu_verbose = val;
- else if ( !strncmp(s, "snoop", ss - s) )
+ else if ( !cmdline_strcmp(s, "snoop") )
iommu_snoop = val;
- else if ( !strncmp(s, "qinval", ss - s) )
+ else if ( !cmdline_strcmp(s, "qinval") )
iommu_qinval = val;
- else if ( !strncmp(s, "intremap", ss - s) )
+ else if ( !cmdline_strcmp(s, "intremap") )
iommu_intremap = val;
- else if ( !strncmp(s, "intpost", ss - s) )
+ else if ( !cmdline_strcmp(s, "intpost") )
iommu_intpost = val;
- else if ( !strncmp(s, "debug", ss - s) )
+ else if ( !cmdline_strcmp(s, "debug") )
{
iommu_debug = val;
if ( val )
iommu_verbose = 1;
}
- else if ( !strncmp(s, "amd-iommu-perdev-intremap", ss - s) )
+ else if ( !cmdline_strcmp(s, "amd-iommu-perdev-intremap") )
amd_iommu_perdev_intremap = val;
- else if ( !strncmp(s, "dom0-passthrough", ss - s) )
+ else if ( !cmdline_strcmp(s, "dom0-passthrough") )
iommu_hwdom_passthrough = val;
- else if ( !strncmp(s, "dom0-strict", ss - s) )
+ else if ( !cmdline_strcmp(s, "dom0-strict") )
iommu_hwdom_strict = val;
- else if ( !strncmp(s, "sharept", ss - s) )
+ else if ( !cmdline_strcmp(s, "sharept") )
iommu_hap_pt_share = val;
else
rc = -EINVAL;
diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
index 1277ce2..93c20b9 100644
--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
@@ -213,12 +213,12 @@ static int __init parse_pci_param(const char *s)
if ( !ss )
ss = strchr(s, '\0');
- if ( !strncmp(s, "serr", ss - s) )
+ if ( !cmdline_strcmp(s, "serr") )
{
cmd_mask = PCI_COMMAND_SERR;
brctl_mask = PCI_BRIDGE_CTL_SERR | PCI_BRIDGE_CTL_DTMR_SERR;
}
- else if ( !strncmp(s, "perr", ss - s) )
+ else if ( !cmdline_strcmp(s, "perr") )
{
cmd_mask = PCI_COMMAND_PARITY;
brctl_mask = PCI_BRIDGE_CTL_PARITY;
diff --git a/xen/include/xen/lib.h b/xen/include/xen/lib.h
index 972fc84..89939f4 100644
--- a/xen/include/xen/lib.h
+++ b/xen/include/xen/lib.h
@@ -79,6 +79,13 @@ int parse_bool(const char *s, const char *e);
*/
int parse_boolean(const char *name, const char *s, const char *e);
+/**
+ * Very similar to strcmp(), but will declare a match if the NUL in 'name'
+ * lines up with comma, colon or semicolon in 'frag'. Designed for picking
+ * exact string matches out of a delimited command line list.
+ */
+int cmdline_strcmp(const char *frag, const char *name);
+
/*#define DEBUG_TRACE_DUMP*/
#ifdef DEBUG_TRACE_DUMP
extern void debugtrace_dump(void);
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-04 17:17 [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct Andrew Cooper
@ 2019-01-07 8:59 ` Jan Beulich
2019-01-07 17:28 ` Andrew Cooper
2019-01-14 15:17 ` PING ARM " Andrew Cooper
1 sibling, 1 reply; 14+ messages in thread
From: Jan Beulich @ 2019-01-07 8:59 UTC (permalink / raw)
To: Andrew Cooper
Cc: Julien Grall, Stefano Stabellini, Wei Liu, Xen-devel, Roger Pau Monne
>>> On 04.01.19 at 18:17, <andrew.cooper3@citrix.com> wrote:
> --- a/xen/arch/arm/efi/efi-boot.h
> +++ b/xen/arch/arm/efi/efi-boot.h
> @@ -212,7 +212,7 @@ EFI_STATUS __init fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
> break;
>
> type = fdt_getprop(fdt, node, "device_type", &len);
> - if ( type && strncmp(type, "memory", len) == 0 )
> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
So why not memcmp() then, which is generally cheaper?
> @@ -271,6 +297,27 @@ int parse_boolean(const char *name, const char *s, const char *e)
> return -1;
> }
>
> +int cmdline_strcmp(const char *frag, const char *name)
So you've decided to retain the strcmp()-like return type and value,
despite them being of no interest to any caller, and it being
vanishingly unlikely for a caller to appear which would care. Fine
for now, but I'd still like to understand why.
> +{
> + for ( ; ; frag++, name++ )
> + {
> + unsigned char f = *frag, n = *name;
> + int res = f - n;
> +
> + if ( res || n == '\0' )
> + {
> + /*
> + * NUL in 'name' matching a comma, colon or semicolon in 'frag'
> + * implies success.
> + */
> + if ( n == '\0' && (f == ',' || f == ':' || f == ';') )
> + res = 0;
> +
> + return res;
> + }
> + }
> +}
Down the road I think we should consider further uses of the function
(in the generic parsing routines) and then whether to treat - and _
equally in command line options. Even more so with such an extension,
but already with the behavior above I wonder whether "strcmp" as
part of the name is really appropriate; cmdline_compare() or some such
might be more to the point, and then retaining the return type just to
match up with strcmp() would also disappear as an argument.
Anyway, for the immediate purpose
Reviewed-by: Jan Beulich <jbeulich@suse.com>
with or without the Arm related adjustment (decision there is with the
Arm maintainers anyway).
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-07 8:59 ` Jan Beulich
@ 2019-01-07 17:28 ` Andrew Cooper
2019-01-08 8:31 ` Jan Beulich
0 siblings, 1 reply; 14+ messages in thread
From: Andrew Cooper @ 2019-01-07 17:28 UTC (permalink / raw)
To: Jan Beulich
Cc: Julien Grall, Stefano Stabellini, Wei Liu, Xen-devel, Roger Pau Monne
On 07/01/2019 08:59, Jan Beulich wrote:
>> @@ -271,6 +297,27 @@ int parse_boolean(const char *name, const char *s, const char *e)
>> return -1;
>> }
>>
>> +int cmdline_strcmp(const char *frag, const char *name)
> So you've decided to retain the strcmp()-like return type and value,
> despite them being of no interest to any caller, and it being
> vanishingly unlikely for a caller to appear which would care. Fine
> for now, but I'd still like to understand why.
You already asked this, and give no objection to my answer, I presumed
you were satisfied with the concrete usecase I gave, citing a patch
needing this behaviour which has already been posted to the list.
<bff3c33d-a244-362a-529c-32f91b5f3965@citrix.com>
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-07 17:28 ` Andrew Cooper
@ 2019-01-08 8:31 ` Jan Beulich
2019-01-16 12:08 ` George Dunlap
0 siblings, 1 reply; 14+ messages in thread
From: Jan Beulich @ 2019-01-08 8:31 UTC (permalink / raw)
To: Andrew Cooper
Cc: Julien Grall, Stefano Stabellini, Wei Liu, Xen-devel, Roger Pau Monne
>>> On 07.01.19 at 18:28, <andrew.cooper3@citrix.com> wrote:
> On 07/01/2019 08:59, Jan Beulich wrote:
>>> @@ -271,6 +297,27 @@ int parse_boolean(const char *name, const char *s,
> const char *e)
>>> return -1;
>>> }
>>>
>>> +int cmdline_strcmp(const char *frag, const char *name)
>> So you've decided to retain the strcmp()-like return type and value,
>> despite them being of no interest to any caller, and it being
>> vanishingly unlikely for a caller to appear which would care. Fine
>> for now, but I'd still like to understand why.
>
> You already asked this, and give no objection to my answer, I presumed
> you were satisfied with the concrete usecase I gave, citing a patch
> needing this behaviour which has already been posted to the list.
Well, for one I admit I didn't recall this answer of yours. Perhaps
largely because that (to me) was referring to yet to be posted
code, as (obviously) you can't have used cmdline_strcmp() there.
Now that you say this was posted already (with strncmp()
presumably), I can only remind you that ...
> <bff3c33d-a244-362a-529c-32f91b5f3965@citrix.com>
... neither my mail client nor the list archives allow me to search
for such a mail ID. Anyway - whether that binary searching is
reasonable in the first place depends heavily on when / how the
corresponding sorting gets done. Obviously the comparisons
used have to fully match up. If both use the C rules, that's fine
in an abstract sense (because locale setting ought to not matter),
but it would be better if both actually used the same piece of
(binary) code.
In any event I'm not convinced this is proper justification for the
function here to behave strcmp()-like; that special purpose code
could as well tokenize its strings and use strcmp().
FAOD, none of the above is meant to invalidate my R-b.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* PING ARM [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-04 17:17 [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct Andrew Cooper
2019-01-07 8:59 ` Jan Beulich
@ 2019-01-14 15:17 ` Andrew Cooper
2019-01-14 16:07 ` Julien Grall
1 sibling, 1 reply; 14+ messages in thread
From: Andrew Cooper @ 2019-01-14 15:17 UTC (permalink / raw)
To: Xen-devel; +Cc: Juergen Gross, Julien Grall, Stefano Stabellini
There are ARM changes in here, and this bugfix is needed for 4.12, and
for backporting.
The one change not represented here is switching strncmp() with memcmp()
as recommended by Jan.
~Andrew
On 04/01/2019 17:17, Andrew Cooper wrote:
> When the command line parsing was updated to use const strings and no longer
> tokenise with NUL characters, string matches could no longer be made with
> strcmp().
>
> Unfortunately, the replacement was buggy. strncmp(s, "opt", ss - s) matches
> "o", "op" and "opt" on the command line, as ss - s may be shorter than the
> passed literal. Furthermore, parse_bool() is affected by this, so substrings
> such as "d", "e" and "o" are considered valid, with the latter being ambiguous
> between "on" and "off".
>
> Introduce a new strcmp-like function for the task, which looks for exact
> string matches, but declares success when the NUL of the literal matches a
> comma, colon or semicolon in the command line fragment.
>
> No change to the intended parsing functionality, but fixes cases where a
> partial string on the command line will inadvertently trigger options.
>
> A few areas were more than just a trivial change:
>
> * fdt_add_uefi_nodes(), while not command line parsing, had the same broken
> strncmp() pattern. As a fix, perform an explicit length check first.
> * parse_irq_vector_map_param() gained some style corrections.
> * parse_vpmu_params() was rewritten to use the normal list-of-options form,
> rather than just fixing up parse_vpmu_param() and leaving the parsing being
> hard to follow.
> * Instead of making the trivial fix of adding an explicit length check in
> parse_bool(), use the length to select which token to we search for, which
> is more efficient than the previous linear search over all possible tokens.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Wei Liu <wei.liu2@citrix.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Stefano Stabellini <sstabellini@kernel.org>
> CC: Julien Grall <julien.grall@arm.com>
>
> v2:
> * Fix inverted check in parse_bool() for "no". Drop extranious else's.
> * Fix cmdline_strcmp() to not have implementation defined results.
> ---
> xen/arch/arm/cpuerrata.c | 6 +--
> xen/arch/arm/efi/efi-boot.h | 2 +-
> xen/arch/x86/cpu/vpmu.c | 49 ++++++++--------------
> xen/arch/x86/irq.c | 12 +++---
> xen/arch/x86/psr.c | 4 +-
> xen/arch/x86/spec_ctrl.c | 6 +--
> xen/arch/x86/x86_64/mmconfig-shared.c | 4 +-
> xen/common/efi/boot.c | 4 +-
> xen/common/kernel.c | 79 ++++++++++++++++++++++++++++-------
> xen/drivers/cpufreq/cpufreq.c | 6 +--
> xen/drivers/passthrough/iommu.c | 28 ++++++-------
> xen/drivers/passthrough/pci.c | 4 +-
> xen/include/xen/lib.h | 7 ++++
> 13 files changed, 125 insertions(+), 86 deletions(-)
>
> diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
> index adf88e7..f4815ca 100644
> --- a/xen/arch/arm/cpuerrata.c
> +++ b/xen/arch/arm/cpuerrata.c
> @@ -257,11 +257,11 @@ static int __init parse_spec_ctrl(const char *s)
> {
> s += 5;
>
> - if ( !strncmp(s, "force-disable", ss - s) )
> + if ( !cmdline_strcmp(s, "force-disable") )
> ssbd_state = ARM_SSBD_FORCE_DISABLE;
> - else if ( !strncmp(s, "runtime", ss - s) )
> + else if ( !cmdline_strcmp(s, "runtime") )
> ssbd_state = ARM_SSBD_RUNTIME;
> - else if ( !strncmp(s, "force-enable", ss - s) )
> + else if ( !cmdline_strcmp(s, "force-enable") )
> ssbd_state = ARM_SSBD_FORCE_ENABLE;
> else
> rc = -EINVAL;
> diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
> index ca655ff..22a86ec 100644
> --- a/xen/arch/arm/efi/efi-boot.h
> +++ b/xen/arch/arm/efi/efi-boot.h
> @@ -212,7 +212,7 @@ EFI_STATUS __init fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
> break;
>
> type = fdt_getprop(fdt, node, "device_type", &len);
> - if ( type && strncmp(type, "memory", len) == 0 )
> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
> {
> fdt_del_node(fdt, node);
> continue;
> diff --git a/xen/arch/x86/cpu/vpmu.c b/xen/arch/x86/cpu/vpmu.c
> index 8a4f753..13da7d0 100644
> --- a/xen/arch/x86/cpu/vpmu.c
> +++ b/xen/arch/x86/cpu/vpmu.c
> @@ -61,42 +61,31 @@ static unsigned vpmu_count;
>
> static DEFINE_PER_CPU(struct vcpu *, last_vcpu);
>
> -static int parse_vpmu_param(const char *s, unsigned int len)
> -{
> - if ( !*s || !len )
> - return 0;
> - if ( !strncmp(s, "bts", len) )
> - vpmu_features |= XENPMU_FEATURE_INTEL_BTS;
> - else if ( !strncmp(s, "ipc", len) )
> - vpmu_features |= XENPMU_FEATURE_IPC_ONLY;
> - else if ( !strncmp(s, "arch", len) )
> - vpmu_features |= XENPMU_FEATURE_ARCH_ONLY;
> - else
> - return 1;
> - return 0;
> -}
> -
> static int __init parse_vpmu_params(const char *s)
> {
> - const char *sep, *p = s;
> + const char *ss;
>
> switch ( parse_bool(s, NULL) )
> {
> case 0:
> break;
> default:
> - for ( ; ; )
> - {
> - sep = strchr(p, ',');
> - if ( sep == NULL )
> - sep = strchr(p, 0);
> - if ( parse_vpmu_param(p, sep - p) )
> - goto error;
> - if ( !*sep )
> - /* reached end of flags */
> - break;
> - p = sep + 1;
> - }
> + do {
> + ss = strchr(s, ',');
> + if ( !ss )
> + ss = strchr(s, '\0');
> +
> + if ( !cmdline_strcmp(s, "bts") )
> + vpmu_features |= XENPMU_FEATURE_INTEL_BTS;
> + else if ( !cmdline_strcmp(s, "ipc") )
> + vpmu_features |= XENPMU_FEATURE_IPC_ONLY;
> + else if ( !cmdline_strcmp(s, "arch") )
> + vpmu_features |= XENPMU_FEATURE_ARCH_ONLY;
> + else
> + return -EINVAL;
> +
> + s = ss + 1;
> + } while ( *ss );
> /* fall through */
> case 1:
> /* Default VPMU mode */
> @@ -105,10 +94,6 @@ static int __init parse_vpmu_params(const char *s)
> break;
> }
> return 0;
> -
> - error:
> - printk("VPMU: unknown flags: %s - vpmu disabled!\n", s);
> - return -EINVAL;
> }
>
> void vpmu_lvtpc_update(uint32_t val)
> diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
> index 8b44d6c..23b4f42 100644
> --- a/xen/arch/x86/irq.c
> +++ b/xen/arch/x86/irq.c
> @@ -70,12 +70,12 @@ static int __init parse_irq_vector_map_param(const char *s)
> if ( !ss )
> ss = strchr(s, '\0');
>
> - if ( !strncmp(s, "none", ss - s))
> - opt_irq_vector_map=OPT_IRQ_VECTOR_MAP_NONE;
> - else if ( !strncmp(s, "global", ss - s))
> - opt_irq_vector_map=OPT_IRQ_VECTOR_MAP_GLOBAL;
> - else if ( !strncmp(s, "per-device", ss - s))
> - opt_irq_vector_map=OPT_IRQ_VECTOR_MAP_PERDEV;
> + if ( !cmdline_strcmp(s, "none") )
> + opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_NONE;
> + else if ( !cmdline_strcmp(s, "global") )
> + opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_GLOBAL;
> + else if ( !cmdline_strcmp(s, "per-device") )
> + opt_irq_vector_map = OPT_IRQ_VECTOR_MAP_PERDEV;
> else
> rc = -EINVAL;
>
> diff --git a/xen/arch/x86/psr.c b/xen/arch/x86/psr.c
> index 0ba8ef8..5866a26 100644
> --- a/xen/arch/x86/psr.c
> +++ b/xen/arch/x86/psr.c
> @@ -591,13 +591,13 @@ static int __init parse_psr_param(const char *s)
> if ( val_delim > ss )
> val_delim = ss;
>
> - if ( *val_delim && !strncmp(s, "rmid_max", val_delim - s) )
> + if ( *val_delim && !cmdline_strcmp(s, "rmid_max") )
> {
> opt_rmid_max = simple_strtoul(val_delim + 1, &q, 0);
> if ( *q && *q != ',' )
> rc = -EINVAL;
> }
> - else if ( *val_delim && !strncmp(s, "cos_max", val_delim - s) )
> + else if ( *val_delim && !cmdline_strcmp(s, "cos_max") )
> {
> opt_cos_max = simple_strtoul(val_delim + 1, &q, 0);
> if ( *q && *q != ',' )
> diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
> index a36bcef..ad72ecd 100644
> --- a/xen/arch/x86/spec_ctrl.c
> +++ b/xen/arch/x86/spec_ctrl.c
> @@ -138,11 +138,11 @@ static int __init parse_spec_ctrl(const char *s)
> {
> s += 10;
>
> - if ( !strncmp(s, "retpoline", ss - s) )
> + if ( !cmdline_strcmp(s, "retpoline") )
> opt_thunk = THUNK_RETPOLINE;
> - else if ( !strncmp(s, "lfence", ss - s) )
> + else if ( !cmdline_strcmp(s, "lfence") )
> opt_thunk = THUNK_LFENCE;
> - else if ( !strncmp(s, "jmp", ss - s) )
> + else if ( !cmdline_strcmp(s, "jmp") )
> opt_thunk = THUNK_JMP;
> else
> rc = -EINVAL;
> diff --git a/xen/arch/x86/x86_64/mmconfig-shared.c b/xen/arch/x86/x86_64/mmconfig-shared.c
> index 8675dbd..9e1c81d 100644
> --- a/xen/arch/x86/x86_64/mmconfig-shared.c
> +++ b/xen/arch/x86/x86_64/mmconfig-shared.c
> @@ -46,8 +46,8 @@ static int __init parse_mmcfg(const char *s)
> case 1:
> break;
> default:
> - if ( !strncmp(s, "amd_fam10", ss - s) ||
> - !strncmp(s, "amd-fam10", ss - s) )
> + if ( !cmdline_strcmp(s, "amd_fam10") ||
> + !cmdline_strcmp(s, "amd-fam10") )
> pci_probe |= PCI_CHECK_ENABLE_AMD_MMCONF;
> else
> rc = -EINVAL;
> diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
> index 2ed5403..1e1a551 100644
> --- a/xen/common/efi/boot.c
> +++ b/xen/common/efi/boot.c
> @@ -1401,14 +1401,14 @@ static int __init parse_efi_param(const char *s)
> if ( !ss )
> ss = strchr(s, '\0');
>
> - if ( !strncmp(s, "rs", ss - s) )
> + if ( !cmdline_strcmp(s, "rs") )
> {
> if ( val )
> __set_bit(EFI_RS, &efi_flags);
> else
> __clear_bit(EFI_RS, &efi_flags);
> }
> - else if ( !strncmp(s, "attr=uc", ss - s) )
> + else if ( !cmdline_strcmp(s, "attr=uc") )
> efi_map_uc = val;
> else
> rc = -EINVAL;
> diff --git a/xen/common/kernel.c b/xen/common/kernel.c
> index 5766a0f..053c31d 100644
> --- a/xen/common/kernel.c
> +++ b/xen/common/kernel.c
> @@ -221,25 +221,51 @@ void __init cmdline_parse(const char *cmdline)
>
> int parse_bool(const char *s, const char *e)
> {
> - unsigned int len;
> + size_t len = e ? ({ ASSERT(e >= s); e - s; }) : strlen(s);
>
> - len = e ? ({ ASSERT(e >= s); e - s; }) : strlen(s);
> - if ( !len )
> - return -1;
> + switch ( len )
> + {
> + case 1:
> + if ( *s == '1' )
> + return 1;
> + if ( *s == '0' )
> + return 0;
> + break;
>
> - if ( !strncmp("no", s, len) ||
> - !strncmp("off", s, len) ||
> - !strncmp("false", s, len) ||
> - !strncmp("disable", s, len) ||
> - !strncmp("0", s, len) )
> - return 0;
> + case 2:
> + if ( !strncmp("on", s, 2) )
> + return 1;
> + if ( !strncmp("no", s, 2) )
> + return 0;
> + break;
> +
> + case 3:
> + if ( !strncmp("yes", s, 3) )
> + return 1;
> + if ( !strncmp("off", s, 3) )
> + return 0;
> + break;
> +
> + case 4:
> + if ( !strncmp("true", s, 4) )
> + return 1;
> + break;
> +
> + case 5:
> + if ( !strncmp("false", s, 5) )
> + return 0;
> + break;
>
> - if ( !strncmp("yes", s, len) ||
> - !strncmp("on", s, len) ||
> - !strncmp("true", s, len) ||
> - !strncmp("enable", s, len) ||
> - !strncmp("1", s, len) )
> - return 1;
> + case 6:
> + if ( !strncmp("enable", s, 6) )
> + return 1;
> + break;
> +
> + case 7:
> + if ( !strncmp("disable", s, 7) )
> + return 0;
> + break;
> + }
>
> return -1;
> }
> @@ -271,6 +297,27 @@ int parse_boolean(const char *name, const char *s, const char *e)
> return -1;
> }
>
> +int cmdline_strcmp(const char *frag, const char *name)
> +{
> + for ( ; ; frag++, name++ )
> + {
> + unsigned char f = *frag, n = *name;
> + int res = f - n;
> +
> + if ( res || n == '\0' )
> + {
> + /*
> + * NUL in 'name' matching a comma, colon or semicolon in 'frag'
> + * implies success.
> + */
> + if ( n == '\0' && (f == ',' || f == ':' || f == ';') )
> + res = 0;
> +
> + return res;
> + }
> + }
> +}
> +
> unsigned int tainted;
>
> /**
> diff --git a/xen/drivers/cpufreq/cpufreq.c b/xen/drivers/cpufreq/cpufreq.c
> index 4d6badc..ba9897a 100644
> --- a/xen/drivers/cpufreq/cpufreq.c
> +++ b/xen/drivers/cpufreq/cpufreq.c
> @@ -73,7 +73,7 @@ static int __init setup_cpufreq_option(const char *str)
> arg = strchr(str, '\0');
> choice = parse_bool(str, arg);
>
> - if ( choice < 0 && !strncmp(str, "dom0-kernel", arg - str) )
> + if ( choice < 0 && !cmdline_strcmp(str, "dom0-kernel") )
> {
> xen_processor_pmbits &= ~XEN_PROCESSOR_PM_PX;
> cpufreq_controller = FREQCTL_dom0_kernel;
> @@ -81,14 +81,14 @@ static int __init setup_cpufreq_option(const char *str)
> return 0;
> }
>
> - if ( choice == 0 || !strncmp(str, "none", arg - str) )
> + if ( choice == 0 || !cmdline_strcmp(str, "none") )
> {
> xen_processor_pmbits &= ~XEN_PROCESSOR_PM_PX;
> cpufreq_controller = FREQCTL_none;
> return 0;
> }
>
> - if ( choice > 0 || !strncmp(str, "xen", arg - str) )
> + if ( choice > 0 || !cmdline_strcmp(str, "xen") )
> {
> xen_processor_pmbits |= XEN_PROCESSOR_PM_PX;
> cpufreq_controller = FREQCTL_xen;
> diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
> index caff3ab..f097394 100644
> --- a/xen/drivers/passthrough/iommu.c
> +++ b/xen/drivers/passthrough/iommu.c
> @@ -98,36 +98,36 @@ static int __init parse_iommu_param(const char *s)
> b = parse_bool(s, ss);
> if ( b >= 0 )
> iommu_enable = b;
> - else if ( !strncmp(s, "force", ss - s) ||
> - !strncmp(s, "required", ss - s) )
> + else if ( !cmdline_strcmp(s, "force") ||
> + !cmdline_strcmp(s, "required") )
> force_iommu = val;
> - else if ( !strncmp(s, "workaround_bios_bug", ss - s) )
> + else if ( !cmdline_strcmp(s, "workaround_bios_bug") )
> iommu_workaround_bios_bug = val;
> - else if ( !strncmp(s, "igfx", ss - s) )
> + else if ( !cmdline_strcmp(s, "igfx") )
> iommu_igfx = val;
> - else if ( !strncmp(s, "verbose", ss - s) )
> + else if ( !cmdline_strcmp(s, "verbose") )
> iommu_verbose = val;
> - else if ( !strncmp(s, "snoop", ss - s) )
> + else if ( !cmdline_strcmp(s, "snoop") )
> iommu_snoop = val;
> - else if ( !strncmp(s, "qinval", ss - s) )
> + else if ( !cmdline_strcmp(s, "qinval") )
> iommu_qinval = val;
> - else if ( !strncmp(s, "intremap", ss - s) )
> + else if ( !cmdline_strcmp(s, "intremap") )
> iommu_intremap = val;
> - else if ( !strncmp(s, "intpost", ss - s) )
> + else if ( !cmdline_strcmp(s, "intpost") )
> iommu_intpost = val;
> - else if ( !strncmp(s, "debug", ss - s) )
> + else if ( !cmdline_strcmp(s, "debug") )
> {
> iommu_debug = val;
> if ( val )
> iommu_verbose = 1;
> }
> - else if ( !strncmp(s, "amd-iommu-perdev-intremap", ss - s) )
> + else if ( !cmdline_strcmp(s, "amd-iommu-perdev-intremap") )
> amd_iommu_perdev_intremap = val;
> - else if ( !strncmp(s, "dom0-passthrough", ss - s) )
> + else if ( !cmdline_strcmp(s, "dom0-passthrough") )
> iommu_hwdom_passthrough = val;
> - else if ( !strncmp(s, "dom0-strict", ss - s) )
> + else if ( !cmdline_strcmp(s, "dom0-strict") )
> iommu_hwdom_strict = val;
> - else if ( !strncmp(s, "sharept", ss - s) )
> + else if ( !cmdline_strcmp(s, "sharept") )
> iommu_hap_pt_share = val;
> else
> rc = -EINVAL;
> diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
> index 1277ce2..93c20b9 100644
> --- a/xen/drivers/passthrough/pci.c
> +++ b/xen/drivers/passthrough/pci.c
> @@ -213,12 +213,12 @@ static int __init parse_pci_param(const char *s)
> if ( !ss )
> ss = strchr(s, '\0');
>
> - if ( !strncmp(s, "serr", ss - s) )
> + if ( !cmdline_strcmp(s, "serr") )
> {
> cmd_mask = PCI_COMMAND_SERR;
> brctl_mask = PCI_BRIDGE_CTL_SERR | PCI_BRIDGE_CTL_DTMR_SERR;
> }
> - else if ( !strncmp(s, "perr", ss - s) )
> + else if ( !cmdline_strcmp(s, "perr") )
> {
> cmd_mask = PCI_COMMAND_PARITY;
> brctl_mask = PCI_BRIDGE_CTL_PARITY;
> diff --git a/xen/include/xen/lib.h b/xen/include/xen/lib.h
> index 972fc84..89939f4 100644
> --- a/xen/include/xen/lib.h
> +++ b/xen/include/xen/lib.h
> @@ -79,6 +79,13 @@ int parse_bool(const char *s, const char *e);
> */
> int parse_boolean(const char *name, const char *s, const char *e);
>
> +/**
> + * Very similar to strcmp(), but will declare a match if the NUL in 'name'
> + * lines up with comma, colon or semicolon in 'frag'. Designed for picking
> + * exact string matches out of a delimited command line list.
> + */
> +int cmdline_strcmp(const char *frag, const char *name);
> +
> /*#define DEBUG_TRACE_DUMP*/
> #ifdef DEBUG_TRACE_DUMP
> extern void debugtrace_dump(void);
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PING ARM [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-14 15:17 ` PING ARM " Andrew Cooper
@ 2019-01-14 16:07 ` Julien Grall
2019-01-14 16:59 ` Andrew Cooper
0 siblings, 1 reply; 14+ messages in thread
From: Julien Grall @ 2019-01-14 16:07 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel; +Cc: Juergen Gross, Stefano Stabellini
Hi Andrew,
On 14/01/2019 15:17, Andrew Cooper wrote:
>> diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
>> index ca655ff..22a86ec 100644
>> --- a/xen/arch/arm/efi/efi-boot.h
>> +++ b/xen/arch/arm/efi/efi-boot.h
>> @@ -212,7 +212,7 @@ EFI_STATUS __init fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
>> break;
>>
>> type = fdt_getprop(fdt, node, "device_type", &len);
>> - if ( type && strncmp(type, "memory", len) == 0 )
>> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
string property terminates with NUL and is included in the len. So I don't think
this change is correct.
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PING ARM [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-14 16:07 ` Julien Grall
@ 2019-01-14 16:59 ` Andrew Cooper
2019-01-14 17:16 ` Julien Grall
0 siblings, 1 reply; 14+ messages in thread
From: Andrew Cooper @ 2019-01-14 16:59 UTC (permalink / raw)
To: Julien Grall, Xen-devel; +Cc: Juergen Gross, Stefano Stabellini
On 14/01/2019 16:07, Julien Grall wrote:
> Hi Andrew,
>
> On 14/01/2019 15:17, Andrew Cooper wrote:
>>> diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
>>> index ca655ff..22a86ec 100644
>>> --- a/xen/arch/arm/efi/efi-boot.h
>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>> @@ -212,7 +212,7 @@ EFI_STATUS __init
>>> fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
>>> break;
>>> type = fdt_getprop(fdt, node, "device_type", &len);
>>> - if ( type && strncmp(type, "memory", len) == 0 )
>>> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
>
> string property terminates with NUL and is included in the len. So I
> don't think this change is correct.
Are you saying that len is 7 here then?
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PING ARM [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-14 16:59 ` Andrew Cooper
@ 2019-01-14 17:16 ` Julien Grall
2019-01-14 17:43 ` Andrew Cooper
2019-01-15 8:47 ` Jan Beulich
0 siblings, 2 replies; 14+ messages in thread
From: Julien Grall @ 2019-01-14 17:16 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel; +Cc: Juergen Gross, Stefano Stabellini
Hi Andrew,
On 14/01/2019 16:59, Andrew Cooper wrote:
> On 14/01/2019 16:07, Julien Grall wrote:
>> On 14/01/2019 15:17, Andrew Cooper wrote:
>>>> diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
>>>> index ca655ff..22a86ec 100644
>>>> --- a/xen/arch/arm/efi/efi-boot.h
>>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>>> @@ -212,7 +212,7 @@ EFI_STATUS __init
>>>> fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
>>>> break;
>>>> type = fdt_getprop(fdt, node, "device_type", &len);
>>>> - if ( type && strncmp(type, "memory", len) == 0 )
>>>> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
>>
>> string property terminates with NUL and is included in the len. So I
>> don't think this change is correct.
>
> Are you saying that len is 7 here then?
Yes. But I don't think this change is necessary as we already include NUL in the
comparison.
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PING ARM [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-14 17:16 ` Julien Grall
@ 2019-01-14 17:43 ` Andrew Cooper
2019-01-15 11:39 ` Julien Grall
2019-01-15 8:47 ` Jan Beulich
1 sibling, 1 reply; 14+ messages in thread
From: Andrew Cooper @ 2019-01-14 17:43 UTC (permalink / raw)
To: Julien Grall, Xen-devel; +Cc: Juergen Gross, Stefano Stabellini
On 14/01/2019 17:16, Julien Grall wrote:
> Hi Andrew,
>
> On 14/01/2019 16:59, Andrew Cooper wrote:
>> On 14/01/2019 16:07, Julien Grall wrote:
>>> On 14/01/2019 15:17, Andrew Cooper wrote:
>>>>> diff --git a/xen/arch/arm/efi/efi-boot.h
>>>>> b/xen/arch/arm/efi/efi-boot.h
>>>>> index ca655ff..22a86ec 100644
>>>>> --- a/xen/arch/arm/efi/efi-boot.h
>>>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>>>> @@ -212,7 +212,7 @@ EFI_STATUS __init
>>>>> fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
>>>>> break;
>>>>> type = fdt_getprop(fdt, node, "device_type", &len);
>>>>> - if ( type && strncmp(type, "memory", len) == 0 )
>>>>> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
>>>
>>> string property terminates with NUL and is included in the len. So I
>>> don't think this change is correct.
>>
>> Are you saying that len is 7 here then?
>
> Yes. But I don't think this change is necessary as we already include
> NUL in the comparison.
Ah - fair point. I'll drop this hunk then.
Are you happy with the adjustment in arch/arm/cpuerrata.c ?
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PING ARM [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-14 17:16 ` Julien Grall
2019-01-14 17:43 ` Andrew Cooper
@ 2019-01-15 8:47 ` Jan Beulich
2019-01-15 11:11 ` Julien Grall
1 sibling, 1 reply; 14+ messages in thread
From: Jan Beulich @ 2019-01-15 8:47 UTC (permalink / raw)
To: Julien Grall, Andrew Cooper; +Cc: Juergen Gross, Stefano Stabellini, Xen-devel
>>> On 14.01.19 at 18:16, <julien.grall@arm.com> wrote:
> Hi Andrew,
>
> On 14/01/2019 16:59, Andrew Cooper wrote:
>> On 14/01/2019 16:07, Julien Grall wrote:
>>> On 14/01/2019 15:17, Andrew Cooper wrote:
>>>>> diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
>>>>> index ca655ff..22a86ec 100644
>>>>> --- a/xen/arch/arm/efi/efi-boot.h
>>>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>>>> @@ -212,7 +212,7 @@ EFI_STATUS __init
>>>>> fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
>>>>> break;
>>>>> type = fdt_getprop(fdt, node, "device_type", &len);
>>>>> - if ( type && strncmp(type, "memory", len) == 0 )
>>>>> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
>>>
>>> string property terminates with NUL and is included in the len. So I
>>> don't think this change is correct.
>>
>> Are you saying that len is 7 here then?
>
> Yes. But I don't think this change is necessary as we already include NUL in the
> comparison.
If len is 7, then indeed you do. Looking at fdt_get_property_by_offset()
I can't see though where the guarantee comes from that the returned
string is nul-terminated, as it's prop->len which gets handed back. IOW
if you e.g. get back "mem" (with or without a nul terminator) and len 3,
then strncmp() would still return zero.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PING ARM [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-15 8:47 ` Jan Beulich
@ 2019-01-15 11:11 ` Julien Grall
0 siblings, 0 replies; 14+ messages in thread
From: Julien Grall @ 2019-01-15 11:11 UTC (permalink / raw)
To: Jan Beulich, Andrew Cooper; +Cc: Juergen Gross, Stefano Stabellini, Xen-devel
Hi Jan,
On 1/15/19 8:47 AM, Jan Beulich wrote:
>>>> On 14.01.19 at 18:16, <julien.grall@arm.com> wrote:
>> Hi Andrew,
>>
>> On 14/01/2019 16:59, Andrew Cooper wrote:
>>> On 14/01/2019 16:07, Julien Grall wrote:
>>>> On 14/01/2019 15:17, Andrew Cooper wrote:
>>>>>> diff --git a/xen/arch/arm/efi/efi-boot.h b/xen/arch/arm/efi/efi-boot.h
>>>>>> index ca655ff..22a86ec 100644
>>>>>> --- a/xen/arch/arm/efi/efi-boot.h
>>>>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>>>>> @@ -212,7 +212,7 @@ EFI_STATUS __init
>>>>>> fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
>>>>>> break;
>>>>>> type = fdt_getprop(fdt, node, "device_type", &len);
>>>>>> - if ( type && strncmp(type, "memory", len) == 0 )
>>>>>> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
>>>>
>>>> string property terminates with NUL and is included in the len. So I
>>>> don't think this change is correct.
>>>
>>> Are you saying that len is 7 here then?
>>
>> Yes. But I don't think this change is necessary as we already include NUL in the
>> comparison.
>
> If len is 7, then indeed you do. Looking at fdt_get_property_by_offset()
> I can't see though where the guarantee comes from that the returned
> string is nul-terminated, as it's prop->len which gets handed back. IOW
> if you e.g. get back "mem" (with or without a nul terminator) and len 3,
> then strncmp() would still return zero.
From section 2.2.4, when the propery value is a string then it should
be null-terminated. So your example is invalid from a DT spec point of view.
Validating a Device-Tree (other than the bindings) is a pain so you
always have to provide a blob complaint with the spec [1].
Cheers,
[1]
https://github.com/devicetree-org/devicetree-specification/releases/tag/v0.2
>
> Jan
>
>
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PING ARM [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-14 17:43 ` Andrew Cooper
@ 2019-01-15 11:39 ` Julien Grall
0 siblings, 0 replies; 14+ messages in thread
From: Julien Grall @ 2019-01-15 11:39 UTC (permalink / raw)
To: Andrew Cooper, Xen-devel; +Cc: Juergen Gross, Stefano Stabellini
Hi Andrew,
On 1/14/19 5:43 PM, Andrew Cooper wrote:
> On 14/01/2019 17:16, Julien Grall wrote:
>> Hi Andrew,
>>
>> On 14/01/2019 16:59, Andrew Cooper wrote:
>>> On 14/01/2019 16:07, Julien Grall wrote:
>>>> On 14/01/2019 15:17, Andrew Cooper wrote:
>>>>>> diff --git a/xen/arch/arm/efi/efi-boot.h
>>>>>> b/xen/arch/arm/efi/efi-boot.h
>>>>>> index ca655ff..22a86ec 100644
>>>>>> --- a/xen/arch/arm/efi/efi-boot.h
>>>>>> +++ b/xen/arch/arm/efi/efi-boot.h
>>>>>> @@ -212,7 +212,7 @@ EFI_STATUS __init
>>>>>> fdt_add_uefi_nodes(EFI_SYSTEM_TABLE *sys_table,
>>>>>> break;
>>>>>> type = fdt_getprop(fdt, node, "device_type", &len);
>>>>>> - if ( type && strncmp(type, "memory", len) == 0 )
>>>>>> + if ( type && len == 6 && strncmp(type, "memory", 6) == 0 )
>>>>
>>>> string property terminates with NUL and is included in the len. So I
>>>> don't think this change is correct.
>>>
>>> Are you saying that len is 7 here then?
>>
>> Yes. But I don't think this change is necessary as we already include
>> NUL in the comparison.
>
> Ah - fair point. I'll drop this hunk then.
>
> Are you happy with the adjustment in arch/arm/cpuerrata.c ?
Yes. For that change:
Acked-by: Julien Grall <julien.grall@arm.com>
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-08 8:31 ` Jan Beulich
@ 2019-01-16 12:08 ` George Dunlap
2019-01-16 12:48 ` Jan Beulich
0 siblings, 1 reply; 14+ messages in thread
From: George Dunlap @ 2019-01-16 12:08 UTC (permalink / raw)
To: Jan Beulich
Cc: Stefano Stabellini, Wei Liu, Andrew Cooper, Xen-devel,
Julien Grall, Roger Pau Monne
On Tue, Jan 8, 2019 at 8:32 AM Jan Beulich <JBeulich@suse.com> wrote:
>
> >>> On 07.01.19 at 18:28, <andrew.cooper3@citrix.com> wrote:
> > On 07/01/2019 08:59, Jan Beulich wrote:
> >>> @@ -271,6 +297,27 @@ int parse_boolean(const char *name, const char *s,
> > const char *e)
> >>> return -1;
> >>> }
> >>>
> >>> +int cmdline_strcmp(const char *frag, const char *name)
> >> So you've decided to retain the strcmp()-like return type and value,
> >> despite them being of no interest to any caller, and it being
> >> vanishingly unlikely for a caller to appear which would care. Fine
> >> for now, but I'd still like to understand why.
> >
> > You already asked this, and give no objection to my answer, I presumed
> > you were satisfied with the concrete usecase I gave, citing a patch
> > needing this behaviour which has already been posted to the list.
>
> Well, for one I admit I didn't recall this answer of yours. Perhaps
> largely because that (to me) was referring to yet to be posted
> code, as (obviously) you can't have used cmdline_strcmp() there.
> Now that you say this was posted already (with strncmp()
> presumably), I can only remind you that ...
>
> > <bff3c33d-a244-362a-529c-32f91b5f3965@citrix.com>
>
> ... neither my mail client nor the list archives allow me to search
> for such a mail ID.
I prepend "http://marc.info/?i=" to the id in question. For example:
marc.info/?i=<bff3c33d-a244-362a-529c-32f91b5f3965@citrix.com>
If I need to see more I then search based on the title.
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct
2019-01-16 12:08 ` George Dunlap
@ 2019-01-16 12:48 ` Jan Beulich
0 siblings, 0 replies; 14+ messages in thread
From: Jan Beulich @ 2019-01-16 12:48 UTC (permalink / raw)
To: George Dunlap
Cc: Stefano Stabellini, Wei Liu, Andrew Cooper, Xen-devel,
Julien Grall, Roger Pau Monne
>>> On 16.01.19 at 13:08, <dunlapg@umich.edu> wrote:
> On Tue, Jan 8, 2019 at 8:32 AM Jan Beulich <JBeulich@suse.com> wrote:
>>
>> >>> On 07.01.19 at 18:28, <andrew.cooper3@citrix.com> wrote:
>> > On 07/01/2019 08:59, Jan Beulich wrote:
>> >>> @@ -271,6 +297,27 @@ int parse_boolean(const char *name, const char *s,
>> > const char *e)
>> >>> return -1;
>> >>> }
>> >>>
>> >>> +int cmdline_strcmp(const char *frag, const char *name)
>> >> So you've decided to retain the strcmp()-like return type and value,
>> >> despite them being of no interest to any caller, and it being
>> >> vanishingly unlikely for a caller to appear which would care. Fine
>> >> for now, but I'd still like to understand why.
>> >
>> > You already asked this, and give no objection to my answer, I presumed
>> > you were satisfied with the concrete usecase I gave, citing a patch
>> > needing this behaviour which has already been posted to the list.
>>
>> Well, for one I admit I didn't recall this answer of yours. Perhaps
>> largely because that (to me) was referring to yet to be posted
>> code, as (obviously) you can't have used cmdline_strcmp() there.
>> Now that you say this was posted already (with strncmp()
>> presumably), I can only remind you that ...
>>
>> > <bff3c33d-a244-362a-529c-32f91b5f3965@citrix.com>
>>
>> ... neither my mail client nor the list archives allow me to search
>> for such a mail ID.
>
> I prepend "http://marc.info/?i=" to the id in question. For example:
>
> marc.info/?i=<bff3c33d-a244-362a-529c-32f91b5f3965@citrix.com>
Oh, thanks, that's useful to know as a workaround.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2019-01-16 12:48 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-04 17:17 [PATCH v2] xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct Andrew Cooper
2019-01-07 8:59 ` Jan Beulich
2019-01-07 17:28 ` Andrew Cooper
2019-01-08 8:31 ` Jan Beulich
2019-01-16 12:08 ` George Dunlap
2019-01-16 12:48 ` Jan Beulich
2019-01-14 15:17 ` PING ARM " Andrew Cooper
2019-01-14 16:07 ` Julien Grall
2019-01-14 16:59 ` Andrew Cooper
2019-01-14 17:16 ` Julien Grall
2019-01-14 17:43 ` Andrew Cooper
2019-01-15 11:39 ` Julien Grall
2019-01-15 8:47 ` Jan Beulich
2019-01-15 11:11 ` Julien Grall
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.