On 18.11.21 03:37, Stefano Stabellini wrote: > On Wed, 17 Nov 2021, Jan Beulich wrote: >> On 17.11.2021 03:11, Stefano Stabellini wrote: >>> --- a/drivers/xen/xenbus/xenbus_probe.c >>> +++ b/drivers/xen/xenbus/xenbus_probe.c >>> @@ -951,6 +951,18 @@ static int __init xenbus_init(void) >>> err = hvm_get_parameter(HVM_PARAM_STORE_PFN, &v); >>> if (err) >>> goto out_error; >>> + /* >>> + * Uninitialized hvm_params are zero and return no error. >>> + * Although it is theoretically possible to have >>> + * HVM_PARAM_STORE_PFN set to zero on purpose, in reality it is >>> + * not zero when valid. If zero, it means that Xenstore hasn't >>> + * been properly initialized. Instead of attempting to map a >>> + * wrong guest physical address return error. >>> + */ >>> + if (v == 0) { >>> + err = -ENOENT; >>> + goto out_error; >>> + } >> >> If such a check gets added, then I think known-invalid frame numbers >> should be covered at even higher a priority than zero. > > Uhm, that's a good point. We could check for 0 and also ULONG_MAX > > >> This would, for example, also mean to ... >> >>> xen_store_gfn = (unsigned long)v; >> >> ... stop silently truncating a value here. > > Yeah, it can only happen on 32-bit but you have a point. > > >> By covering them we would then have the option to pre-fill PFN params >> with, say, ~0 in the hypervisor (to clearly identify them as invalid, >> rather than having to guess at the validity of 0). I haven't really >> checked yet whether such a change would be compatible with existing >> software ... > > I had the same idea. I think the hvm_params should be initialized to an > invalid value in Xen. But here in Linux we need to be able to cope with > older Xen versions too so it still makes sense to check for zero in > places where it is very obviously incorrect (HVM_PARAM_STORE_PFN). > > > What do you think of the appended? > > > > diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c > index 94405bb3829e..04558d3a5562 100644 > --- a/drivers/xen/xenbus/xenbus_probe.c > +++ b/drivers/xen/xenbus/xenbus_probe.c > @@ -951,6 +951,28 @@ static int __init xenbus_init(void) > err = hvm_get_parameter(HVM_PARAM_STORE_PFN, &v); > if (err) > goto out_error; > + /* > + * Return error on an invalid value. > + * > + * Uninitialized hvm_params are zero and return no error. > + * Although it is theoretically possible to have > + * HVM_PARAM_STORE_PFN set to zero on purpose, in reality it is > + * not zero when valid. If zero, it means that Xenstore hasn't > + * been properly initialized. Instead of attempting to map a > + * wrong guest physical address return error. > + */ > + if (v == 0) { Make this "if (v == ULONG_MAX || v== 0)" instead? This would result in the same err on a new and an old hypervisor (assuming we switch the hypervisor to init params with ~0UL). > + err = -ENOENT; > + goto out_error; > + } > + /* > + * ULONG_MAX is invalid on 64-bit because is INVALID_PFN. > + * On 32-bit return error to avoid truncation. > + */ > + if (v >= ULONG_MAX) { > + err = -EINVAL; > + goto out_error; > + } Does it make sense to continue the system running in case of truncation? This would be a 32-bit guest with more than 16TB of RAM and the Xen tools decided to place the Xenstore ring page above the 16TB boundary. This is a completely insane scenario IMO. A proper panic() in this case would make diagnosis of that much easier (me having doubts that this will ever be hit, though). Juergen