Patchwork [1/2] exec.c: Fix off-by-one error in register_subpage

Submitter Tyler Hall
Date July 25, 2012, 10:45 p.m.
Message ID <1343256304-32029-1-git-send-email-tylerwhall@gmail.com>
Permalink /patch/173312/
State New

Comments

Tyler Hall - July 25, 2012, 10:45 p.m.
subpage_register() expects "end" to be the last byte in the mapping.
Registering a non-page-aligned memory region that extends up to or
beyond a page boundary causes subpage_register() to silently fail
through the (end >= PAGE_SIZE) check.

This bug does not cause noticeable problems for mappings that do not
extend to a page boundary, though they do register an extra byte.

Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
---
 exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
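The commit message above contrasts two conventions for "end": the pre-patch code passed one past the last byte, the callee expects the last byte itself. The toy below is an added example written for this page, not QEMU code and not from the patch author; it models one page's subpage table as a per-byte array and lets the caller pick the old or the fixed formula, so the two failure modes the message names (an extra byte for a mid-page region, a silent drop for a region that reaches the page boundary) can be observed directly. All `TOY_*` names, the `toy_subpage` type and the `toy_*` functions are assumptions made for the illustration; the real `subpage_register()` ignores a bad range silently, whereas the toy reports it.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the subpage bookkeeping discussed in the patch. This is an
 * added example, not QEMU code: TOY_* constants, toy_subpage and the toy_*
 * functions are assumptions made to illustrate the inclusive-"end" contract
 * that register_subpage() was violating.
 */
#define TOY_PAGE_BITS 12
#define TOY_PAGE_SIZE ((uint64_t)1 << TOY_PAGE_BITS)
#define TOY_PAGE_MASK (~(TOY_PAGE_SIZE - 1))   /* same shape as TARGET_PAGE_MASK */
#define TOY_UNASSIGNED 0xFFFFu

typedef struct {
    uint16_t section[TOY_PAGE_SIZE];   /* section index for every byte of one page */
} toy_subpage;

static void toy_subpage_init(toy_subpage *sp)
{
    memset(sp, 0xFF, sizeof(*sp));     /* every uint16_t becomes TOY_UNASSIGNED */
}

/*
 * Callee: "end" is the LAST byte of the mapping, so a range that reaches the
 * page size is rejected. The real subpage_register() does this silently; the
 * toy reports the rejection so the caller can see it.
 */
static bool toy_subpage_register(toy_subpage *sp, uint64_t start, uint64_t end,
                                 uint16_t section)
{
    if (end >= TOY_PAGE_SIZE || start > end) {
        return false;
    }
    for (uint64_t i = start; i <= end; i++) {
        sp->section[i] = section;
    }
    return true;
}

/* Caller: 'fixed' selects the post-patch "- 1" or the pre-patch exclusive end. */
static bool toy_register_subpage(toy_subpage *sp, uint64_t offset, uint64_t size,
                                 uint16_t section, bool fixed)
{
    uint64_t start = offset & ~TOY_PAGE_MASK;             /* offset within the page */
    uint64_t end = fixed ? start + size - 1 : start + size;
    return toy_subpage_register(sp, start, end, section);
}

/* Number of bytes in the page currently mapped to 'section'. */
static unsigned toy_count(const toy_subpage *sp, uint16_t section)
{
    unsigned n = 0;
    for (uint64_t i = 0; i < TOY_PAGE_SIZE; i++) {
        n += (sp->section[i] == section);
    }
    return n;
}

/*
 * Registers one region on a fresh page and returns how many bytes ended up
 * mapped to it, or -1 if the callee rejected the range.
 */
static int toy_registered_bytes(uint64_t offset, uint64_t size, bool fixed)
{
    toy_subpage sp;
    toy_subpage_init(&sp);
    if (!toy_register_subpage(&sp, offset, size, 1, fixed)) {
        return -1;
    }
    return (int)toy_count(&sp, 1);
}

int main(void)
{
    /* Constructed sample regions, all within one page. */
    struct { uint64_t offset, size; } cases[] = {
        { 0x800, 0x100 },   /* ends mid-page: old code maps one byte too many */
        { 0xF00, 0x100 },   /* ends exactly at the boundary: old code drops it */
        { 0x800, 0x000 },   /* zero-size: old code maps 1 byte, fix wraps and is rejected */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("offset 0x%" PRIx64 " size 0x%" PRIx64 ": before=%d after=%d\n",
               cases[i].offset, cases[i].size,
               toy_registered_bytes(cases[i].offset, cases[i].size, false),
               toy_registered_bytes(cases[i].offset, cases[i].size, true));
    }
    return 0;
}
```

The third case is the caveat the patch itself does not address: once "end" is inclusive, a zero-length section computes `start - 1`, which for an unsigned `end` wraps below `start` (or to a huge value when `start` is 0); the toy's `start > end` guard catches it, but a caller-side check on `section->size` is the cleaner place to enforce that.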
Stefan Hajnoczi - Aug. 1, 2012, 10:42 a.m.
On Wed, Jul 25, 2012 at 06:45:03PM -0400, Tyler Hall wrote:
> subpage_register() expects "end" to be the last byte in the mapping.
> Registering a non-page-aligned memory region that extends up to or
> beyond a page boundary causes subpage_register() to silently fail
> through the (end >= PAGE_SIZE) check.
> 
> This bug does not cause noticeable problems for mappings that do not
> extend to a page boundary, though they do register an extra byte.
> 
> Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
> ---
>  exec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/exec.c b/exec.c
> index feb4795..27b100c 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -2271,7 +2271,7 @@ static void register_subpage(MemoryRegionSection *section)
>          subpage = container_of(existing->mr, subpage_t, iomem);
>      }
>      start = section->offset_within_address_space & ~TARGET_PAGE_MASK;
> -    end = start + section->size;
> +    end = start + section->size - 1;
>      subpage_register(subpage, start, end, phys_section_add(section));
>  }

I would really like to see an Acked-by: or Signed-off-by: from Avi or
someone else who is familiar with the memory regions code.  Especially
for Patch 2/2.

Stefan
Peter Maydell - Aug. 1, 2012, 12:52 p.m.
On 1 August 2012 11:42, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> On Wed, Jul 25, 2012 at 06:45:03PM -0400, Tyler Hall wrote:
>> subpage_register() expects "end" to be the last byte in the mapping.
>> Registering a non-page-aligned memory region that extends up to or
>> beyond a page boundary causes subpage_register() to silently fail
>> through the (end >= PAGE_SIZE) check.
>>
>> This bug does not cause noticeable problems for mappings that do not
>> extend to a page boundary, though they do register an extra byte.
>>
>> Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
>> ---
>>  exec.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/exec.c b/exec.c
>> index feb4795..27b100c 100644
>> --- a/exec.c
>> +++ b/exec.c
>> @@ -2271,7 +2271,7 @@ static void register_subpage(MemoryRegionSection *section)
>>          subpage = container_of(existing->mr, subpage_t, iomem);
>>      }
>>      start = section->offset_within_address_space & ~TARGET_PAGE_MASK;
>> -    end = start + section->size;
>> +    end = start + section->size - 1;
>>      subpage_register(subpage, start, end, phys_section_add(section));
>>  }
>
> I would really like to see an Acked-by: or Signed-off-by: from Avi or
> someone else who is familiar with the memory regions code.  Especially
> for Patch 2/2.

I think this patch is OK (compare the subpage_register() call in
subpage_init(), the guards in subpage_register(), etc), so

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

though I dunno that I'd claim to be familiar with the memory region
code ;-)

2/2 is definitely not a trivial patch, though -- it's trying to fix
a long standing deficiency in qemu's mmio region handling. I gave 2/2
a quick test and it seems to pass the right offset through to the
read/write handlers, but Avi should definitely review it...

On a related note, the comment above register_subpage which includes
remarks about how this special case doesn't work seems to now be
rather out of date since it's still talking about function parameter
names which no longer exist.

-- PMM
Avi Kivity - Aug. 1, 2012, 12:56 p.m.
On 07/26/2012 01:45 AM, Tyler Hall wrote:
> subpage_register() expects "end" to be the last byte in the mapping.
> Registering a non-page-aligned memory region that extends up to or
> beyond a page boundary causes subpage_register() to silently fail
> through the (end >= PAGE_SIZE) check.
> 
> This bug does not cause noticeable problems for mappings that do not
> extend to a page boundary, though they do register an extra byte.

Reviewed-by: Avi Kivity <avi@redhat.com>
Stefan Hajnoczi - Aug. 1, 2012, 1:01 p.m.
On Wed, Aug 1, 2012 at 1:56 PM, Avi Kivity <avi@redhat.com> wrote:
> On 07/26/2012 01:45 AM, Tyler Hall wrote:
>> subpage_register() expects "end" to be the last byte in the mapping.
>> Registering a non-page-aligned memory region that extends up to or
>> beyond a page boundary causes subpage_register() to silently fail
>> through the (end >= PAGE_SIZE) check.
>>
>> This bug does not cause noticeable problems for mappings that do not
>> extend to a page boundary, though they do register an extra byte.
>
> Reviewed-by: Avi Kivity <avi@redhat.com>

Thanks Avi.  Does this include Patch 2/2 too?

https://lists.gnu.org/archive/html/qemu-devel/2012-07/msg03573.html

Stefan
Avi Kivity - Aug. 1, 2012, 1:03 p.m.
On 08/01/2012 04:01 PM, Stefan Hajnoczi wrote:
> On Wed, Aug 1, 2012 at 1:56 PM, Avi Kivity <avi@redhat.com> wrote:
>> On 07/26/2012 01:45 AM, Tyler Hall wrote:
>>> subpage_register() expects "end" to be the last byte in the mapping.
>>> Registering a non-page-aligned memory region that extends up to or
>>> beyond a page boundary causes subpage_register() to silently fail
>>> through the (end >= PAGE_SIZE) check.
>>>
>>> This bug does not cause noticeable problems for mappings that do not
>>> extend to a page boundary, though they do register an extra byte.
>>
>> Reviewed-by: Avi Kivity <avi@redhat.com>
> 
> Thanks Avi.  Does this include Patch 2/2 too?

I reviewed that as well with similar results.
Stefan Hajnoczi - Aug. 3, 2012, 9:55 a.m.
On Wed, Jul 25, 2012 at 06:45:03PM -0400, Tyler Hall wrote:
> subpage_register() expects "end" to be the last byte in the mapping.
> Registering a non-page-aligned memory region that extends up to or
> beyond a page boundary causes subpage_register() to silently fail
> through the (end >= PAGE_SIZE) check.
> 
> This bug does not cause noticeable problems for mappings that do not
> extend to a page boundary, though they do register an extra byte.
> 
> Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
> ---
>  exec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Thanks, both applied to the trivial patches tree:
https://github.com/stefanha/qemu/commits/trivial-patches

Stefan

Patch

diff --git a/exec.c b/exec.c
index feb4795..27b100c 100644
--- a/exec.c
+++ b/exec.c
@@ -2271,7 +2271,7 @@  static void register_subpage(MemoryRegionSection *section)
         subpage = container_of(existing->mr, subpage_t, iomem);
     }
     start = section->offset_within_address_space & ~TARGET_PAGE_MASK;
-    end = start + section->size;
+    end = start + section->size - 1;
     subpage_register(subpage, start, end, phys_section_add(section));
 }
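Review bot: with the inclusive `end` on the `+` line, a section whose size is 0 now computes `end = start - 1`, which wraps (or goes negative, depending on the type of `end`) before subpage_register()'s `(end >= PAGE_SIZE)` check mentioned in the commit message; unless every caller guarantees a non-zero size, an `assert(section->size > 0)` next to the `- 1` would make that precondition explicit. Since the commit message describes the old failure as silent, it is also worth asserting `end < TARGET_PAGE_SIZE` (equivalently `start + section->size <= TARGET_PAGE_SIZE`) in register_subpage() before the call, so a section that still crosses the page boundary is caught loudly at the caller instead of being dropped inside subpage_register(). The stale comment above register_subpage() that Peter points out could be refreshed in the same change to state that `end` is the last byte of the mapping, not one past it.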