Message ID | 1415785203-26938-3-git-send-email-mst@redhat.com |
---|---|
State | New |
Headers | show |
* Michael S. Tsirkin (mst@redhat.com) wrote: > host pointer accesses force pointer math, let's > add a wrapper to make them safer. > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > --- > include/exec/cpu-all.h | 5 +++++ > exec.c | 10 +++++----- > 2 files changed, 10 insertions(+), 5 deletions(-) > > diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h > index c085804..9d8d408 100644 > --- a/include/exec/cpu-all.h > +++ b/include/exec/cpu-all.h > @@ -313,6 +313,11 @@ typedef struct RAMBlock { > int fd; > } RAMBlock; > > +static inline void *ramblock_ptr(RAMBlock *block, ram_addr_t offset) > +{ > + return (char *)block->host + offset; > +} I'm a bit surprised you don't need to pass a length to this to be able to tell how much you can access. > typedef struct RAMList { > QemuMutex mutex; > /* Protected by the iothread lock. */ > diff --git a/exec.c b/exec.c > index ad5cf12..9648669 100644 > --- a/exec.c > +++ b/exec.c > @@ -840,7 +840,7 @@ static void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length) > > block = qemu_get_ram_block(start); > assert(block == qemu_get_ram_block(end - 1)); > - start1 = (uintptr_t)block->host + (start - block->offset); > + start1 = (uintptr_t)ramblock_ptr(block, start - block->offset); > cpu_tlb_reset_dirty_all(start1, length); > } > > @@ -1500,7 +1500,7 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length) > QTAILQ_FOREACH(block, &ram_list.blocks, next) { > offset = addr - block->offset; > if (offset < block->length) { > - vaddr = block->host + offset; > + vaddr = ramblock_ptr(block, offset); > if (block->flags & RAM_PREALLOC) { > ; > } else if (xen_enabled()) { > @@ -1551,7 +1551,7 @@ void *qemu_get_ram_block_host_ptr(ram_addr_t addr) > { > RAMBlock *block = qemu_get_ram_block(addr); > > - return block->host; > + return ramblock_ptr(block, 0); > } > > /* Return a host pointer to ram allocated with qemu_ram_alloc. > @@ -1578,7 +1578,7 @@ void *qemu_get_ram_ptr(ram_addr_t addr) > xen_map_cache(block->offset, block->length, 1); > } > } > - return block->host + (addr - block->offset); > + return ramblock_ptr(block, addr - block->offset); > } which then makes me wonder if all the uses of this are safe near the end of the block. > /* Return a host pointer to guest's ram. Similar to qemu_get_ram_ptr > @@ -1597,7 +1597,7 @@ static void *qemu_ram_ptr_length(ram_addr_t addr, hwaddr *size) > if (addr - block->offset < block->length) { > if (addr - block->offset + *size > block->length) > *size = block->length - addr + block->offset; > - return block->host + (addr - block->offset); > + return ramblock_ptr(block, addr - block->offset); > } but then this sounds like it's going to have partial duplication, it already looks like it's only going to succeed if it finds itself a block that the access fits in. Dave > } > > -- > MST > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
On Mon, Nov 17, 2014 at 10:58:53AM +0000, Dr. David Alan Gilbert wrote: > * Michael S. Tsirkin (mst@redhat.com) wrote: > > host pointer accesses force pointer math, let's > > add a wrapper to make them safer. > > > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > > --- > > include/exec/cpu-all.h | 5 +++++ > > exec.c | 10 +++++----- > > 2 files changed, 10 insertions(+), 5 deletions(-) > > > > diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h > > index c085804..9d8d408 100644 > > --- a/include/exec/cpu-all.h > > +++ b/include/exec/cpu-all.h > > @@ -313,6 +313,11 @@ typedef struct RAMBlock { > > int fd; > > } RAMBlock; > > > > +static inline void *ramblock_ptr(RAMBlock *block, ram_addr_t offset) > > +{ > > + return (char *)block->host + offset; > > +} > > I'm a bit surprised you don't need to pass a length to this to be able > to tell how much you can access. This is because at the moment all accesses only touch a single page. Said assumption seems to be made all over the code, and won't be easy to remove. > > typedef struct RAMList { > > QemuMutex mutex; > > /* Protected by the iothread lock. */ > > diff --git a/exec.c b/exec.c > > index ad5cf12..9648669 100644 > > --- a/exec.c > > +++ b/exec.c > > @@ -840,7 +840,7 @@ static void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length) > > > > block = qemu_get_ram_block(start); > > assert(block == qemu_get_ram_block(end - 1)); > > - start1 = (uintptr_t)block->host + (start - block->offset); > > + start1 = (uintptr_t)ramblock_ptr(block, start - block->offset); > > cpu_tlb_reset_dirty_all(start1, length); > > } > > > > @@ -1500,7 +1500,7 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length) > > QTAILQ_FOREACH(block, &ram_list.blocks, next) { > > offset = addr - block->offset; > > if (offset < block->length) { > > - vaddr = block->host + offset; > > + vaddr = ramblock_ptr(block, offset); > > if (block->flags & RAM_PREALLOC) { > > ; > > } else if (xen_enabled()) { > > @@ -1551,7 +1551,7 @@ void *qemu_get_ram_block_host_ptr(ram_addr_t addr) > > { > > RAMBlock *block = qemu_get_ram_block(addr); > > > > - return block->host; > > + return ramblock_ptr(block, 0); > > } > > > > /* Return a host pointer to ram allocated with qemu_ram_alloc. > > @@ -1578,7 +1578,7 @@ void *qemu_get_ram_ptr(ram_addr_t addr) > > xen_map_cache(block->offset, block->length, 1); > > } > > } > > - return block->host + (addr - block->offset); > > + return ramblock_ptr(block, addr - block->offset); > > } > > which then makes me wonder if all the uses of this are safe near the > end of the block. > > > /* Return a host pointer to guest's ram. Similar to qemu_get_ram_ptr > > @@ -1597,7 +1597,7 @@ static void *qemu_ram_ptr_length(ram_addr_t addr, hwaddr *size) > > if (addr - block->offset < block->length) { > > if (addr - block->offset + *size > block->length) > > *size = block->length - addr + block->offset; > > - return block->host + (addr - block->offset); > > + return ramblock_ptr(block, addr - block->offset); > > } > > but then this sounds like it's going to have partial duplication, it already looks > like it's only going to succeed if it finds itself a block that the access fits > in. > > > Dave Sorry, I don't really understand what you are saying here. > > } > > > > -- > > MST > > > -- > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
* Michael S. Tsirkin (mst@redhat.com) wrote: > On Mon, Nov 17, 2014 at 10:58:53AM +0000, Dr. David Alan Gilbert wrote: > > * Michael S. Tsirkin (mst@redhat.com) wrote: > > > host pointer accesses force pointer math, let's > > > add a wrapper to make them safer. > > > > > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > > > --- > > > include/exec/cpu-all.h | 5 +++++ > > > exec.c | 10 +++++----- > > > 2 files changed, 10 insertions(+), 5 deletions(-) > > > > > > diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h > > > index c085804..9d8d408 100644 > > > --- a/include/exec/cpu-all.h > > > +++ b/include/exec/cpu-all.h > > > @@ -313,6 +313,11 @@ typedef struct RAMBlock { > > > int fd; > > > } RAMBlock; > > > > > > +static inline void *ramblock_ptr(RAMBlock *block, ram_addr_t offset) > > > +{ > > > + return (char *)block->host + offset; > > > +} > > > > I'm a bit surprised you don't need to pass a length to this to be able > > to tell how much you can access. > > This is because at the moment all accesses only touch a single page. > Said assumption seems to be made all over the code, and won't > be easy to remove. > > > > typedef struct RAMList { > > > QemuMutex mutex; > > > /* Protected by the iothread lock. */ > > > diff --git a/exec.c b/exec.c > > > index ad5cf12..9648669 100644 > > > --- a/exec.c > > > +++ b/exec.c > > > @@ -840,7 +840,7 @@ static void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length) > > > > > > block = qemu_get_ram_block(start); > > > assert(block == qemu_get_ram_block(end - 1)); > > > - start1 = (uintptr_t)block->host + (start - block->offset); > > > + start1 = (uintptr_t)ramblock_ptr(block, start - block->offset); > > > cpu_tlb_reset_dirty_all(start1, length); > > > } > > > > > > @@ -1500,7 +1500,7 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length) > > > QTAILQ_FOREACH(block, &ram_list.blocks, next) { > > > offset = addr - block->offset; > > > if (offset < block->length) { > > > - vaddr = block->host + offset; > > > + vaddr = ramblock_ptr(block, offset); > > > if (block->flags & RAM_PREALLOC) { > > > ; > > > } else if (xen_enabled()) { > > > @@ -1551,7 +1551,7 @@ void *qemu_get_ram_block_host_ptr(ram_addr_t addr) > > > { > > > RAMBlock *block = qemu_get_ram_block(addr); > > > > > > - return block->host; > > > + return ramblock_ptr(block, 0); > > > } > > > > > > /* Return a host pointer to ram allocated with qemu_ram_alloc. > > > @@ -1578,7 +1578,7 @@ void *qemu_get_ram_ptr(ram_addr_t addr) > > > xen_map_cache(block->offset, block->length, 1); > > > } > > > } > > > - return block->host + (addr - block->offset); > > > + return ramblock_ptr(block, addr - block->offset); > > > } > > > > which then makes me wonder if all the uses of this are safe near the > > end of the block. > > > > > /* Return a host pointer to guest's ram. Similar to qemu_get_ram_ptr > > > @@ -1597,7 +1597,7 @@ static void *qemu_ram_ptr_length(ram_addr_t addr, hwaddr *size) > > > if (addr - block->offset < block->length) { > > > if (addr - block->offset + *size > block->length) > > > *size = block->length - addr + block->offset; > > > - return block->host + (addr - block->offset); > > > + return ramblock_ptr(block, addr - block->offset); > > > } > > > > but then this sounds like it's going to have partial duplication, it already looks > > like it's only going to succeed if it finds itself a block that the access fits > > in. > > > > > > Dave > > Sorry, I don't really understand what you are saying here. qemu_ram_ptr_length already does some checks, so using ramblock_ptr is duplicating some of that; not a big issue. Dave > > > > } > > > > > > -- > > > MST > > > > > -- > > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
On Mon, Nov 17, 2014 at 12:59:44PM +0000, Dr. David Alan Gilbert wrote: > * Michael S. Tsirkin (mst@redhat.com) wrote: > > On Mon, Nov 17, 2014 at 10:58:53AM +0000, Dr. David Alan Gilbert wrote: > > > * Michael S. Tsirkin (mst@redhat.com) wrote: > > > > host pointer accesses force pointer math, let's > > > > add a wrapper to make them safer. > > > > > > > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > > > > --- > > > > include/exec/cpu-all.h | 5 +++++ > > > > exec.c | 10 +++++----- > > > > 2 files changed, 10 insertions(+), 5 deletions(-) > > > > > > > > diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h > > > > index c085804..9d8d408 100644 > > > > --- a/include/exec/cpu-all.h > > > > +++ b/include/exec/cpu-all.h > > > > @@ -313,6 +313,11 @@ typedef struct RAMBlock { > > > > int fd; > > > > } RAMBlock; > > > > > > > > +static inline void *ramblock_ptr(RAMBlock *block, ram_addr_t offset) > > > > +{ > > > > + return (char *)block->host + offset; > > > > +} > > > > > > I'm a bit surprised you don't need to pass a length to this to be able > > > to tell how much you can access. > > > > This is because at the moment all accesses only touch a single page. > > Said assumption seems to be made all over the code, and won't > > be easy to remove. > > > > > > typedef struct RAMList { > > > > QemuMutex mutex; > > > > /* Protected by the iothread lock. */ > > > > diff --git a/exec.c b/exec.c > > > > index ad5cf12..9648669 100644 > > > > --- a/exec.c > > > > +++ b/exec.c > > > > @@ -840,7 +840,7 @@ static void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length) > > > > > > > > block = qemu_get_ram_block(start); > > > > assert(block == qemu_get_ram_block(end - 1)); > > > > - start1 = (uintptr_t)block->host + (start - block->offset); > > > > + start1 = (uintptr_t)ramblock_ptr(block, start - block->offset); > > > > cpu_tlb_reset_dirty_all(start1, length); > > > > } > > > > > > > > @@ -1500,7 +1500,7 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length) > > > > QTAILQ_FOREACH(block, &ram_list.blocks, next) { > > > > offset = addr - block->offset; > > > > if (offset < block->length) { > > > > - vaddr = block->host + offset; > > > > + vaddr = ramblock_ptr(block, offset); > > > > if (block->flags & RAM_PREALLOC) { > > > > ; > > > > } else if (xen_enabled()) { > > > > @@ -1551,7 +1551,7 @@ void *qemu_get_ram_block_host_ptr(ram_addr_t addr) > > > > { > > > > RAMBlock *block = qemu_get_ram_block(addr); > > > > > > > > - return block->host; > > > > + return ramblock_ptr(block, 0); > > > > } > > > > > > > > /* Return a host pointer to ram allocated with qemu_ram_alloc. > > > > @@ -1578,7 +1578,7 @@ void *qemu_get_ram_ptr(ram_addr_t addr) > > > > xen_map_cache(block->offset, block->length, 1); > > > > } > > > > } > > > > - return block->host + (addr - block->offset); > > > > + return ramblock_ptr(block, addr - block->offset); > > > > } > > > > > > which then makes me wonder if all the uses of this are safe near the > > > end of the block. > > > > > > > /* Return a host pointer to guest's ram. Similar to qemu_get_ram_ptr > > > > @@ -1597,7 +1597,7 @@ static void *qemu_ram_ptr_length(ram_addr_t addr, hwaddr *size) > > > > if (addr - block->offset < block->length) { > > > > if (addr - block->offset + *size > block->length) > > > > *size = block->length - addr + block->offset; > > > > - return block->host + (addr - block->offset); > > > > + return ramblock_ptr(block, addr - block->offset); > > > > } > > > > > > but then this sounds like it's going to have partial duplication, it already looks > > > like it's only going to succeed if it finds itself a block that the access fits > > > in. > > > > > > > > > Dave > > > > Sorry, I don't really understand what you are saying here. > > qemu_ram_ptr_length already does some checks, so using ramblock_ptr is duplicating > some of that; not a big issue. > > Dave Yep. Since the point is hardening, it's probably a good idea to keep it simple - and data path shouldn't use ram_addr_t. > > > > > > } > > > > > > > > -- > > > > MST > > > > > > > -- > > > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK > -- > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h index c085804..9d8d408 100644 --- a/include/exec/cpu-all.h +++ b/include/exec/cpu-all.h @@ -313,6 +313,11 @@ typedef struct RAMBlock { int fd; } RAMBlock; +static inline void *ramblock_ptr(RAMBlock *block, ram_addr_t offset) +{ + return (char *)block->host + offset; +} + typedef struct RAMList { QemuMutex mutex; /* Protected by the iothread lock. */ diff --git a/exec.c b/exec.c index ad5cf12..9648669 100644 --- a/exec.c +++ b/exec.c @@ -840,7 +840,7 @@ static void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length) block = qemu_get_ram_block(start); assert(block == qemu_get_ram_block(end - 1)); - start1 = (uintptr_t)block->host + (start - block->offset); + start1 = (uintptr_t)ramblock_ptr(block, start - block->offset); cpu_tlb_reset_dirty_all(start1, length); } @@ -1500,7 +1500,7 @@ void qemu_ram_remap(ram_addr_t addr, ram_addr_t length) QTAILQ_FOREACH(block, &ram_list.blocks, next) { offset = addr - block->offset; if (offset < block->length) { - vaddr = block->host + offset; + vaddr = ramblock_ptr(block, offset); if (block->flags & RAM_PREALLOC) { ; } else if (xen_enabled()) { @@ -1551,7 +1551,7 @@ void *qemu_get_ram_block_host_ptr(ram_addr_t addr) { RAMBlock *block = qemu_get_ram_block(addr); - return block->host; + return ramblock_ptr(block, 0); } /* Return a host pointer to ram allocated with qemu_ram_alloc. @@ -1578,7 +1578,7 @@ void *qemu_get_ram_ptr(ram_addr_t addr) xen_map_cache(block->offset, block->length, 1); } } - return block->host + (addr - block->offset); + return ramblock_ptr(block, addr - block->offset); } /* Return a host pointer to guest's ram. Similar to qemu_get_ram_ptr @@ -1597,7 +1597,7 @@ static void *qemu_ram_ptr_length(ram_addr_t addr, hwaddr *size) if (addr - block->offset < block->length) { if (addr - block->offset + *size > block->length) *size = block->length - addr + block->offset; - return block->host + (addr - block->offset); + return ramblock_ptr(block, addr - block->offset); } }
host pointer accesses force pointer math, let's add a wrapper to make them safer. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> --- include/exec/cpu-all.h | 5 +++++ exec.c | 10 +++++----- 2 files changed, 10 insertions(+), 5 deletions(-)