From patchwork Tue Feb 5 18:14:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paolo Bonzini X-Patchwork-Id: 1037064 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="YEAeT+mg"; dkim-atps=neutral Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 43vDKK21mqz9s7T for ; Wed, 6 Feb 2019 05:55:01 +1100 (AEDT) Received: from localhost ([127.0.0.1]:37895 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gr5s3-00008G-6C for incoming@patchwork.ozlabs.org; Tue, 05 Feb 2019 13:54:59 -0500 Received: from eggs.gnu.org ([209.51.188.92]:36431) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gr5Ge-0002cb-4h for qemu-devel@nongnu.org; Tue, 05 Feb 2019 13:16:24 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gr5Gb-00046u-J7 for qemu-devel@nongnu.org; Tue, 05 Feb 2019 13:16:20 -0500 Received: from mail-wr1-x436.google.com ([2a00:1450:4864:20::436]:44633) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1gr5GZ-0003xT-Fo for qemu-devel@nongnu.org; Tue, 05 Feb 2019 13:16:17 -0500 Received: by mail-wr1-x436.google.com with SMTP id v16so2845897wrn.11 for ; Tue, 05 Feb 2019 10:16:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references; bh=UGSwc1aX5adFQoWg0wLpWvmqPVthsz+4Bc/xih1znrE=; b=YEAeT+mgPWeOPS9Z4abX990k4y523y5hfgUVAvXBQ1aNCFN1smxIl4Y83jhRJhp453 8GPwCjcbYAgDRuujg9HCO2YiagaYNpYWUsuWBGHzc9ubMIjxPYiMG3KNEYlzQEx7OLNa kYBx+Gw3VS3AQ1QIr7asfRR9mfzx04h7JaeO4Z7i/8W4jkNLzxvrD4lulwVgdxmMVYhA WBmCnkRURnUGK94sNvrHBDyVjl9eDnfzzwixzOrY1dfBVWr0pZCIyW1+Q1CQTUxBf7YA 3ayGt8n+srQ2Aqr/aSUDHo3h/96rbty4Qkr1D40TkEXYKaQpO3Yjm6nHdAH9b9LP4hLj 6dGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references; bh=UGSwc1aX5adFQoWg0wLpWvmqPVthsz+4Bc/xih1znrE=; b=PR+aVCnfVh1prS012DnDzMRulFjDfVu7HX0bZWJFIUrN2Iv3gNJrAmfME7HvZS1Jy0 sfpTKvnPbwox6GcbsjwiDb+BEKOimopkHsKZLZs2P5i+RWJF+Va8u5GE1sGcu7HaRCtH hO7ofHVNHZnYD5Xf+J+QO47COLaMeeKvAzHpBS9kvp1wreiiizJ6OA8sXgDHWyYQW419 C+XwNi3TUCcF/PtAYoS+RY8zgGo7Adju80VbsKSbgLv5n53jDpFPB2dqdrTo8tBEEfLq 1oBBygqnvLsFQrNnWKc43EM9ApUB+SyUuL1ztSfcmSYLMbNGhYvhHNUUQVPx/ve9rmC9 lhKw== X-Gm-Message-State: AHQUAuZoA8cXiJ6nSNt45FREUkbrxVWIuB5sqVvznt+APjxoS0ifovyz yCALBI62YBqLTBp/TJlJZkDrSSZl X-Google-Smtp-Source: AHgI3IZhojSFBEBVscgYmUJKa+/+m0ZDHE4tOkVl5khyvn2vXvlONR7Ut8Kh5KcQQckUAilnFf/UUg== X-Received: by 2002:adf:a14d:: with SMTP id r13mr4442946wrr.169.1549390564219; Tue, 05 Feb 2019 10:16:04 -0800 (PST) Received: from 640k.lan ([93.56.166.5]) by smtp.gmail.com with ESMTPSA id p5sm8931665wmh.16.2019.02.05.10.16.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Feb 2019 10:16:03 -0800 (PST) From: Paolo Bonzini To: qemu-devel@nongnu.org Date: Tue, 5 Feb 2019 19:14:45 +0100 Message-Id: <1549390526-24246-36-git-send-email-pbonzini@redhat.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1549390526-24246-1-git-send-email-pbonzini@redhat.com> References: <1549390526-24246-1-git-send-email-pbonzini@redhat.com> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:1450:4864:20::436 Subject: [Qemu-devel] [PULL 35/76] unify len and addr type for memory/address APIs X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , Richard Henderson , Stefano Garzarella , Li Zhijian , Peter Crosthwaite Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" From: Li Zhijian Some address/memory APIs have different type between 'hwaddr/target_ulong addr' and 'int len'. It is very unsafe, especially some APIs will be passed a non-int len by caller which might cause overflow quietly. Below is an potential overflow case: dma_memory_read(uint32_t len) -> dma_memory_rw(uint32_t len) -> dma_memory_rw_relaxed(uint32_t len) -> address_space_rw(int len) # len overflow CC: Paolo Bonzini CC: Peter Crosthwaite CC: Richard Henderson CC: Peter Maydell CC: Stefano Garzarella Signed-off-by: Li Zhijian Reviewed-by: Peter Maydell Reviewed-by: Richard Henderson Reviewed-by: Stefano Garzarella Signed-off-by: Paolo Bonzini --- exec.c | 47 +++++++++++++++++++++++------------------------ include/exec/cpu-all.h | 2 +- include/exec/cpu-common.h | 8 ++++---- include/exec/memory.h | 22 +++++++++++----------- 4 files changed, 39 insertions(+), 40 deletions(-) diff --git a/exec.c b/exec.c index 03dd673..5180645 100644 --- a/exec.c +++ b/exec.c @@ -2851,10 +2851,10 @@ static const MemoryRegionOps watch_mem_ops = { }; static MemTxResult flatview_read(FlatView *fv, hwaddr addr, - MemTxAttrs attrs, uint8_t *buf, int len); + MemTxAttrs attrs, uint8_t *buf, hwaddr len); static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len); -static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len, + const uint8_t *buf, hwaddr len); +static bool flatview_access_valid(FlatView *fv, hwaddr addr, hwaddr len, bool is_write, MemTxAttrs attrs); static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data, @@ -3102,10 +3102,10 @@ MemoryRegion *get_system_io(void) /* physical memory access (slow version, mainly for debug) */ #if defined(CONFIG_USER_ONLY) int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, - uint8_t *buf, int len, int is_write) + uint8_t *buf, target_ulong len, int is_write) { - int l, flags; - target_ulong page; + int flags; + target_ulong l, page; void * p; while (len > 0) { @@ -3231,7 +3231,7 @@ static bool prepare_mmio_access(MemoryRegion *mr) static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, MemTxAttrs attrs, const uint8_t *buf, - int len, hwaddr addr1, + hwaddr len, hwaddr addr1, hwaddr l, MemoryRegion *mr) { uint8_t *ptr; @@ -3276,7 +3276,7 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, /* Called from RCU critical section. */ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len) + const uint8_t *buf, hwaddr len) { hwaddr l; hwaddr addr1; @@ -3294,7 +3294,7 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, /* Called within RCU critical section. */ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, MemTxAttrs attrs, uint8_t *buf, - int len, hwaddr addr1, hwaddr l, + hwaddr len, hwaddr addr1, hwaddr l, MemoryRegion *mr) { uint8_t *ptr; @@ -3337,7 +3337,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, /* Called from RCU critical section. */ static MemTxResult flatview_read(FlatView *fv, hwaddr addr, - MemTxAttrs attrs, uint8_t *buf, int len) + MemTxAttrs attrs, uint8_t *buf, hwaddr len) { hwaddr l; hwaddr addr1; @@ -3350,7 +3350,7 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr, } MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr, - MemTxAttrs attrs, uint8_t *buf, int len) + MemTxAttrs attrs, uint8_t *buf, hwaddr len) { MemTxResult result = MEMTX_OK; FlatView *fv; @@ -3367,7 +3367,7 @@ MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr, MemTxResult address_space_write(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len) + const uint8_t *buf, hwaddr len) { MemTxResult result = MEMTX_OK; FlatView *fv; @@ -3383,7 +3383,7 @@ MemTxResult address_space_write(AddressSpace *as, hwaddr addr, } MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, - uint8_t *buf, int len, bool is_write) + uint8_t *buf, hwaddr len, bool is_write) { if (is_write) { return address_space_write(as, addr, attrs, buf, len); @@ -3393,7 +3393,7 @@ MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, } void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf, - int len, int is_write) + hwaddr len, int is_write) { address_space_rw(&address_space_memory, addr, MEMTXATTRS_UNSPECIFIED, buf, len, is_write); @@ -3408,7 +3408,7 @@ static inline MemTxResult address_space_write_rom_internal(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, const uint8_t *buf, - int len, + hwaddr len, enum write_rom_type type) { hwaddr l; @@ -3448,13 +3448,13 @@ static inline MemTxResult address_space_write_rom_internal(AddressSpace *as, /* used for ROM loading : can write in RAM and ROM */ MemTxResult address_space_write_rom(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len) + const uint8_t *buf, hwaddr len) { return address_space_write_rom_internal(as, addr, attrs, buf, len, WRITE_DATA); } -void cpu_flush_icache_range(hwaddr start, int len) +void cpu_flush_icache_range(hwaddr start, hwaddr len) { /* * This function should do the same thing as an icache flush that was @@ -3557,7 +3557,7 @@ static void cpu_notify_map_clients(void) qemu_mutex_unlock(&map_client_list_lock); } -static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len, +static bool flatview_access_valid(FlatView *fv, hwaddr addr, hwaddr len, bool is_write, MemTxAttrs attrs) { MemoryRegion *mr; @@ -3580,7 +3580,7 @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len, } bool address_space_access_valid(AddressSpace *as, hwaddr addr, - int len, bool is_write, + hwaddr len, bool is_write, MemTxAttrs attrs) { FlatView *fv; @@ -3833,7 +3833,7 @@ static inline MemoryRegion *address_space_translate_cached( */ void address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr, - void *buf, int len) + void *buf, hwaddr len) { hwaddr addr1, l; MemoryRegion *mr; @@ -3851,7 +3851,7 @@ address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr, */ void address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr, - const void *buf, int len) + const void *buf, hwaddr len) { hwaddr addr1, l; MemoryRegion *mr; @@ -3874,11 +3874,10 @@ address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr, /* virtual memory access for debug (includes writing to ROM) */ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, - uint8_t *buf, int len, int is_write) + uint8_t *buf, target_ulong len, int is_write) { - int l; hwaddr phys_addr; - target_ulong page; + target_ulong l, page; cpu_synchronize_state(cpu); while (len > 0) { diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h index 117d2fb..b16c9ec 100644 --- a/include/exec/cpu-all.h +++ b/include/exec/cpu-all.h @@ -367,7 +367,7 @@ void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf); #endif /* !CONFIG_USER_ONLY */ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, - uint8_t *buf, int len, int is_write); + uint8_t *buf, target_ulong len, int is_write); int cpu_exec(CPUState *cpu); diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h index 2ad2d6d..63ec1f9 100644 --- a/include/exec/cpu-common.h +++ b/include/exec/cpu-common.h @@ -83,14 +83,14 @@ size_t qemu_ram_pagesize(RAMBlock *block); size_t qemu_ram_pagesize_largest(void); void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf, - int len, int is_write); + hwaddr len, int is_write); static inline void cpu_physical_memory_read(hwaddr addr, - void *buf, int len) + void *buf, hwaddr len) { cpu_physical_memory_rw(addr, buf, len, 0); } static inline void cpu_physical_memory_write(hwaddr addr, - const void *buf, int len) + const void *buf, hwaddr len) { cpu_physical_memory_rw(addr, (void *)buf, len, 1); } @@ -111,7 +111,7 @@ bool cpu_physical_memory_is_io(hwaddr phys_addr); */ void qemu_flush_coalesced_mmio_buffer(void); -void cpu_flush_icache_range(hwaddr start, int len); +void cpu_flush_icache_range(hwaddr start, hwaddr len); extern struct MemoryRegion io_mem_rom; extern struct MemoryRegion io_mem_notdirty; diff --git a/include/exec/memory.h b/include/exec/memory.h index abe9cc7..1625913 100644 --- a/include/exec/memory.h +++ b/include/exec/memory.h @@ -1791,7 +1791,7 @@ void address_space_destroy(AddressSpace *as); */ MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, uint8_t *buf, - int len, bool is_write); + hwaddr len, bool is_write); /** * address_space_write: write to address space. @@ -1808,7 +1808,7 @@ MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, */ MemTxResult address_space_write(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len); + const uint8_t *buf, hwaddr len); /** * address_space_write_rom: write to address space, including ROM. @@ -1834,7 +1834,7 @@ MemTxResult address_space_write(AddressSpace *as, hwaddr addr, */ MemTxResult address_space_write_rom(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len); + const uint8_t *buf, hwaddr len); /* address_space_ld*: load from an address space * address_space_st*: store to an address space @@ -2035,7 +2035,7 @@ static inline MemoryRegion *address_space_translate(AddressSpace *as, * @is_write: indicates the transfer direction * @attrs: memory attributes */ -bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, +bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len, bool is_write, MemTxAttrs attrs); /* address_space_map: map a physical memory region into a host virtual address @@ -2072,19 +2072,19 @@ void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len, /* Internal functions, part of the implementation of address_space_read. */ MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr, - MemTxAttrs attrs, uint8_t *buf, int len); + MemTxAttrs attrs, uint8_t *buf, hwaddr len); MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, MemTxAttrs attrs, uint8_t *buf, - int len, hwaddr addr1, hwaddr l, + hwaddr len, hwaddr addr1, hwaddr l, MemoryRegion *mr); void *qemu_map_ram_ptr(RAMBlock *ram_block, ram_addr_t addr); /* Internal functions, part of the implementation of address_space_read_cached * and address_space_write_cached. */ void address_space_read_cached_slow(MemoryRegionCache *cache, - hwaddr addr, void *buf, int len); + hwaddr addr, void *buf, hwaddr len); void address_space_write_cached_slow(MemoryRegionCache *cache, - hwaddr addr, const void *buf, int len); + hwaddr addr, const void *buf, hwaddr len); static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write) { @@ -2112,7 +2112,7 @@ static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write) static inline __attribute__((__always_inline__)) MemTxResult address_space_read(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, uint8_t *buf, - int len) + hwaddr len) { MemTxResult result = MEMTX_OK; hwaddr l, addr1; @@ -2151,7 +2151,7 @@ MemTxResult address_space_read(AddressSpace *as, hwaddr addr, */ static inline void address_space_read_cached(MemoryRegionCache *cache, hwaddr addr, - void *buf, int len) + void *buf, hwaddr len) { assert(addr < cache->len && len <= cache->len - addr); if (likely(cache->ptr)) { @@ -2171,7 +2171,7 @@ address_space_read_cached(MemoryRegionCache *cache, hwaddr addr, */ static inline void address_space_write_cached(MemoryRegionCache *cache, hwaddr addr, - void *buf, int len) + void *buf, hwaddr len) { assert(addr < cache->len && len <= cache->len - addr); if (likely(cache->ptr)) {