* arm: Minor bug report & Fix in gic_route_irq_to_guest
@ 2013-04-24  2:24 Sengul Thomas
  2013-04-24  8:24 ` Ian Campbell
  2013-04-24 13:22 ` Julien Grall
  0 siblings, 2 replies; 4+ messages in thread
From: Sengul Thomas @ 2013-04-24  2:24 UTC (permalink / raw)
  To: Xen Devel

Hello,

I found that construct_dom0 passes a local variable "name" as the devname
argument when it calls gic_route_irq_to_guest.
gic_route_irq_to_guest only stores the pointer it is given, so the stored
pointer outlives the local variable, and reading devname afterward gives a
data abort.

Here is a simple fix: copy the data instead of the pointer.

ps. I'm writing this patch on top of the following source
    repo: git://xenbits.xen.org/people/julieng/xen-unstable.git
    branch: arndale
and, I'm curious is it ok?


Signed-off-by: Thomas Sengul <thomas.sengul@gmail.com>
---
 xen/arch/arm/gic.c |   13 ++++++++++++-
 xen/arch/arm/irq.c |   14 +++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
index 63caeb8..012aae9 100644
--- a/xen/arch/arm/gic.c
+++ b/xen/arch/arm/gic.c
@@ -468,7 +468,10 @@ void __init release_irq(unsigned int irq)
     do { smp_mb(); } while ( desc->status & IRQ_INPROGRESS );

     if (action && action->free_on_release)
+    {
+        xfree((void *)action->name);
         xfree(action);
+    }
 }

 static int __setup_irq(struct irq_desc *desc, unsigned int irq,
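Review bot: The new `xfree((void *)action->name);` in release_irq is only safe if every irqaction with `free_on_release` set owns a heap-allocated name, and nothing visible in this hunk enforces that. Any path that sets `free_on_release` while `name` still points at a string literal or other memory not obtained from xmalloc would now hand that pointer to xfree(). A comment above the added line stating the rule would make the contract checkable, e.g. `/* name is xmalloc'd and owned by the action whenever free_on_release is set */`. The body of release_irq starts outside the hunk.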
@@ -617,13 +620,20 @@ int gic_route_irq_to_guest(struct domain *d,
unsigned int irq,
     struct irq_desc *desc = irq_to_desc(irq);
     unsigned long flags;
     int retval;
+    char *name;

     action = xmalloc(struct irqaction);
     if (!action)
         return -ENOMEM;

     action->dev_id = d;
-    action->name = devname;
+
+#define MIN_ACTION_NAME_LEN 16
+    name = xmalloc_array(char, MIN_ACTION_NAME_LEN);
+    if (!name)
+        return -ENOMEM;
+    strlcpy(name, devname, strnlen(devname, MIN_ACTION_NAME_LEN));
+    action->name = name;

     spin_lock_irqsave(&desc->lock, flags);
     spin_lock(&gic.lock);
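Review bot: The added `if (!name) return -ENOMEM;` returns without freeing `action`, which was allocated a few lines earlier, so a failed name allocation leaks the irqaction; it should read `if (!name) { xfree(action); return -ENOMEM; }`. The strlcpy() call also passes `strnlen(devname, MIN_ACTION_NAME_LEN)` as its size, but with the usual strlcpy semantics that argument is the destination size including the terminator, so the copy always drops the last character of devname, and for an empty devname it writes nothing and leaves `name` as unterminated, uninitialised heap memory that later readers will run past. `strlcpy(name, devname, MIN_ACTION_NAME_LEN);` matches the 16-byte buffer that was allocated. Both problems recur in the second request_irq hunk in xen/arch/arm/irq.c. The body of gic_route_irq_to_guest starts and ends outside this hunk.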
@@ -635,6 +645,7 @@ int gic_route_irq_to_guest(struct domain *d,
unsigned int irq,

     retval = __setup_irq(desc, irq, action);
     if (retval) {
+        xfree((void *)action->name);
         xfree(action);
         goto out;
     }
diff --git a/xen/arch/arm/irq.c b/xen/arch/arm/irq.c
index 8c96a0a..e6c24f9 100644
--- a/xen/arch/arm/irq.c
+++ b/xen/arch/arm/irq.c
@@ -99,6 +99,7 @@ int __init request_irq(unsigned int irq,
 {
     struct irqaction *action;
     int retval;
+    char *name;

     /*
      * Sanity-check: shared interrupts must pass in a real dev-ID,
@@ -116,13 +117,24 @@ int __init request_irq(unsigned int irq,
         return -ENOMEM;

     action->handler = handler;
-    action->name = devname;
+
+#define MIN_ACTION_NAME_LEN 16
+    name = xmalloc_array(char, MIN_ACTION_NAME_LEN);
+    if (!name)
+        return -ENOMEM;
+    strlcpy(name, devname, strnlen(devname, MIN_ACTION_NAME_LEN));
+    action->name = name;
+
     action->dev_id = dev_id;
     action->free_on_release = 1;

     retval = setup_irq(irq, action);
     if (retval)
+    {
+        xfree((void *)action->name);
         xfree(action);
+    }
+

     return retval;
 }
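Review bot: `#define MIN_ACTION_NAME_LEN 16` is written inside the function body here and again in gic_route_irq_to_guest in xen/arch/arm/gic.c, so the allocation size and the copy bound can drift apart between the two files. The constant is used as the maximum size of the name buffer, not a minimum, and any devname longer than 15 characters is truncated without a warning. A single definition next to the declaration of struct irqaction, named for what it bounds, e.g. `#define MAX_ACTION_NAME_LEN 16`, with a comment such as `/* size of the owned copy of devname, including the NUL; longer names are truncated */`, would document that. The body of request_irq starts outside this hunk.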


Sincerely,
Thomas


* Re: arm: Minor bug report & Fix in gic_route_irq_to_guest
  2013-04-24  2:24 arm: Minor bug report & Fix in gic_route_irq_to_guest Sengul Thomas
@ 2013-04-24  8:24 ` Ian Campbell
  2013-04-24  8:36   ` Sengul Thomas
  2013-04-24 13:22 ` Julien Grall
  1 sibling, 1 reply; 4+ messages in thread
From: Ian Campbell @ 2013-04-24  8:24 UTC (permalink / raw)
  To: Sengul Thomas; +Cc: Julien Grall, Xen Devel

Adding Julien, in general it's a good idea to CC the appropriate
maintainers where possible.

On Wed, 2013-04-24 at 03:24 +0100, Sengul Thomas wrote:
> Hello,
> 
> I found that when calling gic_route_irq_to_guest in construct_dom0 function,
> it uses local variable "name" for passing devname argument.
> And, gic_route_irq_to_guest just copies the pointer of this devname
> and afterward,
> reading this devname gives data abort.
> 
> Here goes a simple fix: just copying the data, not the pointer
> 
> ps. I'm writing this patch on top of the following source
>     repo: git://xenbits.xen.org/people/julieng/xen-unstable.git
>     branch: arndale
> and, I'm curious is it ok?

I guess this is specific to Julien's branch because in mainline all of
the devname arguments are string literals.

I think rather than casting away the const it should be up to the caller
of gic_route_irq_to_guest to ensure that the devname it passes in has
the appropriate lifetime -- i.e. it needs to do the copy itself.
Likewise the caller of release_irq would need to free it, but in this
case I don't think we would ever release this IRQ.

Ian.

> 
> Signed-off-by: Thomas Sengul <thomas.sengul@gmail.com>
> ---
>  xen/arch/arm/gic.c |   13 ++++++++++++-
>  xen/arch/arm/irq.c |   14 +++++++++++++-
>  2 files changed, 25 insertions(+), 2 deletions(-)
> 
> diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
> index 63caeb8..012aae9 100644
> --- a/xen/arch/arm/gic.c
> +++ b/xen/arch/arm/gic.c
> @@ -468,7 +468,10 @@ void __init release_irq(unsigned int irq)
>      do { smp_mb(); } while ( desc->status & IRQ_INPROGRESS );
> 
>      if (action && action->free_on_release)
> +    {
> +        xfree((void *)action->name);
>          xfree(action);
> +    }
>  }
> 
>  static int __setup_irq(struct irq_desc *desc, unsigned int irq,
> @@ -617,13 +620,20 @@ int gic_route_irq_to_guest(struct domain *d,
> unsigned int irq,
>      struct irq_desc *desc = irq_to_desc(irq);
>      unsigned long flags;
>      int retval;
> +    char *name;
> 
>      action = xmalloc(struct irqaction);
>      if (!action)
>          return -ENOMEM;
> 
>      action->dev_id = d;
> -    action->name = devname;
> +
> +#define MIN_ACTION_NAME_LEN 16
> +    name = xmalloc_array(char, MIN_ACTION_NAME_LEN);
> +    if (!name)
> +        return -ENOMEM;
> +    strlcpy(name, devname, strnlen(devname, MIN_ACTION_NAME_LEN));
> +    action->name = name;
> 
>      spin_lock_irqsave(&desc->lock, flags);
>      spin_lock(&gic.lock);
> @@ -635,6 +645,7 @@ int gic_route_irq_to_guest(struct domain *d,
> unsigned int irq,
> 
>      retval = __setup_irq(desc, irq, action);
>      if (retval) {
> +        xfree((void *)action->name);
>          xfree(action);
>          goto out;
>      }
> diff --git a/xen/arch/arm/irq.c b/xen/arch/arm/irq.c
> index 8c96a0a..e6c24f9 100644
> --- a/xen/arch/arm/irq.c
> +++ b/xen/arch/arm/irq.c
> @@ -99,6 +99,7 @@ int __init request_irq(unsigned int irq,
>  {
>      struct irqaction *action;
>      int retval;
> +    char *name;
> 
>      /*
>       * Sanity-check: shared interrupts must pass in a real dev-ID,
> @@ -116,13 +117,24 @@ int __init request_irq(unsigned int irq,
>          return -ENOMEM;
> 
>      action->handler = handler;
> -    action->name = devname;
> +
> +#define MIN_ACTION_NAME_LEN 16
> +    name = xmalloc_array(char, MIN_ACTION_NAME_LEN);
> +    if (!name)
> +        return -ENOMEM;
> +    strlcpy(name, devname, strnlen(devname, MIN_ACTION_NAME_LEN));
> +    action->name = name;
> +
>      action->dev_id = dev_id;
>      action->free_on_release = 1;
> 
>      retval = setup_irq(irq, action);
>      if (retval)
> +    {
> +        xfree((void *)action->name);
>          xfree(action);
> +    }
> +
> 
>      return retval;
>  }
> 
> 
> Sincerely,
> Thomas
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel


* Re: arm: Minor bug report & Fix in gic_route_irq_to_guest
  2013-04-24  8:24 ` Ian Campbell
@ 2013-04-24  8:36   ` Sengul Thomas
  0 siblings, 0 replies; 4+ messages in thread
From: Sengul Thomas @ 2013-04-24  8:36 UTC (permalink / raw)
  To: Ian Campbell; +Cc: Julien Grall, Xen Devel

On Wed, Apr 24, 2013 at 5:24 PM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> Adding Julien, in general it's a good idea to CC the appropriate
> maintainers where possible.
>
> On Wed, 2013-04-24 at 03:24 +0100, Sengul Thomas wrote:
>> Hello,
>>
>> I found that when calling gic_route_irq_to_guest in construct_dom0 function,
>> it uses local variable "name" for passing devname argument.
>> And, gic_route_irq_to_guest just copies the pointer of this devname
>> and afterward,
>> reading this devname gives data abort.
>>
>> Here goes a simple fix: just copying the data, not the pointer
>>
>> ps. I'm writing this patch on top of the following source
>>     repo: git://xenbits.xen.org/people/julieng/xen-unstable.git
>>     branch: arndale
>> and, I'm curious is it ok?
>
> I guess this is specific to Julien's branch because in mainline all of
> the devname arguments are string literals.

Oh, I just checked in mainline and got it!

>
> I think rather than casting away the const it should be up to the caller
> of gic_route_irq_to_guest to ensure that the devname it passes in has
> the appropriate lifetime -- i.e. it needs to do the copy itself.
> Likewise the caller of release_irq would need to free it, but in this
> case I don't think we would ever release this IRQ.

I got it, caller handles lifetime.

>
> Ian.
>
>>
>> Signed-off-by: Thomas Sengul <thomas.sengul@gmail.com>
>> ---
>>  xen/arch/arm/gic.c |   13 ++++++++++++-
>>  xen/arch/arm/irq.c |   14 +++++++++++++-
>>  2 files changed, 25 insertions(+), 2 deletions(-)
>>
>> diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
>> index 63caeb8..012aae9 100644
>> --- a/xen/arch/arm/gic.c
>> +++ b/xen/arch/arm/gic.c
>> @@ -468,7 +468,10 @@ void __init release_irq(unsigned int irq)
>>      do { smp_mb(); } while ( desc->status & IRQ_INPROGRESS );
>>
>>      if (action && action->free_on_release)
>> +    {
>> +        xfree((void *)action->name);
>>          xfree(action);
>> +    }
>>  }
>>
>>  static int __setup_irq(struct irq_desc *desc, unsigned int irq,
>> @@ -617,13 +620,20 @@ int gic_route_irq_to_guest(struct domain *d,
>> unsigned int irq,
>>      struct irq_desc *desc = irq_to_desc(irq);
>>      unsigned long flags;
>>      int retval;
>> +    char *name;
>>
>>      action = xmalloc(struct irqaction);
>>      if (!action)
>>          return -ENOMEM;
>>
>>      action->dev_id = d;
>> -    action->name = devname;
>> +
>> +#define MIN_ACTION_NAME_LEN 16
>> +    name = xmalloc_array(char, MIN_ACTION_NAME_LEN);
>> +    if (!name)
>> +        return -ENOMEM;
>> +    strlcpy(name, devname, strnlen(devname, MIN_ACTION_NAME_LEN));
>> +    action->name = name;
>>
>>      spin_lock_irqsave(&desc->lock, flags);
>>      spin_lock(&gic.lock);
>> @@ -635,6 +645,7 @@ int gic_route_irq_to_guest(struct domain *d,
>> unsigned int irq,
>>
>>      retval = __setup_irq(desc, irq, action);
>>      if (retval) {
>> +        xfree((void *)action->name);
>>          xfree(action);
>>          goto out;
>>      }
>> diff --git a/xen/arch/arm/irq.c b/xen/arch/arm/irq.c
>> index 8c96a0a..e6c24f9 100644
>> --- a/xen/arch/arm/irq.c
>> +++ b/xen/arch/arm/irq.c
>> @@ -99,6 +99,7 @@ int __init request_irq(unsigned int irq,
>>  {
>>      struct irqaction *action;
>>      int retval;
>> +    char *name;
>>
>>      /*
>>       * Sanity-check: shared interrupts must pass in a real dev-ID,
>> @@ -116,13 +117,24 @@ int __init request_irq(unsigned int irq,
>>          return -ENOMEM;
>>
>>      action->handler = handler;
>> -    action->name = devname;
>> +
>> +#define MIN_ACTION_NAME_LEN 16
>> +    name = xmalloc_array(char, MIN_ACTION_NAME_LEN);
>> +    if (!name)
>> +        return -ENOMEM;
>> +    strlcpy(name, devname, strnlen(devname, MIN_ACTION_NAME_LEN));
>> +    action->name = name;
>> +
>>      action->dev_id = dev_id;
>>      action->free_on_release = 1;
>>
>>      retval = setup_irq(irq, action);
>>      if (retval)
>> +    {
>> +        xfree((void *)action->name);
>>          xfree(action);
>> +    }
>> +
>>
>>      return retval;
>>  }
>>
>>
>> Sincerely,
>> Thomas
>>
>> _______________________________________________
>> Xen-devel mailing list
>> Xen-devel@lists.xen.org
>> http://lists.xen.org/xen-devel
>
>


* Re: arm: Minor bug report & Fix in gic_route_irq_to_guest
  2013-04-24  2:24 arm: Minor bug report & Fix in gic_route_irq_to_guest Sengul Thomas
  2013-04-24  8:24 ` Ian Campbell
@ 2013-04-24 13:22 ` Julien Grall
  1 sibling, 0 replies; 4+ messages in thread
From: Julien Grall @ 2013-04-24 13:22 UTC (permalink / raw)
  To: Sengul Thomas; +Cc: Ian Campbell, Xen Devel

On 04/24/2013 03:24 AM, Sengul Thomas wrote:

> Hello,
> 
> I found that when calling gic_route_irq_to_guest in construct_dom0 function,
> it uses local variable "name" for passing devname argument.
> And, gic_route_irq_to_guest just copies the pointer of this devname
> and afterward,
> reading this devname gives data abort.
> 
> Here goes a simple fix: just copying the data, not the pointer

Thanks for this report. I prefer to remove all uses of local variable
"name", because I intend to remove this code soon.

I have pushed the commit in the arndale branch with another minor change.

Cheers,

Julien

> Signed-off-by: Thomas Sengul <thomas.sengul@gmail.com>
> ---
>  xen/arch/arm/gic.c |   13 ++++++++++++-
>  xen/arch/arm/irq.c |   14 +++++++++++++-
>  2 files changed, 25 insertions(+), 2 deletions(-)
> 
> diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c
> index 63caeb8..012aae9 100644
> --- a/xen/arch/arm/gic.c
> +++ b/xen/arch/arm/gic.c
> @@ -468,7 +468,10 @@ void __init release_irq(unsigned int irq)
>      do { smp_mb(); } while ( desc->status & IRQ_INPROGRESS );
> 
>      if (action && action->free_on_release)
> +    {
> +        xfree((void *)action->name);
>          xfree(action);
> +    }
>  }
> 
>  static int __setup_irq(struct irq_desc *desc, unsigned int irq,
> @@ -617,13 +620,20 @@ int gic_route_irq_to_guest(struct domain *d,
> unsigned int irq,
>      struct irq_desc *desc = irq_to_desc(irq);
>      unsigned long flags;
>      int retval;
> +    char *name;
> 
>      action = xmalloc(struct irqaction);
>      if (!action)
>          return -ENOMEM;
> 
>      action->dev_id = d;
> -    action->name = devname;
> +
> +#define MIN_ACTION_NAME_LEN 16
> +    name = xmalloc_array(char, MIN_ACTION_NAME_LEN);
> +    if (!name)
> +        return -ENOMEM;
> +    strlcpy(name, devname, strnlen(devname, MIN_ACTION_NAME_LEN));
> +    action->name = name;
> 
>      spin_lock_irqsave(&desc->lock, flags);
>      spin_lock(&gic.lock);
> @@ -635,6 +645,7 @@ int gic_route_irq_to_guest(struct domain *d,
> unsigned int irq,
> 
>      retval = __setup_irq(desc, irq, action);
>      if (retval) {
> +        xfree((void *)action->name);
>          xfree(action);
>          goto out;
>      }
> diff --git a/xen/arch/arm/irq.c b/xen/arch/arm/irq.c
> index 8c96a0a..e6c24f9 100644
> --- a/xen/arch/arm/irq.c
> +++ b/xen/arch/arm/irq.c
> @@ -99,6 +99,7 @@ int __init request_irq(unsigned int irq,
>  {
>      struct irqaction *action;
>      int retval;
> +    char *name;
> 
>      /*
>       * Sanity-check: shared interrupts must pass in a real dev-ID,
> @@ -116,13 +117,24 @@ int __init request_irq(unsigned int irq,
>          return -ENOMEM;
> 
>      action->handler = handler;
> -    action->name = devname;
> +
> +#define MIN_ACTION_NAME_LEN 16
> +    name = xmalloc_array(char, MIN_ACTION_NAME_LEN);
> +    if (!name)
> +        return -ENOMEM;
> +    strlcpy(name, devname, strnlen(devname, MIN_ACTION_NAME_LEN));
> +    action->name = name;
> +
>      action->dev_id = dev_id;
>      action->free_on_release = 1;
> 
>      retval = setup_irq(irq, action);
>      if (retval)
> +    {
> +        xfree((void *)action->name);
>          xfree(action);
> +    }
> +
> 
>      return retval;
>  }
> 
> 
> Sincerely,
> Thomas
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

