From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH v5 3/8] sysctl: Make XEN_SYSCTL_topologyinfo
 sysctl a little more efficient
Date: Wed, 25 Mar 2015 16:13:12 +0000
Message-ID: <5512DE98.10604@citrix.com>
References: <1426802044-19444-1-git-send-email-boris.ostrovsky@oracle.com>
	<1426802044-19444-4-git-send-email-boris.ostrovsky@oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1426802044-19444-4-git-send-email-boris.ostrovsky@oracle.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Boris Ostrovsky <boris.ostrovsky@oracle.com>, jbeulich@suse.com, keir@xen.org, ian.jackson@eu.citrix.com, stefano.stabellini@eu.citrix.com, ian.campbell@citrix.com, wei.liu2@citrix.com, dario.faggioli@citrix.com, elena.ufimtseva@oracle.com, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 19/03/15 22:53, Boris Ostrovsky wrote:
> --- a/xen/common/sysctl.c
> +++ b/xen/common/sysctl.c
> @@ -324,39 +324,63 @@ long do_sysctl(XEN_GUEST_HANDLE_PARAM(xen_sysctl_t) u_sysctl)
>       }
>       break;
>   
> -    case XEN_SYSCTL_topologyinfo:
> +    case XEN_SYSCTL_cputopoinfo:
>       {
> -        uint32_t i, max_cpu_index, last_online_cpu;
> -        xen_sysctl_topologyinfo_t *ti = &op->u.topologyinfo;
> +        uint32_t i, num_cpus;
> +        xen_sysctl_cputopoinfo_t *ti = &op->u.cputopoinfo;
>   
> -        last_online_cpu = cpumask_last(&cpu_online_map);
> -        max_cpu_index = min_t(uint32_t, ti->max_cpu_index, last_online_cpu);
> -        ti->max_cpu_index = last_online_cpu;
> -
> -        for ( i = 0; i <= max_cpu_index; i++ )
> +        num_cpus = cpumask_last(&cpu_online_map) + 1;
> +        if ( !guest_handle_is_null(ti->cputopo) )
>           {
> -            if ( !guest_handle_is_null(ti->cpu_to_core) )
> +            if ( ti->num_cpus < num_cpus )
>               {
> -                uint32_t core = cpu_online(i) ? cpu_to_core(i) : ~0u;
> -                if ( copy_to_guest_offset(ti->cpu_to_core, i, &core, 1) )
> -                    break;
> +                ret = -ENOBUFS;
> +                i = num_cpus;
>               }
> -            if ( !guest_handle_is_null(ti->cpu_to_socket) )
> +
> +            for ( i = 0; i < num_cpus; i++ )

Observe that the "i = 0" clobbers the -ENOBUFS detection, meaning that 
Xen will always write num_cpus into the userspace array, writing past 
the end of the array if it is too short.

As this patch has already been committed, please fix as a matter of 
priority (or I can if you are overly busy).

~Andrew

(Also, you have introduced a mixed tab/space into 
tools/python/xen/lowlevel/xc/xc.c on the "goto out;" line)