From: Paul Durrant <Paul.Durrant@citrix.com>
To: 'Jan Beulich' <JBeulich@suse.com>
Cc: Anthony Perard <anthony.perard@citrix.com>,
Roger Pau Monne <roger.pau@citrix.com>,
Stefano Stabellini <sstabellini@kernel.org>,
xen-devel <xen-devel@lists.xenproject.org>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"ehabkost@redhat.com" <ehabkost@redhat.com>,
"marcel@redhat.com" <marcel@redhat.com>,
"mst@redhat.com" <mst@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Richard Henderson <rth@twiddle.net>
Subject: Re: [Qemu-devel] [Xen-devel] [PATCH v2] xen-hvm: stop faking I/O to access PCI config space
Date: Fri, 18 May 2018 13:51:24 +0000 [thread overview]
Message-ID: <f4620ef5cd6d45b58bb4ef29259c6ee9@AMSPEX02CL03.citrite.net> (raw)
In-Reply-To: <5AFED64102000078001C4069@prv1-mh.provo.novell.com>
> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: 18 May 2018 14:34
> To: Paul Durrant <Paul.Durrant@citrix.com>
> Cc: Anthony Perard <anthony.perard@citrix.com>; Roger Pau Monne
> <roger.pau@citrix.com>; Stefano Stabellini <sstabellini@kernel.org>; xen-
> devel <xen-devel@lists.xenproject.org>; qemu-devel@nongnu.org;
> ehabkost@redhat.com; marcel@redhat.com; mst@redhat.com; Paolo
> Bonzini <pbonzini@redhat.com>; Richard Henderson <rth@twiddle.net>
> Subject: Re: [Xen-devel] [PATCH v2] xen-hvm: stop faking I/O to access PCI
> config space
>
> >>> On 18.05.18 at 15:00, <paul.durrant@citrix.com> wrote:
> > @@ -903,6 +926,80 @@ static void cpu_ioreq_move(ioreq_t *req)
> > }
> > }
> >
> > +static void rw_config_req_item(XenPciDevice *xendev, ioreq_t *req,
>
> It looks to me as if both parameters could be constified.
>
They could for this function, yes.
> > + uint32_t i, uint32_t *val)
> > +{
> > + int32_t reg = req->addr;
> > + uint32_t offset = req->size * i;
> > +
> > + reg += (req->df ? -1 : 1) * offset;
> > + if (reg < 0 || reg > PCI_CONFIG_SPACE_SIZE) {
>
> Having fought a number of issues in this area in the hypervisor a couple
> of years back I wonder
> - why reg is of signed type,
I did that so I could do a < 0 check.
> - whether overflow of the first multiplication really doesn't matter,
It would be better to check it.
> - whether wrapping when adding in the offset is not an issue.
>
I'll do limits check on offset then... should be able to make reg unsigned then I guess.
> I take it that the rather lax upper bound check (should imo really be
> reg + size > PCI_CONFIG_SPACE_SIZE [implying reg + size doesn't
> itself wrap], or at least reg >= PCI_CONFIG_SPACE_SIZE) is not a
> problem because ...
>
> > + if (req->dir == IOREQ_READ) {
> > + *val = ~0u;
> > + }
> > + return;
> > + }
> > +
> > + if (req->dir == IOREQ_READ) {
> > + *val = pci_host_config_read_common(xendev->pci_dev, reg,
> > + PCI_CONFIG_SPACE_SIZE,
> > + req->size);
> > + trace_cpu_ioreq_config_read(req, xendev->sbdf, reg,
> > + req->size, *val);
> > + } else {
> > + trace_cpu_ioreq_config_write(req, xendev->sbdf, reg, req->size,
> > + *val);
> > + pci_host_config_write_common(xendev->pci_dev, reg,
> > + PCI_CONFIG_SPACE_SIZE, *val,
> > + req->size);
> > + }
>
> ... these called functions do full checking anyway?
Yes, I'm deferring further checking to these common functions. I'm only intending to avoid passing junk into them here.
>
> > +static void cpu_ioreq_config(XenIOState *state, ioreq_t *req)
> > +{
> > + uint32_t sbdf = req->addr >> 32;
> > + XenPciDevice *xendev;
> > +
> > + if (req->size > sizeof(uint32_t)) {
> > + hw_error("PCI config access: bad size (%u)", req->size);
>
> What about size 0 or 3?
>
Yes, I can reject those here also.
> > + }
> > +
> > + QLIST_FOREACH(xendev, &state->dev_list, entry) {
> > + unsigned int i;
> > + uint32_t tmp;
> > +
> > + if (xendev->sbdf != sbdf) {
> > + continue;
> > + }
> > +
> > + if (!req->data_is_ptr) {
> > + if (req->dir == IOREQ_READ) {
> > + for (i = 0; i < req->count; i++) {
> > + rw_config_req_item(xendev, req, i, &tmp);
> > + req->data = tmp;
> > + }
> > + } else if (req->dir == IOREQ_WRITE) {
> > + for (i = 0; i < req->count; i++) {
> > + tmp = req->data;
> > + rw_config_req_item(xendev, req, i, &tmp);
> > + }
> > + }
>
> Wouldn't it be more sensible to fail req->count != 1 requests here?
>
I'm wondering whether we'd want to handle count > 1 once we allow MMCONFIG accesses though. I guess it would be easier just to defer that.
Paul
> Jan
>
next prev parent reply other threads:[~2018-05-18 13:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-18 13:00 [Qemu-devel] [PATCH v2] xen-hvm: stop faking I/O to access PCI config space Paul Durrant
2018-05-18 13:33 ` [Qemu-devel] [Xen-devel] " Jan Beulich
2018-05-18 13:51 ` Paul Durrant [this message]
2018-05-18 14:15 ` Jan Beulich
2018-05-18 14:22 ` Paul Durrant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f4620ef5cd6d45b58bb4ef29259c6ee9@AMSPEX02CL03.citrite.net \
--to=paul.durrant@citrix.com \
--cc=JBeulich@suse.com \
--cc=anthony.perard@citrix.com \
--cc=ehabkost@redhat.com \
--cc=marcel@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=roger.pau@citrix.com \
--cc=rth@twiddle.net \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).