* [PATCH 1/2] x86/mm: Avoid NULL dereference when checking altp2m's for shareability @ 2016-07-27 18:08 Andrew Cooper 2016-07-27 18:08 ` [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters Andrew Cooper 2016-07-28 15:51 ` [PATCH 1/2] x86/mm: Avoid NULL dereference when checking altp2m's for shareability George Dunlap 0 siblings, 2 replies; 10+ messages in thread From: Andrew Cooper @ 2016-07-27 18:08 UTC (permalink / raw) To: Xen-devel Cc: George Dunlap, Andrew Cooper, Tim Deegan, Jan Beulich, Tamas K Lengyel Coverity identifies that __get_gfn_type_access() unconditionally writes to its type parameter under a number of circumstances. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> --- CC: Jan Beulich <JBeulich@suse.com> CC: Tim Deegan <tim@xen.org> CC: George Dunlap <george.dunlap@eu.citrix.com> CC: Tamas K Lengyel <tamas.lengyel@zentific.com> There is a second complaint that ap2ma and p2ma are used before initialisation in the following line, although that is harder to reason about. I think the code is OK... --- xen/arch/x86/mm/mem_sharing.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c index 47e0820..14952ce 100644 --- a/xen/arch/x86/mm/mem_sharing.c +++ b/xen/arch/x86/mm/mem_sharing.c @@ -870,6 +870,7 @@ int mem_sharing_nominate_page(struct domain *d, unsigned int i; struct p2m_domain *ap2m; mfn_t amfn; + p2m_type_t ap2mt; p2m_access_t ap2ma; altp2m_list_lock(d); @@ -880,7 +881,7 @@ int mem_sharing_nominate_page(struct domain *d, if ( !ap2m ) continue; - amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); + amfn = get_gfn_type_access(ap2m, gfn, &ap2mt, &ap2ma, 0, NULL); if ( mfn_valid(amfn) && (mfn_x(amfn) != mfn_x(mfn) || ap2ma != p2ma) ) { altp2m_list_unlock(d); -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters 2016-07-27 18:08 [PATCH 1/2] x86/mm: Avoid NULL dereference when checking altp2m's for shareability Andrew Cooper @ 2016-07-27 18:08 ` Andrew Cooper 2016-07-28 15:58 ` George Dunlap 2016-08-01 15:40 ` [PATCH " Jan Beulich 2016-07-28 15:51 ` [PATCH 1/2] x86/mm: Avoid NULL dereference when checking altp2m's for shareability George Dunlap 1 sibling, 2 replies; 10+ messages in thread From: Andrew Cooper @ 2016-07-27 18:08 UTC (permalink / raw) To: Xen-devel Cc: George Dunlap, Andrew Cooper, Tim Deegan, Jan Beulich, Tamas K Lengyel Introduce and use the nonnull attribute to help the compiler catch NULL parameters being passed to function which require their parameters not to be NULL. Experimentally, GCC 4.9 on Debian Jessie only warns of non-NULL-ness from immediate callers, so propagate the attributes out to all helpers. A sample error looks like: mem_sharing.c: In function ‘mem_sharing_nominate_page’: mem_sharing.c:884:13: error: null argument where non-null required (argument 3) [-Werror=nonnull] amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); ^ As part of this, replace the get_gfn_type_access() macro with an equivalent static inline function for extra type safety, and the ability to be annotated. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> --- CC: Jan Beulich <JBeulich@suse.com> CC: Tim Deegan <tim@xen.org> CC: George Dunlap <george.dunlap@eu.citrix.com> CC: Tamas K Lengyel <tamas.lengyel@zentific.com> --- xen/include/asm-x86/p2m.h | 19 +++++++++++-------- xen/include/xen/compiler.h | 2 ++ 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h index 194020e..e35d59c 100644 --- a/xen/include/asm-x86/p2m.h +++ b/xen/include/asm-x86/p2m.h @@ -380,9 +380,9 @@ void p2m_unlock_and_tlb_flush(struct p2m_domain *p2m); * After calling any of the variants below, caller needs to use * put_gfn. ****/ -mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn, - p2m_type_t *t, p2m_access_t *a, p2m_query_t q, - unsigned int *page_order, bool_t locked); +mfn_t __nonnull(1, 3, 4) __get_gfn_type_access( + struct p2m_domain *p2m, unsigned long gfn, p2m_type_t *t, + p2m_access_t *a, p2m_query_t q, unsigned int *page_order, bool_t locked); /* Read a particular P2M table, mapping pages as we go. Most callers * should _not_ call this directly; use the other get_gfn* functions @@ -391,13 +391,16 @@ mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn, * If the lookup succeeds, the return value is != INVALID_MFN and * *page_order is filled in with the order of the superpage (if any) that * the entry was found in. */ -#define get_gfn_type_access(p, g, t, a, q, o) \ - __get_gfn_type_access((p), (g), (t), (a), (q), (o), 1) +static inline mfn_t __nonnull(1, 3, 4) get_gfn_type_access( + struct p2m_domain *p2m, unsigned long gfn, p2m_type_t *t, + p2m_access_t *a, p2m_query_t q, unsigned int *page_order) +{ + return __get_gfn_type_access(p2m, gfn, t, a, q, page_order, true); +} /* General conversion function from gfn to mfn */ -static inline mfn_t get_gfn_type(struct domain *d, - unsigned long gfn, p2m_type_t *t, - p2m_query_t q) +static inline mfn_t __nonnull(1, 3) get_gfn_type( + struct domain *d, unsigned long gfn, p2m_type_t *t, p2m_query_t q) { p2m_access_t a; return get_gfn_type_access(p2m_get_hostp2m(d), gfn, t, &a, q, NULL); diff --git a/xen/include/xen/compiler.h b/xen/include/xen/compiler.h index 892455b..8fcb033 100644 --- a/xen/include/xen/compiler.h +++ b/xen/include/xen/compiler.h @@ -62,6 +62,8 @@ #define __must_check __attribute__((__warn_unused_result__)) +#define __nonnull(...) __attribute__((nonnull (__VA_ARGS__))) + #define offsetof(a,b) __builtin_offsetof(a,b) #if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 201112L -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters 2016-07-27 18:08 ` [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters Andrew Cooper @ 2016-07-28 15:58 ` George Dunlap 2016-07-28 16:11 ` Andrew Cooper ` (2 more replies) 2016-08-01 15:40 ` [PATCH " Jan Beulich 1 sibling, 3 replies; 10+ messages in thread From: George Dunlap @ 2016-07-28 15:58 UTC (permalink / raw) To: Andrew Cooper, Xen-devel Cc: George Dunlap, Tamas K Lengyel, Tim Deegan, Jan Beulich On 27/07/16 19:08, Andrew Cooper wrote: > Introduce and use the nonnull attribute to help the compiler catch NULL > parameters being passed to function which require their parameters not to be > NULL. Experimentally, GCC 4.9 on Debian Jessie only warns of non-NULL-ness > from immediate callers, so propagate the attributes out to all helpers. > > A sample error looks like: > > mem_sharing.c: In function ‘mem_sharing_nominate_page’: > mem_sharing.c:884:13: error: null argument where non-null required (argument 3) [-Werror=nonnull] > amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); > ^ > > As part of this, replace the get_gfn_type_access() macro with an equivalent > static inline function for extra type safety, and the ability to be annotated. > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> At a high level this looks like it's probably an improvement; I'd like to hear opinions of people who tend to have stronger opinions here first. One technical comment... > --- > CC: Jan Beulich <JBeulich@suse.com> > CC: Tim Deegan <tim@xen.org> > CC: George Dunlap <george.dunlap@eu.citrix.com> > CC: Tamas K Lengyel <tamas.lengyel@zentific.com> > --- > xen/include/asm-x86/p2m.h | 19 +++++++++++-------- > xen/include/xen/compiler.h | 2 ++ > 2 files changed, 13 insertions(+), 8 deletions(-) > > diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h > index 194020e..e35d59c 100644 > --- a/xen/include/asm-x86/p2m.h > +++ b/xen/include/asm-x86/p2m.h > @@ -380,9 +380,9 @@ void p2m_unlock_and_tlb_flush(struct p2m_domain *p2m); > * After calling any of the variants below, caller needs to use > * put_gfn. ****/ > > -mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn, > - p2m_type_t *t, p2m_access_t *a, p2m_query_t q, > - unsigned int *page_order, bool_t locked); > +mfn_t __nonnull(1, 3, 4) __get_gfn_type_access( __get_gfn_type_access() explicitly tolerates p2m being NULL, so '1' should be removed from the list (both here and below). -George _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters 2016-07-28 15:58 ` George Dunlap @ 2016-07-28 16:11 ` Andrew Cooper 2016-08-01 15:38 ` Jan Beulich 2016-08-01 16:59 ` [PATCH v2 " Andrew Cooper 2 siblings, 0 replies; 10+ messages in thread From: Andrew Cooper @ 2016-07-28 16:11 UTC (permalink / raw) To: George Dunlap, Xen-devel Cc: George Dunlap, Tamas K Lengyel, Tim Deegan, Jan Beulich On 28/07/16 16:58, George Dunlap wrote: > On 27/07/16 19:08, Andrew Cooper wrote: >> Introduce and use the nonnull attribute to help the compiler catch NULL >> parameters being passed to function which require their parameters not to be >> NULL. Experimentally, GCC 4.9 on Debian Jessie only warns of non-NULL-ness >> from immediate callers, so propagate the attributes out to all helpers. >> >> A sample error looks like: >> >> mem_sharing.c: In function ‘mem_sharing_nominate_page’: >> mem_sharing.c:884:13: error: null argument where non-null required (argument 3) [-Werror=nonnull] >> amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); >> ^ >> >> As part of this, replace the get_gfn_type_access() macro with an equivalent >> static inline function for extra type safety, and the ability to be annotated. >> >> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> > At a high level this looks like it's probably an improvement; I'd like > to hear opinions of people who tend to have stronger opinions here first. > > One technical comment... > >> --- >> CC: Jan Beulich <JBeulich@suse.com> >> CC: Tim Deegan <tim@xen.org> >> CC: George Dunlap <george.dunlap@eu.citrix.com> >> CC: Tamas K Lengyel <tamas.lengyel@zentific.com> >> --- >> xen/include/asm-x86/p2m.h | 19 +++++++++++-------- >> xen/include/xen/compiler.h | 2 ++ >> 2 files changed, 13 insertions(+), 8 deletions(-) >> >> diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h >> index 194020e..e35d59c 100644 >> --- a/xen/include/asm-x86/p2m.h >> +++ b/xen/include/asm-x86/p2m.h >> @@ -380,9 +380,9 @@ void p2m_unlock_and_tlb_flush(struct p2m_domain *p2m); >> * After calling any of the variants below, caller needs to use >> * put_gfn. ****/ >> >> -mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn, >> - p2m_type_t *t, p2m_access_t *a, p2m_query_t q, >> - unsigned int *page_order, bool_t locked); >> +mfn_t __nonnull(1, 3, 4) __get_gfn_type_access( > __get_gfn_type_access() explicitly tolerates p2m being NULL, so '1' > should be removed from the list (both here and below). So it does. I wonder why that is? I presume PV guests don't have a p2m. Looking though this code, it seems to be an unnecessarily complicated tangle :s ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters 2016-07-28 15:58 ` George Dunlap 2016-07-28 16:11 ` Andrew Cooper @ 2016-08-01 15:38 ` Jan Beulich 2016-08-01 16:59 ` [PATCH v2 " Andrew Cooper 2 siblings, 0 replies; 10+ messages in thread From: Jan Beulich @ 2016-08-01 15:38 UTC (permalink / raw) To: Andrew Cooper, George Dunlap Cc: George Dunlap, Tamas K Lengyel, Tim Deegan, Xen-devel >>> On 28.07.16 at 17:58, <george.dunlap@citrix.com> wrote: > On 27/07/16 19:08, Andrew Cooper wrote: >> Introduce and use the nonnull attribute to help the compiler catch NULL >> parameters being passed to function which require their parameters not to be >> NULL. Experimentally, GCC 4.9 on Debian Jessie only warns of non-NULL-ness >> from immediate callers, so propagate the attributes out to all helpers. >> >> A sample error looks like: >> >> mem_sharing.c: In function ‘mem_sharing_nominate_page’: >> mem_sharing.c:884:13: error: null argument where non-null required (argument > 3) [-Werror=nonnull] >> amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); >> ^ >> >> As part of this, replace the get_gfn_type_access() macro with an equivalent >> static inline function for extra type safety, and the ability to be > annotated. >> >> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> > > At a high level this looks like it's probably an improvement; I'd like > to hear opinions of people who tend to have stronger opinions here first. I agree on this being a desirable change. Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH v2 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters 2016-07-28 15:58 ` George Dunlap 2016-07-28 16:11 ` Andrew Cooper 2016-08-01 15:38 ` Jan Beulich @ 2016-08-01 16:59 ` Andrew Cooper 2016-08-02 7:18 ` Jan Beulich 2016-08-02 13:14 ` George Dunlap 2 siblings, 2 replies; 10+ messages in thread From: Andrew Cooper @ 2016-08-01 16:59 UTC (permalink / raw) To: Xen-devel Cc: George Dunlap, Andrew Cooper, Tim Deegan, Jan Beulich, Tamas K Lengyel Introduce and use the nonnull attribute to help the compiler catch NULL parameters being passed to function which require their parameters not to be NULL. Experimentally, GCC 4.9 on Debian Jessie only warns of non-NULL-ness from immediate callers, so propagate the attributes out to all helpers. A sample error looks like: mem_sharing.c: In function ‘mem_sharing_nominate_page’: mem_sharing.c:884:13: error: null argument where non-null required (argument 3) [-Werror=nonnull] amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); ^ As part of this, replace the get_gfn_type_access() macro with an equivalent static inline function for extra type safety, and the ability to be annotated. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> --- CC: Jan Beulich <JBeulich@suse.com> CC: Tim Deegan <tim@xen.org> CC: George Dunlap <george.dunlap@eu.citrix.com> CC: Tamas K Lengyel <tamas.lengyel@zentific.com> v2: * s/nonnull/__nonnull__/ * Tolerate the p2m parameter being NULL --- xen/include/asm-x86/p2m.h | 19 +++++++++++-------- xen/include/xen/compiler.h | 1 + 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h index 194020e..035ca92 100644 --- a/xen/include/asm-x86/p2m.h +++ b/xen/include/asm-x86/p2m.h @@ -380,9 +380,9 @@ void p2m_unlock_and_tlb_flush(struct p2m_domain *p2m); * After calling any of the variants below, caller needs to use * put_gfn. ****/ -mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn, - p2m_type_t *t, p2m_access_t *a, p2m_query_t q, - unsigned int *page_order, bool_t locked); +mfn_t __nonnull(3, 4) __get_gfn_type_access( + struct p2m_domain *p2m, unsigned long gfn, p2m_type_t *t, + p2m_access_t *a, p2m_query_t q, unsigned int *page_order, bool_t locked); /* Read a particular P2M table, mapping pages as we go. Most callers * should _not_ call this directly; use the other get_gfn* functions @@ -391,13 +391,16 @@ mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn, * If the lookup succeeds, the return value is != INVALID_MFN and * *page_order is filled in with the order of the superpage (if any) that * the entry was found in. */ -#define get_gfn_type_access(p, g, t, a, q, o) \ - __get_gfn_type_access((p), (g), (t), (a), (q), (o), 1) +static inline mfn_t __nonnull(3, 4) get_gfn_type_access( + struct p2m_domain *p2m, unsigned long gfn, p2m_type_t *t, + p2m_access_t *a, p2m_query_t q, unsigned int *page_order) +{ + return __get_gfn_type_access(p2m, gfn, t, a, q, page_order, true); +} /* General conversion function from gfn to mfn */ -static inline mfn_t get_gfn_type(struct domain *d, - unsigned long gfn, p2m_type_t *t, - p2m_query_t q) +static inline mfn_t __nonnull(3) get_gfn_type( + struct domain *d, unsigned long gfn, p2m_type_t *t, p2m_query_t q) { p2m_access_t a; return get_gfn_type_access(p2m_get_hostp2m(d), gfn, t, &a, q, NULL); diff --git a/xen/include/xen/compiler.h b/xen/include/xen/compiler.h index 892455b..f3e8d95 100644 --- a/xen/include/xen/compiler.h +++ b/xen/include/xen/compiler.h @@ -61,6 +61,7 @@ #define __maybe_unused __attribute__((__unused__)) #define __must_check __attribute__((__warn_unused_result__)) +#define __nonnull(...) __attribute__((__nonnull__(__VA_ARGS__))) #define offsetof(a,b) __builtin_offsetof(a,b) -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH v2 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters 2016-08-01 16:59 ` [PATCH v2 " Andrew Cooper @ 2016-08-02 7:18 ` Jan Beulich 2016-08-02 13:14 ` George Dunlap 1 sibling, 0 replies; 10+ messages in thread From: Jan Beulich @ 2016-08-02 7:18 UTC (permalink / raw) To: Andrew Cooper; +Cc: George Dunlap, Tamas K Lengyel, Tim Deegan, Xen-devel >>> On 01.08.16 at 18:59, <andrew.cooper3@citrix.com> wrote: > Introduce and use the nonnull attribute to help the compiler catch NULL > parameters being passed to function which require their parameters not to be > NULL. Experimentally, GCC 4.9 on Debian Jessie only warns of non-NULL-ness > from immediate callers, so propagate the attributes out to all helpers. > > A sample error looks like: > > mem_sharing.c: In function ‘mem_sharing_nominate_page’: > mem_sharing.c:884:13: error: null argument where non-null required (argument > 3) [-Werror=nonnull] > amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); > ^ > > As part of this, replace the get_gfn_type_access() macro with an equivalent > static inline function for extra type safety, and the ability to be > annotated. > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters 2016-08-01 16:59 ` [PATCH v2 " Andrew Cooper 2016-08-02 7:18 ` Jan Beulich @ 2016-08-02 13:14 ` George Dunlap 1 sibling, 0 replies; 10+ messages in thread From: George Dunlap @ 2016-08-02 13:14 UTC (permalink / raw) To: Andrew Cooper; +Cc: Tamas K Lengyel, Tim Deegan, Jan Beulich, Xen-devel On Mon, Aug 1, 2016 at 5:59 PM, Andrew Cooper <andrew.cooper3@citrix.com> wrote: > Introduce and use the nonnull attribute to help the compiler catch NULL > parameters being passed to function which require their parameters not to be > NULL. Experimentally, GCC 4.9 on Debian Jessie only warns of non-NULL-ness > from immediate callers, so propagate the attributes out to all helpers. > > A sample error looks like: > > mem_sharing.c: In function ‘mem_sharing_nominate_page’: > mem_sharing.c:884:13: error: null argument where non-null required (argument 3) [-Werror=nonnull] > amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); > ^ > > As part of this, replace the get_gfn_type_access() macro with an equivalent > static inline function for extra type safety, and the ability to be annotated. > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: George Dunlap <george.dunlap@citrix.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters 2016-07-27 18:08 ` [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters Andrew Cooper 2016-07-28 15:58 ` George Dunlap @ 2016-08-01 15:40 ` Jan Beulich 1 sibling, 0 replies; 10+ messages in thread From: Jan Beulich @ 2016-08-01 15:40 UTC (permalink / raw) To: Andrew Cooper; +Cc: George Dunlap, Tamas K Lengyel, Tim Deegan, Xen-devel >>> On 27.07.16 at 20:08, <andrew.cooper3@citrix.com> wrote: > --- a/xen/include/xen/compiler.h > +++ b/xen/include/xen/compiler.h > @@ -62,6 +62,8 @@ > > #define __must_check __attribute__((__warn_unused_result__)) > > +#define __nonnull(...) __attribute__((nonnull (__VA_ARGS__))) May I ask to use __nonnull__ here, to match the #define right above? Also I don't think there should be a blank following that token (again matching other #define-s further up). Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] x86/mm: Avoid NULL dereference when checking altp2m's for shareability 2016-07-27 18:08 [PATCH 1/2] x86/mm: Avoid NULL dereference when checking altp2m's for shareability Andrew Cooper 2016-07-27 18:08 ` [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters Andrew Cooper @ 2016-07-28 15:51 ` George Dunlap 1 sibling, 0 replies; 10+ messages in thread From: George Dunlap @ 2016-07-28 15:51 UTC (permalink / raw) To: Andrew Cooper, Xen-devel Cc: George Dunlap, Tamas K Lengyel, Tim Deegan, Jan Beulich On 27/07/16 19:08, Andrew Cooper wrote: > Coverity identifies that __get_gfn_type_access() unconditionally writes to its > type parameter under a number of circumstances. > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> > --- > CC: Jan Beulich <JBeulich@suse.com> > CC: Tim Deegan <tim@xen.org> > CC: George Dunlap <george.dunlap@eu.citrix.com> > CC: Tamas K Lengyel <tamas.lengyel@zentific.com> > > There is a second complaint that ap2ma and p2ma are used before initialisation > in the following line, although that is harder to reason about. I think the > code is OK... Well there are paths through __get_gfn_type_access() which don't set the access value -- namely if p2m is null or !paging_mode_translate(p2m->domain) (which coverity has no way of knowing). That probably could use being made more robust at some point. -George > --- > xen/arch/x86/mm/mem_sharing.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c > index 47e0820..14952ce 100644 > --- a/xen/arch/x86/mm/mem_sharing.c > +++ b/xen/arch/x86/mm/mem_sharing.c > @@ -870,6 +870,7 @@ int mem_sharing_nominate_page(struct domain *d, > unsigned int i; > struct p2m_domain *ap2m; > mfn_t amfn; > + p2m_type_t ap2mt; > p2m_access_t ap2ma; > > altp2m_list_lock(d); > @@ -880,7 +881,7 @@ int mem_sharing_nominate_page(struct domain *d, > if ( !ap2m ) > continue; > > - amfn = get_gfn_type_access(ap2m, gfn, NULL, &ap2ma, 0, NULL); > + amfn = get_gfn_type_access(ap2m, gfn, &ap2mt, &ap2ma, 0, NULL); > if ( mfn_valid(amfn) && (mfn_x(amfn) != mfn_x(mfn) || ap2ma != p2ma) ) > { > altp2m_list_unlock(d); > _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2016-08-02 13:14 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-07-27 18:08 [PATCH 1/2] x86/mm: Avoid NULL dereference when checking altp2m's for shareability Andrew Cooper 2016-07-27 18:08 ` [PATCH 2/2] x86/mm: Annotate gfn_get_* helpers as requiring non-NULL parameters Andrew Cooper 2016-07-28 15:58 ` George Dunlap 2016-07-28 16:11 ` Andrew Cooper 2016-08-01 15:38 ` Jan Beulich 2016-08-01 16:59 ` [PATCH v2 " Andrew Cooper 2016-08-02 7:18 ` Jan Beulich 2016-08-02 13:14 ` George Dunlap 2016-08-01 15:40 ` [PATCH " Jan Beulich 2016-07-28 15:51 ` [PATCH 1/2] x86/mm: Avoid NULL dereference when checking altp2m's for shareability George Dunlap
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).