* [PATCH] x86: fix bug_line()
@ 2013-10-11 15:25 Jan Beulich
2013-10-11 17:17 ` Keir Fraser
0 siblings, 1 reply; 2+ messages in thread
From: Jan Beulich @ 2013-10-11 15:25 UTC (permalink / raw)
To: xen-devel; +Cc: Keir Fraser
Due to the packing into a bit field together with a relocated field,
the computation can overflow when the relocated field ends up getting a
negative value stored. Hence it isn't sufficient to correct the value
by 1 in this case, but we also need to mask the result to the width of
the original bit field.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/include/asm-x86/bug.h
+++ b/xen/include/asm-x86/bug.h
@@ -15,9 +15,11 @@ struct bug_frame {
#define bug_loc(b) ((const void *)(b) + (b)->loc_disp)
#define bug_ptr(b) ((const void *)(b) + (b)->ptr_disp)
-#define bug_line(b) ((((b)->line_hi + ((b)->loc_disp < 0)) << \
+#define bug_line(b) (((((b)->line_hi + ((b)->loc_disp < 0)) & \
+ ((1 << BUG_LINE_HI_WIDTH) - 1)) << \
BUG_LINE_LO_WIDTH) + \
- (b)->line_lo + ((b)->ptr_disp < 0))
+ (((b)->line_lo + ((b)->ptr_disp < 0)) & \
+ ((1 << BUG_LINE_LO_WIDTH) - 1)))
#define bug_msg(b) ((const char *)(b) + (b)->msg_disp[1])
#define BUGFRAME_run_fn 0
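Review bot: The two masks added to bug_line() are open-coded as `((1 << BUG_LINE_HI_WIDTH) - 1)` and `((1 << BUG_LINE_LO_WIDTH) - 1)`, and nothing in bug.h says why they are needed. The reasoning (a negative value in the relocated field packed next to the line field makes the +1 correction overflow the field width) exists only in the commit message. A short comment above the macro, and possibly named mask macros, would keep a later cleanup from dropping the masking as apparently redundant.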
* Re: [PATCH] x86: fix bug_line()
2013-10-11 15:25 [PATCH] x86: fix bug_line() Jan Beulich
@ 2013-10-11 17:17 ` Keir Fraser
0 siblings, 0 replies; 2+ messages in thread
From: Keir Fraser @ 2013-10-11 17:17 UTC (permalink / raw)
To: Jan Beulich, xen-devel
On 11/10/2013 16:25, "Jan Beulich" <JBeulich@suse.com> wrote:
> Due to the packing into a bit field together with a relocated field,
> the computation can overflow when the relocated field ends up getting a
> negative value stored. Hence it isn't sufficient to correct the value
> by 1 in this case, but we also need to mask the result to the width of
> the original bit field.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
> --- a/xen/include/asm-x86/bug.h
> +++ b/xen/include/asm-x86/bug.h
> @@ -15,9 +15,11 @@ struct bug_frame {
>
> #define bug_loc(b) ((const void *)(b) + (b)->loc_disp)
> #define bug_ptr(b) ((const void *)(b) + (b)->ptr_disp)
> -#define bug_line(b) ((((b)->line_hi + ((b)->loc_disp < 0)) <<
> \
> +#define bug_line(b) (((((b)->line_hi + ((b)->loc_disp < 0)) &
> \
> + ((1 << BUG_LINE_HI_WIDTH) - 1)) <<
> \
> BUG_LINE_LO_WIDTH) +
> \
> - (b)->line_lo + ((b)->ptr_disp < 0))
> + (((b)->line_lo + ((b)->ptr_disp < 0)) &
> \
> + ((1 << BUG_LINE_LO_WIDTH) - 1)))
> #define bug_msg(b) ((const char *)(b) + (b)->msg_disp[1])
>
> #define BUGFRAME_run_fn 0
>
>
>
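Review bot: bug_line() expands `(b)` four times (line_hi, loc_disp, line_lo, ptr_disp), so an argument with side effects would be evaluated repeatedly. With the added masks the expression is dense enough that a static inline function taking a const struct bug_frame pointer would be easier to read and would type-check its argument. Separately, `1 << BUG_LINE_HI_WIDTH` and `1 << BUG_LINE_LO_WIDTH` shift a signed int; the width values are not visible in this hunk, but writing `1u` would keep both masks well defined whatever the widths are set to.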