2016-10-31 08:29:03

by Dongli Zhang

[permalink] [raw]
Subject: Re: [Xen-devel] [PATCH 1/1] xen-netfront: do not cast grant table reference to signed short

> > ref = gnttab_claim_grant_reference(&queue->gref_rx_head);
> > - BUG_ON((signed short)ref < 0);
> > + WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));

> You really need to cast to plain (or signed) long here - casting to
> unsigned long will work only in 32-bit configurations, as otherwise
> you lose the sign of the value.

Seems the sign of value would not be lost since casting to unsigned long will
use signed extension. Is my understanding wrong or did I miss anything? I have
verified this with both sample userspace helloworld program and a kernel
module.

> And then just issuing a warning here is insufficient, I think: Either
> you follow David's line of thought assuming that no failure here is

Keeping this can help debug xen-netfront.

> possible at all (in which case the BUG_ON() can be ditched without
> replacement), or you follow your original one (which matches mine)
> that we can't exclude an error here because of a bug elsewhere,
> in which case this either needs to stay BUG_ON() or should be
> followed by some form of bailing out (so that the bad ref won't get
> stored, preventing its later use from causing further damage).

The reason I use warning instead BUG_ON is that Linus suggested use
WARN_ON_ONCE() in a previous email:
http://lkml.iu.edu/hypermail/linux/kernel/1610.0/00878.html

I would change to BUG_ON() if it is OK to you.

Thank you very much!

Dongli Zhang


----- Original Message -----
From: [email protected]
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Sent: Monday, October 31, 2016 3:48:03 PM GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: Re: [Xen-devel] [PATCH 1/1] xen-netfront: do not cast grant table reference to signed short

>>> On 31.10.16 at 06:38, <[email protected]> wrote:
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -304,7 +304,7 @@ static void xennet_alloc_rx_buffers(struct netfront_queue *queue)
> queue->rx_skbs[id] = skb;
>
> ref = gnttab_claim_grant_reference(&queue->gref_rx_head);
> - BUG_ON((signed short)ref < 0);
> + WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));

You really need to cast to plain (or signed) long here - casting to
unsigned long will work only in 32-bit configurations, as otherwise
you lose the sign of the value.

And then just issuing a warning here is insufficient, I think: Either
you follow David's line of thought assuming that no failure here is
possible at all (in which case the BUG_ON() can be ditched without
replacement), or you follow your original one (which matches mine)
that we can't exclude an error here because of a bug elsewhere,
in which case this either needs to stay BUG_ON() or should be
followed by some form of bailing out (so that the bad ref won't get
stored, preventing its later use from causing further damage).

Jan


2016-10-31 08:44:21

by Jan Beulich

[permalink] [raw]
Subject: Re: [Xen-devel] [PATCH 1/1] xen-netfront: do not cast grant table reference to signed short

>>> On 31.10.16 at 09:28, <[email protected]> wrote:
>> > ref = gnttab_claim_grant_reference(&queue->gref_rx_head);
>> > - BUG_ON((signed short)ref < 0);
>> > + WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));
>
>> You really need to cast to plain (or signed) long here - casting to
>> unsigned long will work only in 32-bit configurations, as otherwise
>> you lose the sign of the value.
>
> Seems the sign of value would not be lost since casting to unsigned long will
> use signed extension. Is my understanding wrong or did I miss anything?

ref being of type grant_ref_t, which is a typedef of uint32_t, I can't
see how the conversion to unsigned long would be using sign
extension. Did you look at the generated code? (If ref was of a signed
type, I don't think the original author would have found a need to cast
it to signed short.)

> I have verified this with both sample userspace helloworld program
> and a kernel module.

Are you saying you did see the warning trigger with a 64-bit kernel?
I'd be very surprised, but of course I may be overlooking something.

Jan