References: <20180202153240.1190361-1-arnd@arndb.de> <1eddce614f604c518b9bf238a2f92e4b@AcuMS.aculab.com>
From: Arnd Bergmann
Date: Mon, 5 Feb 2018 15:18:00 +0100
Subject: Re: [PATCH] xen: hypercall: fix out-of-bounds memcpy
To: David Laight
Cc: Boris Ostrovsky, Juergen Gross, Nicolas Pitre, Andi Kleen, Dan Carpenter, Jan Beulich, xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org

On Mon, Feb 5, 2018 at 2:58 PM, David Laight wrote:
> From: Arnd Bergmann
>> Sent: 05 February 2018 12:37
> ....
>> > Are the EVTCHNOP_xxx values dense?
>> > In which case an array is almost certainly better than the switch statement.
>>
>> They are, yes. PHYSDEVOP_xxx are also consecutive but start at '4'.
>> Dan made the same comment earlier, and I replied that I had
>> considered it but went for the more failsafe route. I also verified my
>> assumption now that gcc in fact is smart enough to turn this
>> into a table by itself:
>
> I've never spotted that optimisation, must be fairly new.
Indeed, I checked again and found that most compilers have a less efficient
jump table based version; the output I posted was from gcc-8, this is what I
get with gcc-4.8 through gcc-7:

xen_event_channel_op_compat:
        pushq   %r13    #
        pushq   %r12    #
        pushq   %rbp    #
        pushq   %rbx    #
        movl    $-38, %ebx      #,
        subq    $32, %rsp       #,
# /git/arm-soc/drivers/xen/fallback.c:14:       switch (cmd) {
        cmpl    $9, %edi        #, cmd
# /git/arm-soc/drivers/xen/fallback.c:10:       struct evtchn_op op = { .cmd = cmd, };
        movq    $0, 8(%rsp)     #, MEM[(struct evtchn_op *)&op + 4B]
        movq    $0, 16(%rsp)    #, MEM[(struct evtchn_op *)&op + 4B]
        movq    $0, 24(%rsp)    #, MEM[(struct evtchn_op *)&op + 4B]
        movl    %edi, 4(%rsp)   # cmd, op.cmd
# /git/arm-soc/drivers/xen/fallback.c:14:       switch (cmd) {
        ja      .L1     #,
        movl    %edi, %eax      # cmd, cmd
        jmp     *.L4(,%rax,8)   #
        .section        .rodata
        .align 8
        .align 4
.L4:
        .quad   .L9
        .quad   .L9
        .quad   .L9
        .quad   .L5
        .quad   .L5
        .quad   .L6
        .quad   .L7
        .quad   .L7
        .quad   .L7
        .quad   .L5
        .text
.L7:
# /git/arm-soc/drivers/xen/fallback.c:31:               len = sizeof(struct evtchn_alloc_unbound);
        movl    $8, %r12d       #, len
.L3:
# /git/arm-soc/drivers/xen/fallback.c:49:       memcpy(&op.u, arg, len);
        leaq    8(%rsp), %r13   #, tmp98
        movq    %r12, %rdx      # len,
        movq    %rsi, %rbp      # arg, arg
        movq    %r13, %rdi      # tmp98,
        call    __memcpy        #
# /git/arm-soc/drivers/xen/fallback.c:50:       rc = _hypercall1(int, event_channel_op_compat, &op);
        leaq    4(%rsp), %rdi   #, tmp104
#APP
# 50 "/git/arm-soc/drivers/xen/fallback.c" 1
        call hypercall_page+512
# 0 "" 2
# /git/arm-soc/drivers/xen/fallback.c:51:       memcpy(arg, &op.u, len);
#NO_APP
        movq    %r12, %rdx      # len,
        movq    %r13, %rsi      # tmp98,
        movq    %rbp, %rdi      # arg,
# /git/arm-soc/drivers/xen/fallback.c:50:       rc = _hypercall1(int, event_channel_op_compat, &op);
        movl    %eax, %ebx      # __res.7_3,
# /git/arm-soc/drivers/xen/fallback.c:51:       memcpy(arg, &op.u, len);
        call    __memcpy        #
.L1:
# /git/arm-soc/drivers/xen/fallback.c:54: }
        addq    $32, %rsp       #,
        movl    %ebx, %eax      # ,
        popq    %rbx    #
        popq    %rbp    #
        popq    %r12    #
        popq    %r13    #
        ret
.L5:
# /git/arm-soc/drivers/xen/fallback.c:25:               len = sizeof(struct evtchn_close);
        movl    $4, %r12d       #, len
        jmp     .L3     #
.L9:
# /git/arm-soc/drivers/xen/fallback.c:16:               len = sizeof(struct evtchn_bind_interdomain);
        movl    $12, %r12d      #, len
        jmp     .L3     #
.L6:
# /git/arm-soc/drivers/xen/fallback.c:37:               len = sizeof(struct evtchn_status);
        movl    $24, %r12d      #, len
# /git/arm-soc/drivers/xen/fallback.c:38:               break;
        jmp     .L3     #
        .size   xen_event_channel_op_compat, .-xen_event_channel_op_compat
        .p2align 4,,15

which isn't all that bad, but gets slightly worse when you compile with
-mindirect-branch=thunk-extern: the total size now grows from 474 bytes
with gcc-8 to 525 bytes with gcc-7+retpoline.

        Arnd
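As an added example, not code from the patch or from anyone in this thread: the switch form and the dense-table form of the length lookup the thread compares, with the checks the table form needs before the length ever reaches memcpy. The command numbers and struct sizes are constructed to mirror the gcc-7 jump table above (cases 0 to 9 giving 12/12/12/4/4/24/8/8/8/4 bytes) rather than taken from the Xen headers, and EVTCHN_U_SIZE is an assumed size for op.u.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>

#define EVTCHN_U_SIZE 24 /* assumed size of op.u: the largest entry, evtchn_status, fills it */

/* Switch form (what the patch keeps): a cmd with no case hits the default and
 * returns -ENOSYS, so it never reaches the memcpy. Command numbers and sizes
 * are constructed to mirror the gcc-7 jump table in the message. */
int evtchn_len_switch(int cmd)
{
    switch (cmd) {
    case 0: case 1: case 2: return 12; /* bind_interdomain, bind_virq, bind_pirq */
    case 3: case 4: case 9: return 4;  /* close, send, unmask */
    case 5:                 return 24; /* status */
    case 6: case 7: case 8: return 8;  /* alloc_unbound, bind_ipi, bind_vcpu */
    default:                return -ENOSYS;
    }
}

/* Table form: smaller code, but the range check and the hole check have to be
 * written by hand, or an out-of-range cmd reads past the table and hands
 * memcpy a garbage length. */
static const unsigned char evtchn_len_table[] = { 12, 12, 12, 4, 4, 24, 8, 8, 8, 4 };

int evtchn_len_table_lookup(int cmd)
{
    if (cmd < 0 || (size_t)cmd >= sizeof(evtchn_len_table))
        return -ENOSYS;
    if (evtchn_len_table[cmd] == 0) /* a hole, if the table were sparse */
        return -ENOSYS;
    return evtchn_len_table[cmd];
}

/* Stand-in for the fallback's "memcpy(&op.u, arg, len)": copy only once the
 * length is known to be valid and to fit both buffers. */
int evtchn_copy_in(int cmd, const void *arg, size_t arg_size, unsigned char *u)
{
    int len = evtchn_len_table_lookup(cmd);
    if (len < 0)
        return len;
    if ((size_t)len > EVTCHN_U_SIZE || (size_t)len > arg_size)
        return -EINVAL;
    memcpy(u, arg, (size_t)len);
    return len;
}

/* Both forms must agree for every cmd, including negative and out-of-range ones. */
int evtchn_forms_agree(void)
{
    for (int cmd = -4; cmd < 32; cmd++)
        if (evtchn_len_switch(cmd) != evtchn_len_table_lookup(cmd))
            return 0;
    return 1;
}
```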