[XEN,v5,7/8] x86/mm: add defensive return

Message ID	24501d2e7f5d82d8e5a483a80b35e04ce765a7cf.1722239813.git.federico.serafini@bugseng.com (mailing list archive)
State	New
Headers	show Return-Path: <xen-devel-bounces@lists.xenproject.org> Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org> From: Federico Serafini <federico.serafini@bugseng.com> To: xen-devel@lists.xenproject.org Cc: consulting@bugseng.com, Federico Serafini <federico.serafini@bugseng.com>, Jan Beulich <jbeulich@suse.com>, Andrew Cooper <andrew.cooper3@citrix.com>, =?utf-8?q?Roger_Pau_Monn=C3=A9?= <roger.pau@citrix.com> Subject: [XEN PATCH v5 7/8] x86/mm: add defensive return Date: Mon, 29 Jul 2024 11:00:08 +0200 Message-Id: <24501d2e7f5d82d8e5a483a80b35e04ce765a7cf.1722239813.git.federico.serafini@bugseng.com> In-Reply-To: <cover.1722239813.git.federico.serafini@bugseng.com> References: <cover.1722239813.git.federico.serafini@bugseng.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	x86: address some violations of MISRA C Rule 16.3 \| expand [XEN,v5,0/8] x86: address some violations of MISRA C Rule 16.3 [XEN,v5,1/8] automation/eclair: fix deviation of MISRA C Rule 16.3 [XEN,v5,2/8] x86/vpmu: address violations of MISRA C Rule 16.3 [XEN,v5,3/8] x86/traps: address violations of MISRA C Rule 16.3 [XEN,v5,4/8] x86/mce: address violations of MISRA C Rule 16.3 [XEN,v5,5/8] x86/hvm: address violations of MISRA C Rule 16.3 [XEN,v5,6/8] x86/hvm: add defensive statements in unreachable program points [XEN,v5,7/8] x86/mm: add defensive return [XEN,v5,8/8] x86/mpparse: address a violation of MISRA C Rule 16.3

Federico Serafini July 29, 2024, 9 a.m. UTC

Add defensive return statement at the end of an unreachable
default case. Other than improve safety, this meets the requirements
to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
statement shall terminate every switch-clause".

Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
---
No changes from v3 and v4, further feedback on this thread would be appreciated:
https://lists.xenproject.org/archives/html/xen-devel/2024-07/msg00474.html
---
 xen/arch/x86/mm.c | 1 +
 1 file changed, 1 insertion(+)

Stefano Stabellini July 29, 2024, 10:12 p.m. UTC | #1

On Mon, 29 Jul 2024, Federico Serafini wrote:
> Add defensive return statement at the end of an unreachable
> default case. Other than improve safety, this meets the requirements
> to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
> statement shall terminate every switch-clause".
> 
> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>

> ---
> No changes from v3 and v4, further feedback on this thread would be appreciated:
> https://lists.xenproject.org/archives/html/xen-devel/2024-07/msg00474.html
> ---
>  xen/arch/x86/mm.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
> index 95795567f2..8973e76dff 100644
> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -917,6 +917,7 @@ get_page_from_l1e(
>                  return 0;
>              default:
>                  ASSERT_UNREACHABLE();
> +                return -EPERM;
>              }
>          }
>          else if ( l1f & _PAGE_RW )
> -- 
> 2.34.1
> 
>

Stefano Stabellini Aug. 29, 2024, 12:35 a.m. UTC | #2

On Mon, 29 Jul 2024, Stefano Stabellini wrote:
> On Mon, 29 Jul 2024, Federico Serafini wrote:
> > Add defensive return statement at the end of an unreachable
> > default case. Other than improve safety, this meets the requirements
> > to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
> > statement shall terminate every switch-clause".
> > 
> > Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
> 
> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
> 
> > ---
> > No changes from v3 and v4, further feedback on this thread would be appreciated:
> > https://lists.xenproject.org/archives/html/xen-devel/2024-07/msg00474.html

Looking at the older threads, I looks like Jan suggested EACCES, I also
think it is marginally better. My R-b stands also for EACCES. Jan, I
think you should go ahead and fix on commit


> > ---
> >  xen/arch/x86/mm.c | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
> > index 95795567f2..8973e76dff 100644
> > --- a/xen/arch/x86/mm.c
> > +++ b/xen/arch/x86/mm.c
> > @@ -917,6 +917,7 @@ get_page_from_l1e(
> >                  return 0;
> >              default:
> >                  ASSERT_UNREACHABLE();
> > +                return -EPERM;
> >              }
> >          }
> >          else if ( l1f & _PAGE_RW )
> > -- 
> > 2.34.1
> > 
> > 
>

Jan Beulich Aug. 29, 2024, 7:04 a.m. UTC | #3

On 29.08.2024 02:35, Stefano Stabellini wrote:
> On Mon, 29 Jul 2024, Stefano Stabellini wrote:
>> On Mon, 29 Jul 2024, Federico Serafini wrote:
>>> Add defensive return statement at the end of an unreachable
>>> default case. Other than improve safety, this meets the requirements
>>> to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
>>> statement shall terminate every switch-clause".
>>>
>>> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
>>
>> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
>>
>>> ---
>>> No changes from v3 and v4, further feedback on this thread would be appreciated:
>>> https://lists.xenproject.org/archives/html/xen-devel/2024-07/msg00474.html
> 
> Looking at the older threads, I looks like Jan suggested EACCES, I also
> think it is marginally better. My R-b stands also for EACCES. Jan, I
> think you should go ahead and fix on commit

No, I very definitely want a 2nd x86 maintainer opinion here. Or a better
suggestion for the error code to use by anyone. After all, as you confirm,
EACCES is only marginally better.

Jan

Roger Pau Monne Aug. 30, 2024, 9:18 a.m. UTC | #4

On Thu, Aug 29, 2024 at 09:04:37AM +0200, Jan Beulich wrote:
> On 29.08.2024 02:35, Stefano Stabellini wrote:
> > On Mon, 29 Jul 2024, Stefano Stabellini wrote:
> >> On Mon, 29 Jul 2024, Federico Serafini wrote:
> >>> Add defensive return statement at the end of an unreachable
> >>> default case. Other than improve safety, this meets the requirements
> >>> to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
> >>> statement shall terminate every switch-clause".
> >>>
> >>> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
> >>
> >> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
> >>
> >>> ---
> >>> No changes from v3 and v4, further feedback on this thread would be appreciated:
> >>> https://lists.xenproject.org/archives/html/xen-devel/2024-07/msg00474.html
> > 
> > Looking at the older threads, I looks like Jan suggested EACCES, I also
> > think it is marginally better. My R-b stands also for EACCES. Jan, I
> > think you should go ahead and fix on commit
> 
> No, I very definitely want a 2nd x86 maintainer opinion here. Or a better
> suggestion for the error code to use by anyone. After all, as you confirm,
> EACCES is only marginally better.

Hm, the only alternative I could suggest is using ERANGE, to signal
the value of opt_mmio_relax is out of the expected range, however that
could be confusing for the callers?

One benefit of using ERANGE is that there's currently no return path
in get_page_from_l1e() with that error code, so it would be very easy
to spot when an unexpected value of opt_mmio_relax is found.  However
there are no guarantees that further error paths might use that error
code.

Thanks, Roger.

Andrew Cooper Aug. 30, 2024, 7:17 p.m. UTC | #5

On 30/08/2024 10:18 am, Roger Pau Monné wrote:
> On Thu, Aug 29, 2024 at 09:04:37AM +0200, Jan Beulich wrote:
>> On 29.08.2024 02:35, Stefano Stabellini wrote:
>>> On Mon, 29 Jul 2024, Stefano Stabellini wrote:
>>>> On Mon, 29 Jul 2024, Federico Serafini wrote:
>>>>> Add defensive return statement at the end of an unreachable
>>>>> default case. Other than improve safety, this meets the requirements
>>>>> to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
>>>>> statement shall terminate every switch-clause".
>>>>>
>>>>> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
>>>> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
>>>>
>>>>> ---
>>>>> No changes from v3 and v4, further feedback on this thread would be appreciated:
>>>>> https://lists.xenproject.org/archives/html/xen-devel/2024-07/msg00474.html
>>> Looking at the older threads, I looks like Jan suggested EACCES, I also
>>> think it is marginally better. My R-b stands also for EACCES. Jan, I
>>> think you should go ahead and fix on commit
>> No, I very definitely want a 2nd x86 maintainer opinion here. Or a better
>> suggestion for the error code to use by anyone. After all, as you confirm,
>> EACCES is only marginally better.
> Hm, the only alternative I could suggest is using ERANGE, to signal
> the value of opt_mmio_relax is out of the expected range, however that
> could be confusing for the callers?
>
> One benefit of using ERANGE is that there's currently no return path
> in get_page_from_l1e() with that error code, so it would be very easy
> to spot when an unexpected value of opt_mmio_relax is found.  However
> there are no guarantees that further error paths might use that error
> code.

EPERM and EACCES are both very wrong here.  They imply something that is
simply not appropriate in this context.

We use EILSEQ elsewhere for believed-impossible conditions where we need
an errno of some kind.  I suggest we use it here too.

~Andrew

Roger Pau Monne Sept. 2, 2024, 7:43 a.m. UTC | #6

On Fri, Aug 30, 2024 at 08:17:40PM +0100, Andrew Cooper wrote:
> On 30/08/2024 10:18 am, Roger Pau Monné wrote:
> > On Thu, Aug 29, 2024 at 09:04:37AM +0200, Jan Beulich wrote:
> >> On 29.08.2024 02:35, Stefano Stabellini wrote:
> >>> On Mon, 29 Jul 2024, Stefano Stabellini wrote:
> >>>> On Mon, 29 Jul 2024, Federico Serafini wrote:
> >>>>> Add defensive return statement at the end of an unreachable
> >>>>> default case. Other than improve safety, this meets the requirements
> >>>>> to deviate a violation of MISRA C Rule 16.3: "An unconditional `break'
> >>>>> statement shall terminate every switch-clause".
> >>>>>
> >>>>> Signed-off-by: Federico Serafini <federico.serafini@bugseng.com>
> >>>> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
> >>>>
> >>>>> ---
> >>>>> No changes from v3 and v4, further feedback on this thread would be appreciated:
> >>>>> https://lists.xenproject.org/archives/html/xen-devel/2024-07/msg00474.html
> >>> Looking at the older threads, I looks like Jan suggested EACCES, I also
> >>> think it is marginally better. My R-b stands also for EACCES. Jan, I
> >>> think you should go ahead and fix on commit
> >> No, I very definitely want a 2nd x86 maintainer opinion here. Or a better
> >> suggestion for the error code to use by anyone. After all, as you confirm,
> >> EACCES is only marginally better.
> > Hm, the only alternative I could suggest is using ERANGE, to signal
> > the value of opt_mmio_relax is out of the expected range, however that
> > could be confusing for the callers?
> >
> > One benefit of using ERANGE is that there's currently no return path
> > in get_page_from_l1e() with that error code, so it would be very easy
> > to spot when an unexpected value of opt_mmio_relax is found.  However
> > there are no guarantees that further error paths might use that error
> > code.
> 
> EPERM and EACCES are both very wrong here.  They imply something that is
> simply not appropriate in this context.
> 
> We use EILSEQ elsewhere for believed-impossible conditions where we need
> an errno of some kind.  I suggest we use it here too.

Fine with me.  With that:

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks.

[XEN,v5,7/8] x86/mm: add defensive return

Commit Message

Comments

Patch