
ioreq: don't wrongly claim "success" in ioreq_send_buffered()

Message ID f0cd7c48-6816-4050-a505-693c4a470506@suse.com (mailing list archive)
State New

Commit Message

Jan Beulich Sept. 11, 2024, 12:19 p.m. UTC
Returning a literal number is a bad idea anyway when all other returns
use IOREQ_STATUS_* values. While that's maybe intended on Arm (mapping
to IO_ABORT), mapping to X86EMUL_OKAY is surely wrong on x86.

Fixes: f6bf39f84f82 ("x86/hvm: add support for broadcast of buffered ioreqs...")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
Judging from history, it may want to be IOREQ_STATUS_UNHANDLED instead,
eliminating the need for IOREQ_STATUS_BAD. That'll be a behavioral
change on Arm then too, though.

Shouldn't IOREQ_READ requests also be rejected here, for the result of
a read not possibly coming from anywhere, yet a (bogus) caller then
assuming some data was actually returned?
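The aliasing the commit message describes, as an added example that is not code from the patch or from Xen: a small C model of the admission check in ioreq_send_buffered(). The status values, the request and ring layouts, the ring size and the `is_read` flag are assumptions of the model; the only fact taken from the page is that on x86 a literal 0 is X86EMUL_OKAY, the same value as IOREQ_STATUS_HANDLED, so the "before" variant tells its caller that a request it threw away was delivered. The model also shows what the 20-bit address field would do to an unchecked address, and includes the read rejection the commit message asks about as a separate variant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the admission check in ioreq_send_buffered(), written for this page
 * to show why a bare `return 0` was wrong. Not Xen code: the struct layouts,
 * the ring and the numeric values are assumptions of the model; the one fact
 * taken from the page is that on x86 a literal 0 is X86EMUL_OKAY == HANDLED. */
enum ioreq_status { IOREQ_STATUS_HANDLED = 0, IOREQ_STATUS_UNHANDLED, IOREQ_STATUS_RETRY, IOREQ_STATUS_BAD };

/* The request fields the check looks at (names as used on the page). */
struct ioreq {
    uint64_t addr;
    uint32_t data;
    uint32_t count;
    bool data_is_ptr;
    bool is_read;       /* IOREQ_READ in Xen terms; assumed flag for the model */
};

/* A buffered slot has only 20 bits for the address: the 1MB limit in the patch. */
struct buf_slot {
    uint32_t addr : 20;
    uint32_t data;
};

#define RING_SLOTS 8
struct buf_ring {
    struct buf_slot slot[RING_SLOTS];
    unsigned int write_pointer;
};

static bool ring_push(struct buf_ring *r, const struct ioreq *p)
{
    if (r->write_pointer == RING_SLOTS)
        return false;                    /* ring full: caller must retry */
    struct buf_slot *s = &r->slot[r->write_pointer++];
    s->addr = (uint32_t)p->addr;         /* bit-field: silently truncated */
    s->data = p->data;
    return true;
}

/* The three cases listed in the patch's comment. */
static bool unbufferable(const struct ioreq *p)
{
    return p->addr > 0xfffffUL || p->data_is_ptr || p->count != 1;
}

/* Before the patch: a literal 0, which on x86 reads back as HANDLED. */
static int send_buffered_before(struct buf_ring *r, const struct ioreq *p)
{
    if (unbufferable(p))
        return 0;
    return ring_push(r, p) ? IOREQ_STATUS_HANDLED : IOREQ_STATUS_RETRY;
}

/* After the patch: the rejected request is reported as such. */
static int send_buffered_after(struct buf_ring *r, const struct ioreq *p)
{
    if (unbufferable(p))
        return IOREQ_STATUS_BAD;
    return ring_push(r, p) ? IOREQ_STATUS_HANDLED : IOREQ_STATUS_RETRY;
}

/* The extra check the commit message asks about: a slot has no room for a read result. */
static int send_buffered_no_reads(struct buf_ring *r, const struct ioreq *p)
{
    return p->is_read ? IOREQ_STATUS_BAD : send_buffered_after(r, p);
}

/* A caller concludes "delivered" iff the status is HANDLED; true when that matches the ring. */
static bool caller_sees_truth(int (*send)(struct buf_ring *, const struct ioreq *),
                              const struct ioreq *p)
{
    struct buf_ring ring = { 0 };
    bool delivered = send(&ring, p) == IOREQ_STATUS_HANDLED;
    return delivered == (ring.write_pointer == 1);
}

/* What the 20-bit field would have done to an unchecked address. */
static uint32_t truncated_addr(uint64_t addr)
{
    struct buf_slot s = { 0 };
    s.addr = (uint32_t)addr;
    return s.addr;
}

int main(void)
{
    /* Constructed request just above the 1MB limit. */
    const struct ioreq high = { .addr = 0x100010, .data = 0xab, .count = 1 };

    printf("0x%llx in a 20-bit field becomes 0x%x\n",
           (unsigned long long)high.addr, truncated_addr(high.addr));
    printf("before, high: caller's view correct? %d\n", caller_sees_truth(send_buffered_before, &high));
    printf("after,  high: caller's view correct? %d\n", caller_sees_truth(send_buffered_after, &high));
    return 0;
}
```

With the "before" variant, a write above 1MB never reaches the ring yet the caller is told HANDLED, which is exactly the silent drop the patch removes; with the "after" variant the caller gets IOREQ_STATUS_BAD and the ring stays empty. The truncation function shows why the 20-bit check must stay: without it, the address 0x100010 would be delivered to the device model as 0x10.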

Comments

Julien Grall Sept. 16, 2024, 9:27 p.m. UTC | #1
Hi Jan,

On 11/09/2024 13:19, Jan Beulich wrote:
> Returning a literal number is a bad idea anyway when all other returns
> use IOREQ_STATUS_* values. While that's maybe intended on Arm (mapping
> to IO_ABORT), 

Arm doesn't support buffered ioreq (see ioreq_server_create()) and 
AFAICT the "0" was already there before the code was moved.

> mapping to X86EMUL_OKAY is surely wrong on x86.

The code has been there for nearly 10 years. So I would like to understand why 
the change now. Did you see any issue? The unclear part for me is the 
behavior change. Below...

> 
> Fixes: f6bf39f84f82 ("x86/hvm: add support for broadcast of buffered ioreqs...")
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> ---
> Judging from history, it may want to be IOREQ_STATUS_UNHANDLED instead,
> eliminating the need for IOREQ_STATUS_BAD. That'll be a behavioral
> change on Arm then too, though.

... you mention Arm. But not x86. This would imply there is no behavior 
change, but I don't understand why.

For the Arm behavior change, per above, I don't think we can reach the 
code on Arm so it should not be a problem to change it.

> 
> Shouldn't IOREQ_READ requests also be rejected here, for the result of
> a read not possibly coming from anywhere, yet a (bogus) caller then
> assuming some data was actually returned?

I am not sure. I understand from a hardened PoV. But this would add an 
extra check for something the caller should be aware of. This is 
different from the address check because this is more of an 
implementation detail.

So maybe it should be an ASSERT()?

> 
> --- a/xen/arch/arm/include/asm/ioreq.h
> +++ b/xen/arch/arm/include/asm/ioreq.h
> @@ -56,6 +56,7 @@ static inline void msix_write_completion
>   #define IOREQ_STATUS_HANDLED     IO_HANDLED
>   #define IOREQ_STATUS_UNHANDLED   IO_UNHANDLED
>   #define IOREQ_STATUS_RETRY       IO_RETRY
> +#define IOREQ_STATUS_BAD         IO_ABORT
>   
>   #endif /* __ASM_ARM_IOREQ_H__ */
>   
> --- a/xen/arch/x86/include/asm/hvm/ioreq.h
> +++ b/xen/arch/x86/include/asm/hvm/ioreq.h
> @@ -12,6 +12,7 @@
>   #define IOREQ_STATUS_HANDLED     X86EMUL_OKAY
>   #define IOREQ_STATUS_UNHANDLED   X86EMUL_UNHANDLEABLE
>   #define IOREQ_STATUS_RETRY       X86EMUL_RETRY
> +#define IOREQ_STATUS_BAD         X86EMUL_UNRECOGNIZED
>   
>   #endif /* __ASM_X86_HVM_IOREQ_H__ */
>   
> --- a/xen/common/ioreq.c
> +++ b/xen/common/ioreq.c
> @@ -1175,7 +1175,7 @@ static int ioreq_send_buffered(struct io
>           return IOREQ_STATUS_UNHANDLED;
>   
>       /*
> -     * Return 0 for the cases we can't deal with:
> +     * Return BAD for the cases we can't deal with:
>        *  - 'addr' is only a 20-bit field, so we cannot address beyond 1MB
>        *  - we cannot buffer accesses to guest memory buffers, as the guest
>        *    may expect the memory buffer to be synchronously accessed
> @@ -1183,7 +1183,7 @@ static int ioreq_send_buffered(struct io
>        *    support data_is_ptr we do not waste space for the count field either
>        */
>       if ( (p->addr > 0xfffffUL) || p->data_is_ptr || (p->count != 1) )
> -        return 0;
> +        return IOREQ_STATUS_BAD;
>   
>       switch ( p->size )
>       {

Cheers,

Patch

--- a/xen/arch/arm/include/asm/ioreq.h
+++ b/xen/arch/arm/include/asm/ioreq.h
@@ -56,6 +56,7 @@  static inline void msix_write_completion
 #define IOREQ_STATUS_HANDLED     IO_HANDLED
 #define IOREQ_STATUS_UNHANDLED   IO_UNHANDLED
 #define IOREQ_STATUS_RETRY       IO_RETRY
+#define IOREQ_STATUS_BAD         IO_ABORT
 
 #endif /* __ASM_ARM_IOREQ_H__ */
 
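Review bot: mapping IOREQ_STATUS_BAD to IO_ABORT gives the Arm definition a different meaning from the x86 one (an aborted access rather than an unrecognized one), and the reply notes that Arm does not support buffered ioreqs at all, so this line exists only to keep the common code building. Either add a one-line comment saying so, or follow the commit message's own suggestion of returning IOREQ_STATUS_UNHANDLED and dropping the new macro on both architectures, so a later reader does not take IO_ABORT for a deliberate Arm behaviour.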
--- a/xen/arch/x86/include/asm/hvm/ioreq.h
+++ b/xen/arch/x86/include/asm/hvm/ioreq.h
@@ -12,6 +12,7 @@ 
 #define IOREQ_STATUS_HANDLED     X86EMUL_OKAY
 #define IOREQ_STATUS_UNHANDLED   X86EMUL_UNHANDLEABLE
 #define IOREQ_STATUS_RETRY       X86EMUL_RETRY
+#define IOREQ_STATUS_BAD         X86EMUL_UNRECOGNIZED
 
 #endif /* __ASM_X86_HVM_IOREQ_H__ */
 
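Review bot: X86EMUL_UNRECOGNIZED is a third failure value beside X86EMUL_UNHANDLEABLE, and nothing in the patch shows what the callers of ioreq_send_buffered() do with it; until now they saw 0, i.e. X86EMUL_OKAY, for these requests. State in the commit message what a caller does with the new value (which is the behavioural change the reply asks about), and if IOREQ_STATUS_UNHANDLED already yields the wanted outcome, as the note after the commit message suggests, the extra macro is not needed.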
--- a/xen/common/ioreq.c
+++ b/xen/common/ioreq.c
@@ -1175,7 +1175,7 @@  static int ioreq_send_buffered(struct io
         return IOREQ_STATUS_UNHANDLED;
 
     /*
-     * Return 0 for the cases we can't deal with:
+     * Return BAD for the cases we can't deal with:
      *  - 'addr' is only a 20-bit field, so we cannot address beyond 1MB
      *  - we cannot buffer accesses to guest memory buffers, as the guest
      *    may expect the memory buffer to be synchronously accessed
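Review bot: the comment now reads `Return BAD for the cases we can't deal with:`; spell the identifier out, `Return IOREQ_STATUS_BAD for the cases we can't deal with:`, so a grep for the macro finds the comment that explains when it is returned.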
@@ -1183,7 +1183,7 @@  static int ioreq_send_buffered(struct io
      *    support data_is_ptr we do not waste space for the count field either
      */
     if ( (p->addr > 0xfffffUL) || p->data_is_ptr || (p->count != 1) )
-        return 0;
+        return IOREQ_STATUS_BAD;
 
     switch ( p->size )
     {
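Review bot: the condition still admits reads: nothing ahead of `return IOREQ_STATUS_BAD;` looks at the request direction, which the commit message itself flags, and a buffered request carries no result data, so a caller that takes HANDLED for a read as "data returned" would use whatever its data field already held. Either reject IOREQ_READ up front with the same IOREQ_STATUS_BAD, or, if callers are trusted never to pass one, add the ASSERT() the reply proposes; leaving it unchecked is the one option that keeps reporting success for a request that was never serviced.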