Message ID | f0cd7c48-6816-4050-a505-693c4a470506@suse.com (mailing list archive) |
---|---|
State | Superseded |
Series | ioreq: don't wrongly claim "success" in ioreq_send_buffered() |
Hi Jan,

On 11/09/2024 13:19, Jan Beulich wrote:
> Returning a literal number is a bad idea anyway when all other returns
> use IOREQ_STATUS_* values. While that's maybe intended on Arm (mapping
> to IO_ABORT),

Arm doesn't support buffered ioreq (see ioreq_server_create()) and
AFAICT the "0" was already there before the code was moved.

> mapping to X86EMUL_OKAY is surely wrong on x86.

The code has been like this for nearly 10 years. So I would like to
understand why the change now. Did you see any issue?

The unclear part for me is the behavior change. Below...

>
> Fixes: f6bf39f84f82 ("x86/hvm: add support for broadcast of buffered ioreqs...")
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> ---
> Judging from history, it may want to be IOREQ_STATUS_UNHANDLED instead,
> eliminating the need for IOREQ_STATUS_BAD. That'll be a behavioral
> change on Arm then too, though.

... you mention Arm. But not x86. This would imply there is no behavior
change but I don't understand why.

For the Arm behavior change, per above, I don't think we can reach the
code on Arm so it should not be a problem to change it.

>
> Shouldn't IOREQ_READ requests also be rejected here, for the result of
> a read not possibly coming from anywhere, yet a (bogus) caller then
> assuming some data was actually returned?

I am not sure. I understand from a hardened PoV. But this would add an
extra check to something the caller should be aware of. This is
different from the address check because this is more of an
implementation detail.

So maybe it should be an ASSERT()?

>
> --- a/xen/arch/arm/include/asm/ioreq.h > +++ b/xen/arch/arm/include/asm/ioreq.h > @@ -56,6 +56,7 @@ static inline void msix_write_completion > #define IOREQ_STATUS_HANDLED IO_HANDLED > #define IOREQ_STATUS_UNHANDLED IO_UNHANDLED > #define IOREQ_STATUS_RETRY IO_RETRY > +#define IOREQ_STATUS_BAD IO_ABORT > > #endif /* __ASM_ARM_IOREQ_H__ */ > > --- a/xen/arch/x86/include/asm/hvm/ioreq.h > +++ b/xen/arch/x86/include/asm/hvm/ioreq.h
> @@ -12,6 +12,7 @@ > #define IOREQ_STATUS_HANDLED X86EMUL_OKAY > #define IOREQ_STATUS_UNHANDLED X86EMUL_UNHANDLEABLE > #define IOREQ_STATUS_RETRY X86EMUL_RETRY > +#define IOREQ_STATUS_BAD X86EMUL_UNRECOGNIZED > > #endif /* __ASM_X86_HVM_IOREQ_H__ */ > > --- a/xen/common/ioreq.c > +++ b/xen/common/ioreq.c > @@ -1175,7 +1175,7 @@ static int ioreq_send_buffered(struct io > return IOREQ_STATUS_UNHANDLED; > > /* > - * Return 0 for the cases we can't deal with: > + * Return BAD for the cases we can't deal with: > * - 'addr' is only a 20-bit field, so we cannot address beyond 1MB > * - we cannot buffer accesses to guest memory buffers, as the guest > * may expect the memory buffer to be synchronously accessed > @@ -1183,7 +1183,7 @@ static int ioreq_send_buffered(struct io > * support data_is_ptr we do not waste space for the count field either > */ > if ( (p->addr > 0xfffffUL) || p->data_is_ptr || (p->count != 1) ) > - return 0; > + return IOREQ_STATUS_BAD; > > switch ( p->size ) > {

Cheers,
On 16.09.2024 23:27, Julien Grall wrote:
> On 11/09/2024 13:19, Jan Beulich wrote:
>> Returning a literal number is a bad idea anyway when all other returns
>> use IOREQ_STATUS_* values. While that's maybe intended on Arm (mapping
>> to IO_ABORT),
>
> Arm doesn't support buffered ioreq (see ioreq_server_create()) and
> AFAICT the "0" was already there before the code was moved.

Indeed, the bad conversion is older than the move.

> > mapping to X86EMUL_OKAY is surely wrong on x86.
>
> The code has been for nearly 10 years. So I would like to understand why
> the change now. Did you see any issue?

Well, result of looking at the code. As said - returning success here is
definitely wrong on x86. The open question is whether IO_ABORT was actually
meant to be (implicitly) used here for Arm (but see below).

> The unclear part for me is the behavior change. Below...
>
>>
>> Fixes: f6bf39f84f82 ("x86/hvm: add support for broadcast of buffered ioreqs...")
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>> ---
>> Judging from history, it may want to be IOREQ_STATUS_UNHANDLED instead,
>> eliminating the need for IOREQ_STATUS_BAD. That'll be a behavioral
>> change on Arm then too, though.
>
> ... you mention Arm. But not x86. This would imply there are no behavior
> change but I don't understand why.

The way the patch is written it keeps Arm's (perceived; again see below)
behavior unchanged, but fixes x86. The remark above is suggesting an
alternative without need for the new IOREQ_STATUS_BAD, yet then also
leading to a behavioral change on Arm. Hence the question whether the
present behavior is intended. However, ...

> For the Arm behavior change, per above, I don't think we can reach the
> code on Arm so it should not be a problem to change it.

... with you pointing out that buffered ioreqs aren't supported on Arm,
I could indeed change this whichever way suits x86, without affecting
Arm at all. It would then be only an abstract consideration, for the
hypothetical case that buffered ioreqs became needed on Arm as well.

Buffered ioreqs not being supported on Arm of course means the function
as a whole is unreachable, i.e. in violation of Misra rule 2.1. Which I
find concerning, as that rule is marked as clean - indicating that
Eclair isn't smart enough to spot the case here. (Reason for the remark:
If the function had been marked / excluded accordingly, I would have
noticed Arm's unaffectedness of whichever way the change is done.)

>> Shouldn't IOREQ_READ requests also be rejected here, for the result of
>> a read not possibly coming from anywhere, yet a (bogus) caller then
>> assuming some data was actually returned?
>
> I am not sure. I understand from an hardened PoV. But this would add an
> extra check to something the caller should be aware of. This is
> different from the address check because this is more of an
> implementation details.
>
> So maybe it should be an ASSERT()?

That might be an option, yet with the general movement towards also
providing safety on release builds that would likely end up being

    if ( dir != IOREQ_WRITE )
    {
        ASSERT_UNREACHABLE();
        return 0;
    }

i.e. still an extra check.

Jan
On 2024-09-23 11:47, Jan Beulich wrote:
> On 16.09.2024 23:27, Julien Grall wrote:
>> On 11/09/2024 13:19, Jan Beulich wrote:
>>> Returning a literal number is a bad idea anyway when all other returns
>>> use IOREQ_STATUS_* values. While that's maybe intended on Arm (mapping
>>> to IO_ABORT),
>>
>> Arm doesn't support buffered ioreq (see ioreq_server_create()) and
>> AFAICT the "0" was already there before the code was moved.
>
> Indeed, the bad conversion is older than the move.
>
>> > mapping to X86EMUL_OKAY is surely wrong on x86.
>>
>> The code has been for nearly 10 years. So I would like to understand why
>> the change now. Did you see any issue?
>
> Well, result of looking at the code. As said - returning success here is
> definitely wrong on x86. The open question is whether IO_ABORT was actually
> meant to be (implicitly) used here for Arm (but see below).
>
>> The unclear part for me is the behavior change. Below...
>>
>>>
>>> Fixes: f6bf39f84f82 ("x86/hvm: add support for broadcast of buffered ioreqs...")
>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>> ---
>>> Judging from history, it may want to be IOREQ_STATUS_UNHANDLED instead,
>>> eliminating the need for IOREQ_STATUS_BAD. That'll be a behavioral
>>> change on Arm then too, though.
>>
>> ... you mention Arm. But not x86. This would imply there are no behavior
>> change but I don't understand why.
>
> The way the patch is written it keeps Arm's (perceived; again see below)
> behavior unchanged, but fixes x86. The remark above is suggesting an
> alternative without need for the new IOREQ_STATUS_BAD, yet then also
> leading to a behavioral change on Arm. Hence the question whether the
> present behavior is intended. However, ...
>
>> For the Arm behavior change, per above, I don't think we can reach the
>> code on Arm so it should not be a problem to change it.
>
> ... with you pointing out that buffered ioreqs aren't supported on Arm,
> I could indeed change this whichever way suits x86, without affecting
> Arm at all. It would then be only an abstract consideration, for the
> hypothetical case that buffered ioreqs became needed on Arm as well.
>
> Buffered ioreqs not being supported on Arm of course means the function
> as a whole is unreachable, i.e. in violation of Misra rule 2.1. Which I
> find concerning, as that rule is marked as clean - indicating that
> Eclair isn't smart enough to spot the case here. (Reason for the remark:
> If the function had been marked / excluded accordingly, I would have
> noticed Arm's unaffectedness of whichever way the change is done.)
>

ECLAIR has been configured to mark unreferenced functions as deliberately
unreachable and thus hide those reports by default in the CI analyses.

-doc_begin="Some functions are intended to be not referenced."
-config=MC3R1.R2.1,+reports={deliberate,"first_area(^.*is never referenced$)"}
-doc_end

>>> Shouldn't IOREQ_READ requests also be rejected here, for the result of
>>> a read not possibly coming from anywhere, yet a (bogus) caller then
>>> assuming some data was actually returned?
>>
>> I am not sure. I understand from an hardened PoV. But this would add an
>> extra check to something the caller should be aware of. This is
>> different from the address check because this is more of an
>> implementation details.
>>
>> So maybe it should be an ASSERT()?
>
> That might be an option, yet with the general movement towards also
> providing safety on release builds that would likely end up being
>
>     if ( dir != IOREQ_WRITE )
>     {
>         ASSERT_UNREACHABLE():
>         return 0;
>     }
>
> i.e. still an extra check.
>
> Jan
On 23.09.2024 11:55, Nicola Vetrini wrote:
> On 2024-09-23 11:47, Jan Beulich wrote:
>> On 16.09.2024 23:27, Julien Grall wrote:
>>> On 11/09/2024 13:19, Jan Beulich wrote:
>>>> Returning a literal number is a bad idea anyway when all other returns
>>>> use IOREQ_STATUS_* values. While that's maybe intended on Arm (mapping
>>>> to IO_ABORT),
>>>
>>> Arm doesn't support buffered ioreq (see ioreq_server_create()) and
>>> AFAICT the "0" was already there before the code was moved.
>>
>> Indeed, the bad conversion is older than the move.
>>
>>> > mapping to X86EMUL_OKAY is surely wrong on x86.
>>>
>>> The code has been for nearly 10 years. So I would like to understand why
>>> the change now. Did you see any issue?
>>
>> Well, result of looking at the code. As said - returning success here is
>> definitely wrong on x86. The open question is whether IO_ABORT was actually
>> meant to be (implicitly) used here for Arm (but see below).
>>
>>> The unclear part for me is the behavior change. Below...
>>>
>>>>
>>>> Fixes: f6bf39f84f82 ("x86/hvm: add support for broadcast of buffered ioreqs...")
>>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>>> ---
>>>> Judging from history, it may want to be IOREQ_STATUS_UNHANDLED instead,
>>>> eliminating the need for IOREQ_STATUS_BAD. That'll be a behavioral
>>>> change on Arm then too, though.
>>>
>>> ... you mention Arm. But not x86. This would imply there are no behavior
>>> change but I don't understand why.
>>
>> The way the patch is written it keeps Arm's (perceived; again see below)
>> behavior unchanged, but fixes x86. The remark above is suggesting an
>> alternative without need for the new IOREQ_STATUS_BAD, yet then also
>> leading to a behavioral change on Arm. Hence the question whether the
>> present behavior is intended. However, ...
>>
>>> For the Arm behavior change, per above, I don't think we can reach the
>>> code on Arm so it should not be a problem to change it.
>>
>> ... with you pointing out that buffered ioreqs aren't supported on Arm,
>> I could indeed change this whichever way suits x86, without affecting
>> Arm at all. It would then be only an abstract consideration, for the
>> hypothetical case that buffered ioreqs became needed on Arm as well.
>>
>> Buffered ioreqs not being supported on Arm of course means the function
>> as a whole is unreachable, i.e. in violation of Misra rule 2.1. Which I
>> find concerning, as that rule is marked as clean - indicating that
>> Eclair isn't smart enough to spot the case here. (Reason for the remark:
>> If the function had been marked / excluded accordingly, I would have
>> noticed Arm's unaffectedness of whichever way the change is done.)
>>
>
> ECLAIR has been configured to mark unreferenced functions as
> deliberately unreachable and thus hide those reports by default in the
> CI analyses.
>
> -doc_begin="Some functions are intended to be not referenced."
> -config=MC3R1.R2.1,+reports={deliberate,"first_area(^.*is never referenced$)"}
> -doc_end

But the function is referenced. If it wasn't, the build would fail. It is
just that on Arm the code path there cannot be taken, as the "buffered"
function argument in the sole caller will only ever be false.

That said - looking at docs/misra/deviations.txt I spot 4 entries for 2.1,
yet none of them appears to fit with your reply. What's the connection?

Furthermore I never fully understood Misra's separation of "unreachable"
vs "dead", so maybe we're rather talking about dead code here (and hence
another rule).

Jan
--- a/xen/arch/arm/include/asm/ioreq.h +++ b/xen/arch/arm/include/asm/ioreq.h @@ -56,6 +56,7 @@ static inline void msix_write_completion #define IOREQ_STATUS_HANDLED IO_HANDLED #define IOREQ_STATUS_UNHANDLED IO_UNHANDLED #define IOREQ_STATUS_RETRY IO_RETRY +#define IOREQ_STATUS_BAD IO_ABORT #endif /* __ASM_ARM_IOREQ_H__ */ --- a/xen/arch/x86/include/asm/hvm/ioreq.h +++ b/xen/arch/x86/include/asm/hvm/ioreq.h @@ -12,6 +12,7 @@ #define IOREQ_STATUS_HANDLED X86EMUL_OKAY #define IOREQ_STATUS_UNHANDLED X86EMUL_UNHANDLEABLE #define IOREQ_STATUS_RETRY X86EMUL_RETRY +#define IOREQ_STATUS_BAD X86EMUL_UNRECOGNIZED #endif /* __ASM_X86_HVM_IOREQ_H__ */ --- a/xen/common/ioreq.c +++ b/xen/common/ioreq.c @@ -1175,7 +1175,7 @@ static int ioreq_send_buffered(struct io return IOREQ_STATUS_UNHANDLED; /* - * Return 0 for the cases we can't deal with: + * Return BAD for the cases we can't deal with: * - 'addr' is only a 20-bit field, so we cannot address beyond 1MB * - we cannot buffer accesses to guest memory buffers, as the guest * may expect the memory buffer to be synchronously accessed @@ -1183,7 +1183,7 @@ static int ioreq_send_buffered(struct io * support data_is_ptr we do not waste space for the count field either */ if ( (p->addr > 0xfffffUL) || p->data_is_ptr || (p->count != 1) ) - return 0; + return IOREQ_STATUS_BAD; switch ( p->size ) {
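Review bot: in the xen/arch/x86/include/asm/hvm/ioreq.h hunk, `+#define IOREQ_STATUS_BAD X86EMUL_UNRECOGNIZED` picks a value the description does not justify; the post-commit-marker note itself says the historically intended result may have been IOREQ_STATUS_UNHANDLED (X86EMUL_UNHANDLEABLE on x86), and those are distinct emulator return codes, so the commit message should state why UNRECOGNIZED is the right one for a request that is well-formed but cannot be buffered, and what the x86 callers of the buffered path do with it.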
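Review bot: the first xen/common/ioreq.c hunk changes the comment to `* Return BAD for the cases we can't deal with:`, which no longer matches any identifier in the file; spelling it out as `Return IOREQ_STATUS_BAD` keeps the comment greppable and distinguishes it from the IOREQ_STATUS_UNHANDLED return a few lines above.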
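Review bot: in the second xen/common/ioreq.c hunk the condition `if ( (p->addr > 0xfffffUL) || p->data_is_ptr || (p->count != 1) )` still lets an IOREQ_READ through, which is the case the post-commit-marker note raises: a buffered request cannot carry data back, so a read that passes this check is queued like a write and the caller may assume data was returned. Either add `p->dir != IOREQ_WRITE` to the condition (returning IOREQ_STATUS_BAD like the other unsupported shapes, and listing the reason in the comment block above it) or, if it is considered a caller bug, use the ASSERT_UNREACHABLE()-plus-return form discussed in the thread; the comment's "cases we can't deal with" list should then be updated in the same hunk.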
Returning a literal number is a bad idea anyway when all other returns
use IOREQ_STATUS_* values. While that's maybe intended on Arm (mapping
to IO_ABORT), mapping to X86EMUL_OKAY is surely wrong on x86.

Fixes: f6bf39f84f82 ("x86/hvm: add support for broadcast of buffered ioreqs...")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
Judging from history, it may want to be IOREQ_STATUS_UNHANDLED instead,
eliminating the need for IOREQ_STATUS_BAD. That'll be a behavioral
change on Arm then too, though.

Shouldn't IOREQ_READ requests also be rejected here, for the result of
a read not possibly coming from anywhere, yet a (bogus) caller then
assuming some data was actually returned?
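Why a bare `return 0` matters here, and what the 20-bit address limit does to an address the check lets through, is easiest to see in a small model. The following is an added example, not Xen code and not part of this patch or thread: it mimics the fields of ioreq_t that the rejection check reads, a buf_ioreq-style ring entry whose addr is a 20-bit field, the pre-patch and post-patch return paths, and a caller that only distinguishes "handled" from everything else. The status numbering, struct layouts, make_req() helper and the size check are simplifications chosen for the example; the extra IOREQ_READ rejection is the one the thread discusses and is this example's addition, not the patch's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Status codes, numbered for this example only.  The property that matters
 * is HANDLED == 0: on x86 IOREQ_STATUS_HANDLED is X86EMUL_OKAY, which is
 * what a bare "return 0" silently turned into.
 */
enum ioreq_status {
    IOREQ_STATUS_HANDLED   = 0,
    IOREQ_STATUS_UNHANDLED = 1,
    IOREQ_STATUS_RETRY     = 2,
    IOREQ_STATUS_BAD       = 3,   /* the value the patch introduces */
};

#define IOREQ_WRITE 0
#define IOREQ_READ  1

/* Simplified stand-in for the ioreq_t fields the rejection check reads. */
struct ioreq {
    uint64_t addr;
    uint64_t data;
    uint32_t count;
    uint8_t  dir;          /* IOREQ_READ or IOREQ_WRITE */
    uint8_t  size;         /* access width in bytes */
    bool     data_is_ptr;  /* data is a guest address, not an immediate */
};

/* Ring entry modelled on buf_ioreq_t: addr is a 20-bit field, so nothing
 * at or above 1MB can be encoded.  Packing is not byte-exact. */
struct buf_ioreq {
    uint8_t  type;
    uint8_t  dir:1;
    uint8_t  size:2;
    uint32_t addr:20;
    uint32_t data;
};

struct ioreq make_req(uint64_t addr, uint32_t count, uint8_t dir,
                      uint8_t size, bool data_is_ptr)
{
    struct ioreq p = { .addr = addr, .count = count, .dir = dir,
                       .size = size, .data_is_ptr = data_is_ptr };
    return p;
}

/* What an address becomes if it reaches the 20-bit field unchecked:
 * unsigned bit-field assignment reduces modulo 2^20, with no diagnostic. */
uint32_t buf_ioreq_addr_truncated(uint64_t addr)
{
    struct buf_ioreq bp = { 0 };

    bp.addr = (uint32_t)addr;
    return bp.addr;
}

/* Pre-patch shape: the unsupported cases return a literal 0. */
int send_buffered_before(struct ioreq p)
{
    if ( p.addr > 0xfffffUL || p.data_is_ptr || p.count != 1 )
        return 0;                       /* == IOREQ_STATUS_HANDLED on x86 */
    return IOREQ_STATUS_HANDLED;        /* queueing into the ring elided */
}

/* Post-patch shape, plus the IOREQ_READ rejection the thread discusses
 * (that dir check is this example's addition, not part of the patch). */
int send_buffered_after(struct ioreq p)
{
    if ( p.addr > 0xfffffUL || p.data_is_ptr || p.count != 1 )
        return IOREQ_STATUS_BAD;
    if ( p.dir != IOREQ_WRITE )         /* a buffered read can return no data */
        return IOREQ_STATUS_BAD;
    if ( p.size != 1 && p.size != 2 && p.size != 4 && p.size != 8 )
        return IOREQ_STATUS_UNHANDLED;  /* width the ring entry cannot express */
    return IOREQ_STATUS_HANDLED;
}

/* A caller that, like an emulation path, only asks "was it handled?". */
bool caller_believes_delivered(int (*send)(struct ioreq), struct ioreq p)
{
    return send(p) == IOREQ_STATUS_HANDLED;
}

int main(void)
{
    /* Constructed request: a 4-byte write just past the 1MB limit. */
    struct ioreq high = make_req(0x100000, 1, IOREQ_WRITE, 4, false);

    printf("addr 0x%llx would be stored as 0x%x\n",
           (unsigned long long)high.addr, buf_ioreq_addr_truncated(high.addr));
    printf("before patch: caller thinks delivered = %d\n",
           caller_believes_delivered(send_buffered_before, high));
    printf("after patch:  caller thinks delivered = %d\n",
           caller_believes_delivered(send_buffered_after, high));
    return 0;
}
```

The point of the truncation helper is that the address check is not cosmetic: without it, 0x100000 would be stored as 0 and a write meant for above 1MB would land on the first page from the device model's point of view, while the pre-patch return value told the caller everything was fine.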