qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] pci: Factor out bounds checking on config space

From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PATCH] pci: Factor out bounds checking on config space accesses
Date: Thu, 29 Mar 2012 11:28:19 +0200
User-agent: Mutt/1.5.21 (2010-09-15) 
On Thu, Mar 29, 2012 at 02:53:52PM +1100, David Gibson wrote:
> On Wed, Mar 28, 2012 at 11:30:56AM +0200, Michael S. Tsirkin wrote:
> > On Wed, Mar 28, 2012 at 12:11:52PM +1100, David Gibson wrote:
> > > Michael,
> > > 
> > > Any chance of an ack or nack on this one?
> > > 
> > > On Mon, Mar 19, 2012 at 03:58:11PM +1100, David Gibson wrote:
> > > > There are several paths into the code to emulate PCI config space 
> > > > accesses:
> > > > one for MMIO to a plain old PCI bridge one for MMIO to a PCIe bridge and
> > > > one for the pseries machine which provides para-virtualized access to 
> > > > PCI
> > > > config space.  Each of these functions does their own bounds checking
> > > > against the size of config space to check for addresses outside the
> > > > size of config space.  The pci_host_config_{read,write}_common() (sort
> > > > of) checks for partial overruns, that is where the address is within
> > > > the size of config space, but address + length is not, it takes a
> > > > limit parameter for this purpose.
> > > > 
> > > > As well as being a small code duplication, and it being weird to
> > > > separate the checks for partial and total overruns, this checking
> > > > currently has a few buglets:
> > > > 
> > > >     * For non PCI-Express we assume that the size of config space is
> > > >       PCI_CONFIG_SPACE_SIZE.  That's true for everything we emulate
> > > >       now, but is not necessarily true (e.g. PCI-X devices can have
> > > >       extended config space)
> > > > 
> > > >     * The limit parameter is not necessary, since the size of config
> > > >       space can be obtained using pci_config_size()
> > > > 
> > > >     * Partial overruns could only occur with a misaligned access,
> > > >       which should have already been dealt with by this point
> > > > 
> > > >     * Partial overruns are handled as a partial read or write, which
> > > >       is very unlikely behaviour for real hardware
> > > > 
> > > >     * Furthermore, partial reads are 0x0 padded, whereas returning
> > > >       0xff for unimplemented addresses us much more common.
> > > > 
> > > >     * The partial reads/writes only work correctly by assuming
> > > >       little-endian byte layout.  While that is always true for PCI
> > > >       config space, it's an awfully subtle thing to rely on without
> > > >       comment.
> > 
> > This last point can be addressed by adding a comment?
> > Patch welcome.
> 
> Well, it could.  But why comment on the subtle assumptions of code
> which implements a totally bizarre behaviour, rather than just
> removing the bizarre behaviour.
> 
> > 
> > > > This patch, therefore, moves the bounds checking wholly into
> > > > pci_host_config_{read,write}_common().  No partial reads or writes are
> > > > performed, instead any out-of-bounds write is simply ignored and an
> > > > out-of-bounds read returns 0xff.
> > > > 
> > > > This simplifies all the callers, and makes the overall semantics saner
> > > > for edge cases.
> > > > 
> > > > Cc: Michael S. Tsirkin <address@hidden>
> > > > 
> > > > Signed-off-by: David Gibson <address@hidden>
> > 
> > Sorry, I didn't reply because I have no idea whether this patch is
> > correct.
> 
> Well, what do you need to decide one way or the other?
> 
> Would it help to split this up into micro-patches which address single
> aspects of the points covered in the patch description?

That's always good.
But most importantly, I'd like to get the motivation straight.

> > Couldn't figure out from the description whether there's a test case
> > where we differ from real hardware in our behaviour.
> 
> Not sure what you mean by a testcase here.  Do you mean a formal
> automated testcase somewhere, or just are there cases in which the
> existing behaviour differs from hardware.

No, not formal. Simply
- what these cases are
- what is the actual versus expected behaviour
- how to observe the difference from the guest

>  If the latter, then yes,
> absolutely.  In fact I'd be astonished if there is *any* hardware
> which implements partial writes (or reads) the way the existing code
> does.

We could classify such a difference as a minor bug.
The fix might turn out to be different for different platforms.

> > The change affects lots of platforms and there's no mention of which
> > ones were tested.
> 
> Only pseries, I'm afraid, because that's all I've really got guest
> setups available to try.

Then it would be better to find a way to limit the change to that
platform.

Alternatively need to get others interested enough to spend cycles
on testing your patches.

> -- 
> David Gibson                  | I'll have my music baroque, and my code
> david AT gibson.dropbear.id.au        | minimalist, thank you.  NOT _the_ 
> _other_
>                               | _way_ _around_!
> http://www.ozlabs.org/~dgibson
reply via email to
[Prev in Thread] Current Thread [Next in Thread]