Re: [PATCH v2 3/8] s390/sclp: rework sclp boundary and length checks

[Cornelia Huck]

On Mon, 18 May 2020 11:15:07 -0400
Collin Walling <address@hidden> wrote:

> On 5/18/20 4:50 AM, Janosch Frank wrote:
> > On 5/16/20 12:20 AM, Collin Walling wrote:  
> >> Rework the SCLP boundary check to account for different SCLP commands
> >> (eventually) allowing different boundary sizes.
> >>
> >> Move the length check code into a separate function, and introduce a
> >> new function to determine the length of the read SCP data (i.e. the size
> >> from the start of the struct to where the CPU entries should begin).
> >>
> >> Signed-off-by: Collin Walling <address@hidden>
> >> ---
> >>  hw/s390x/sclp.c | 57 ++++++++++++++++++++++++++++++++++++++++++-------
> >>  1 file changed, 49 insertions(+), 8 deletions(-)
> >>
> >> diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
> >> index 2bd618515e..987699e3c4 100644
> >> --- a/hw/s390x/sclp.c
> >> +++ b/hw/s390x/sclp.c
> >> @@ -49,6 +49,34 @@ static inline bool sclp_command_code_valid(uint32_t 
> >> code)
> >>      return false;
> >>  }
> >>  
> >> +static bool sccb_has_valid_boundary(uint64_t sccb_addr, uint32_t code,
> >> +                                    SCCBHeader *header)
> >> +{
> >> +    uint64_t current_len = sccb_addr + be16_to_cpu(header->length);
> >> +    uint64_t allowed_len = (sccb_addr & PAGE_MASK) + PAGE_SIZE;  
> > 
> > Those are addresses not length indications and the names should reflect
> > that.  
> 
> True
> 
> > Also don't we need to use PAGE_SIZE - 1?
> >   
> 
> Technically we need to -1 on both sides since length denotes the size of
> the sccb in bytes, not the max address.
> 
> How about this:
> 
> s/current_len/sccb_max_addr
> s/allowed_len/sccb_boundary

+1, like the names.

> 
> -1 to sccb_max_addr
> 
> Change the check to: sccb_max_addr < sccb_boundary
> 
> ?
> 
> > I'm still trying to wake up, so take this with a grain of salt.
> >   
> 
> No worries. I appreciate the review nonetheless :)
> 
> >> +
> >> +    switch (code & SCLP_CMD_CODE_MASK) {
> >> +    default:
> >> +        if (current_len <= allowed_len) {
> >> +            return true;
> >> +        }
> >> +    }
> >> +    header->response_code = cpu_to_be16(SCLP_RC_SCCB_BOUNDARY_VIOLATION);
> >> +    return false;
> >> +}
> >> +
> >> +/* Calculates sufficient SCCB length to store a full Read SCP/CPU 
> >> response */
> >> +static bool sccb_has_sufficient_len(SCCB *sccb, int num_cpus, int 
> >> data_len)
> >> +{
> >> +    int required_len = data_len + num_cpus * sizeof(CPUEntry);
> >> +
> >> +    if (be16_to_cpu(sccb->h.length) < required_len) {
> >> +        sccb->h.response_code = 
> >> cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
> >> +        return false;
> >> +    }
> >> +    return true;
> >> +}  
> > 
> > Hm, from the function name alone I'd not have expected it to also set
> > the response code.
> >   
> 
> It also sets the required length in the header for an extended-length
> sccb. Perhaps this function name doesn't hold up well.
> 
> Does sccb_check_sufficient_len make more sense?

To me it does.

> 
> I think the same could be said of the boundary check function, which
> also sets the response code.
> 
> What about setting the response code outside the function, similar to
> what sclp_comand_code_valid does?

Whatever results in the least code churn to make it consistent ;)

> 
> >> +
> >>  static void prepare_cpu_entries(MachineState *ms, CPUEntry *entry, int 
> >> *count)
> >>  {
> >>      uint8_t features[SCCB_CPU_FEATURE_LEN] = { 0 };
> >> @@ -66,6 +94,16 @@ static void prepare_cpu_entries(MachineState *ms, 
> >> CPUEntry *entry, int *count)
> >>      }
> >>  }
> >>  
> >> +/*
> >> + * The data length denotes the start of the struct to where the first
> >> + * CPU entry is to be allocated. This value also denotes the offset_cpu
> >> + * field.
> >> + */
> >> +static int get_read_scp_info_data_len(void)
> >> +{
> >> +    return offsetof(ReadInfo, entries);
> >> +}  
> > 
> > Not sure what the policy for this is, but maybe this can go into a
> > header file?
> > David and Conny will surely make that clear to me :)
> >   
> 
> Not sure either. If anything it might be a good candidate for an inline
> function.

If we don't process read info outside of this file, no need to move it
to a header. The compiler is probably also smart enough to inline it on
its own, I guess.