| Message ID | 1477892309-7150-1-git-send-email-dongli.zhang@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
>>> On 31.10.16 at 06:38, <dongli.zhang@oracle.com> wrote: > --- a/drivers/net/xen-netfront.c > +++ b/drivers/net/xen-netfront.c > @@ -304,7 +304,7 @@ static void xennet_alloc_rx_buffers(struct netfront_queue *queue) > queue->rx_skbs[id] = skb; > > ref = gnttab_claim_grant_reference(&queue->gref_rx_head); > - BUG_ON((signed short)ref < 0); > + WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref)); You really need to cast to plain (or signed) long here - casting to unsigned long will work only in 32-bit configurations, as otherwise you lose the sign of the value. And then just issuing a warning here is insufficient, I think: Either you follow David's line of thought assuming that no failure here is possible at all (in which case the BUG_ON() can be ditched without replacement), or you follow your original one (which matches mine) that we can't exclude an error here because of a bug elsewhere, in which case this either needs to stay BUG_ON() or should be followed by some form of bailing out (so that the bad ref won't get stored, preventing its later use from causing further damage). Jan
From: Dongli Zhang <dongli.zhang@oracle.com> Date: Mon, 31 Oct 2016 13:38:29 +0800 > While grant reference is of type uint32_t, xen-netfront erroneously casts > it to signed short in BUG_ON(). > > This would lead to the xen domU panic during boot-up or migration when it > is attached with lots of paravirtual devices. > > Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> Since this is consistent with how the macros in linux/err.h handle "is this an error" checks, this change looks good to me. Applied, thanks.
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index e17879d..189a28d 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -304,7 +304,7 @@ static void xennet_alloc_rx_buffers(struct netfront_queue *queue) queue->rx_skbs[id] = skb; ref = gnttab_claim_grant_reference(&queue->gref_rx_head); - BUG_ON((signed short)ref < 0); + WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref)); queue->grant_rx_ref[id] = ref; page = skb_frag_page(&skb_shinfo(skb)->frags[0]); @@ -428,7 +428,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset, id = get_id_from_freelist(&queue->tx_skb_freelist, queue->tx_skbs); tx = RING_GET_REQUEST(&queue->tx, queue->tx.req_prod_pvt++); ref = gnttab_claim_grant_reference(&queue->gref_tx_head); - BUG_ON((signed short)ref < 0); + WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref)); gnttab_grant_foreign_access_ref(ref, queue->info->xbdev->otherend_id, gfn, GNTMAP_readonly);
While grant reference is of type uint32_t, xen-netfront erroneously casts it to signed short in BUG_ON(). This would lead to the xen domU panic during boot-up or migration when it is attached with lots of paravirtual devices. Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> --- drivers/net/xen-netfront.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)