From patchwork Mon Aug 31 19:27:15 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?J=2E_Neusch=C3=A4fer?= X-Patchwork-Id: 512577 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 5FD1B14055A for ; Tue, 1 Sep 2015 05:27:55 +1000 (AEST) Received: from localhost ([::1]:40007 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZWUkD-0008Fn-H2 for incoming@patchwork.ozlabs.org; Mon, 31 Aug 2015 15:27:53 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:45137) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZWUjr-0007y7-Mv for qemu-devel@nongnu.org; Mon, 31 Aug 2015 15:27:35 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZWUjl-00017k-FP for qemu-devel@nongnu.org; Mon, 31 Aug 2015 15:27:31 -0400 Received: from mout.gmx.net ([212.227.15.18]:57838) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZWUjl-00015o-6O for qemu-devel@nongnu.org; Mon, 31 Aug 2015 15:27:25 -0400 Received: from latitude ([178.201.237.132]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MH07e-1ZScr33bRi-00DmLu; Mon, 31 Aug 2015 21:27:15 +0200 Date: Mon, 31 Aug 2015 21:27:15 +0200 From: Jonathan =?utf-8?Q?Neusch=C3=A4fer?= To: QEMU Developers Message-ID: <20150831192715.GA1761@latitude> References: <20150829160449.GB8212@latitude> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20150829160449.GB8212@latitude> User-Agent: Mutt/1.5.23 (2014-03-12) X-Provags-ID: V03:K0:z6Supne6ExyVifXcCq+Bl0iZox72Qa3nHG5hHHsKareRAMIds22 c+hfpsuTvyIma7uHggc6w6s5fsz+/PNKViT1Ars50Mkh1Xoo55QqkopBJKGwEjExjlg0SyQ qwZPv5ExbxSkVYBwZ0rKZJvocQD/Odsx0okCO5+m4ULLCAYK60WF9TDqu4aHX2z5V9ySejI aUuEuKA8JSdHbniRJnWfg== X-UI-Out-Filterresults: notjunk:1; V01:K0:e6vtoCUPYpM=:c2GEhTeh0RLuDNIug7liVJ cZOqznAvqie1me9WMAo37YNqtIZtf1T3jkW+9jnjNcpRNLaDKvDkq04lOxV7UJU5XLgH5quwx xJ+8zgkLM44r6vY8BAN/xGYC4KAG4YDsjYqJO73R6b4rPKAVX9IkRZErygKpup5iPZbyVQnXK jO4GD2/EUKBbVltM3DYvWwA9Jl5yMHt/m/rNRP8U4jtnWEDD6D0RTcWZjQagFi4qnH9fbibQx q5R2UPbjlR9aHHblOkhmQ56r4mkXvmwJ3avA3VjOyS/9tyCS7GYlX6/EXHbj7GvDkjWcTpa9D Be87OPcNng2dQAvNTT1/gd7XiAGMAAkLCaPEbxDwW2qXBUnLDFYQcE7FE45bzC4kA5UIC7JYS hs4DThBgbR8A3lO29LYL6TTPKVgpw14sxOztDrzJ4Ay3CNycS02XYQHW4FndRaz1YYNDns04i fv/2u+AU5aT5C8OZsZc+RsNU+WXS7voLdZx3U4xS/Z4OlhRNo6mus1R0FXmMJh63nWxyx3kUp +T6RECTLqr0hKnatJNllxYJMfC1K0riKrA3koHJbFo0nTJ9vjaiz2WV6uW0tqEbWuNzKQBGy+ aiXZ55pOUTFoK8fZqBp2kCD9jcV/Dr/0pJkK9wx2QvSpC0NUq/JEtgE7W9Fq4hw8zgDMDnmDf t5zQp41BVKDsxt9pJYtVJ5rsDF8CKzXnETTwX55Ut4ap1n+oVLF1FYdZrBbwx0TxZNOPHYH5z x4yVxYLciUTa0ayu X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 212.227.15.18 Cc: Peter Maydell , Riku Voipio , Jonathan =?utf-8?Q?Neusch=C3=A4fer?= Subject: [Qemu-devel] [PATCH] linux-user: fix cmsg conversion in case of multiple headers X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Currently, __target_cmsg_nxthdr compares a pointer derived from target_cmsg against the msg_control field of target_msgh (through subtraction). This failed for me when emulating i386 code under x86_64, because pointers in the host address space and pointers in the guest address space were not the same. This patch passes the initial value of target_cmsg into __target_cmsg_nxthdr. I found and fixed two more related bugs: - __target_cmsg_nxthdr now returns the new cmsg pointer instead of the old one. - tgt_space (in host_to_target_cmsg) doesn't count "sizeof (struct target_cmsghdr)" twice anymore. Signed-off-by: Jonathan Neuschäfer --- Changes since v1: - Follow Peter Maydell's advice on how to fix the first bug - The "two more related bugs" --- linux-user/syscall.c | 14 +++++++++----- linux-user/syscall_defs.h | 9 +++++---- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index f62c698..12a6cd2 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1181,7 +1181,7 @@ static inline abi_long target_to_host_cmsg(struct msghdr *msgh, struct cmsghdr *cmsg = CMSG_FIRSTHDR(msgh); abi_long msg_controllen; abi_ulong target_cmsg_addr; - struct target_cmsghdr *target_cmsg; + struct target_cmsghdr *target_cmsg, *target_cmsg_start; socklen_t space = 0; msg_controllen = tswapal(target_msgh->msg_controllen); @@ -1189,6 +1189,7 @@ static inline abi_long target_to_host_cmsg(struct msghdr *msgh, goto the_end; target_cmsg_addr = tswapal(target_msgh->msg_control); target_cmsg = lock_user(VERIFY_READ, target_cmsg_addr, msg_controllen, 1); + target_cmsg_start = target_cmsg; if (!target_cmsg) return -TARGET_EFAULT; @@ -1247,7 +1248,8 @@ static inline abi_long target_to_host_cmsg(struct msghdr *msgh, } cmsg = CMSG_NXTHDR(msgh, cmsg); - target_cmsg = TARGET_CMSG_NXTHDR(target_msgh, target_cmsg); + target_cmsg = TARGET_CMSG_NXTHDR(target_msgh, target_cmsg, + target_cmsg_start); } unlock_user(target_cmsg, target_cmsg_addr, 0); the_end: @@ -1261,7 +1263,7 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, struct cmsghdr *cmsg = CMSG_FIRSTHDR(msgh); abi_long msg_controllen; abi_ulong target_cmsg_addr; - struct target_cmsghdr *target_cmsg; + struct target_cmsghdr *target_cmsg, *target_cmsg_start; socklen_t space = 0; msg_controllen = tswapal(target_msgh->msg_controllen); @@ -1269,6 +1271,7 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, goto the_end; target_cmsg_addr = tswapal(target_msgh->msg_control); target_cmsg = lock_user(VERIFY_WRITE, target_cmsg_addr, msg_controllen, 0); + target_cmsg_start = target_cmsg; if (!target_cmsg) return -TARGET_EFAULT; @@ -1382,14 +1385,15 @@ static inline abi_long host_to_target_cmsg(struct target_msghdr *target_msgh, } target_cmsg->cmsg_len = tswapal(tgt_len); - tgt_space = TARGET_CMSG_SPACE(tgt_len); + tgt_space = TARGET_CMSG_SPACE(len); if (msg_controllen < tgt_space) { tgt_space = msg_controllen; } msg_controllen -= tgt_space; space += tgt_space; cmsg = CMSG_NXTHDR(msgh, cmsg); - target_cmsg = TARGET_CMSG_NXTHDR(target_msgh, target_cmsg); + target_cmsg = TARGET_CMSG_NXTHDR(target_msgh, target_cmsg, + target_cmsg_start); } unlock_user(target_cmsg, target_cmsg_addr, space); the_end: diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index edd5f3c..8b0e354 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h @@ -234,7 +234,8 @@ struct target_cmsghdr { }; #define TARGET_CMSG_DATA(cmsg) ((unsigned char *) ((struct target_cmsghdr *) (cmsg) + 1)) -#define TARGET_CMSG_NXTHDR(mhdr, cmsg) __target_cmsg_nxthdr (mhdr, cmsg) +#define TARGET_CMSG_NXTHDR(mhdr, cmsg, cmsg_start) \ + __target_cmsg_nxthdr (mhdr, cmsg, cmsg_start) #define TARGET_CMSG_ALIGN(len) (((len) + sizeof (abi_long) - 1) \ & (size_t) ~(sizeof (abi_long) - 1)) #define TARGET_CMSG_SPACE(len) (TARGET_CMSG_ALIGN (len) \ @@ -242,17 +243,17 @@ struct target_cmsghdr { #define TARGET_CMSG_LEN(len) (TARGET_CMSG_ALIGN (sizeof (struct target_cmsghdr)) + (len)) static __inline__ struct target_cmsghdr * -__target_cmsg_nxthdr (struct target_msghdr *__mhdr, struct target_cmsghdr *__cmsg) +__target_cmsg_nxthdr (struct target_msghdr *__mhdr, struct target_cmsghdr *__cmsg, struct target_cmsghdr *__cmsg_start) { struct target_cmsghdr *__ptr; __ptr = (struct target_cmsghdr *)((unsigned char *) __cmsg + TARGET_CMSG_ALIGN (tswapal(__cmsg->cmsg_len))); - if ((unsigned long)((char *)(__ptr+1) - (char *)(size_t)tswapal(__mhdr->msg_control)) + if ((unsigned long)((char *)(__ptr+1) - (char *)__cmsg_start) > tswapal(__mhdr->msg_controllen)) /* No more entries. */ return (struct target_cmsghdr *)0; - return __cmsg; + return __ptr; } struct target_mmsghdr {