NetBSD-Bugs archive


Re: port-xen/49919: Bugs in xenevt.c



On Fri, May 22, 2015 at 11:35 AM, Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> The following reply was made to PR port-xen/49919; it has been noted by GNATS.
>
> From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc: port-xen-maintainer%NetBSD.org@localhost, gnats-admin%NetBSD.org@localhost,
>         netbsd-bugs%NetBSD.org@localhost
> Subject: Re: port-xen/49919: Bugs in xenevt.c
> Date: Fri, 22 May 2015 12:32:00 +0200
>
>  On Fri, May 22, 2015 at 10:10:07AM +0000, liuw%liuw.name@localhost wrote:
>  > 1. The critical region is too small in xenevt_fread.
>
>  Why do you think it's too small? The code not covered by the
>  lock only manipulates local (on-stack) variables.
>

Multiple concurrent readers reading the same instance.

Reading while at the same time doing IOCTL_EVTCHN_RESET.

The main concern is that d->ring_read is updated in the second critical
region in that function. Another thread can come in between the gap
and manipulate those indices.

>  > 2. Range check under IOCTL_EVTCHN_UNBIND should be ">=".
>  > 3. Range check under IOCTL_EVTCHN_NOTIFY should be ">=".
>
>  Right, there's an off-by-one error. There's also one in xenevt_fwrite().
>

You mean the nentries check? I think that's OK because it's the number
of entries, not an index into the array.

>  --
>  Manuel Bouyer <bouyer%antioche.eu.org@localhost>
>       NetBSD: 26 years of experience will always make the difference
>  --
>
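
The interleavings named in this reply, as an added example that is not part of the original message and is not NetBSD's xenevt.c: a single-threaded C model that replays the two schedules (two readers; a reader and a reset) against a ring whose read index is committed in a separate critical region from the snapshot. `RING_SIZE`, `struct ring`, `ring_write`, the helper names and the assumption that the reset zeroes both indices are illustrative.

```c
#include <stdio.h>
#define RING_SIZE 8u  /* hypothetical ring size (power of two) */
struct ring { unsigned ring_read, ring_write; };  /* shared indices only */

/* Entries the consumer believes are readable. */
static unsigned pending(const struct ring *d) {
    return (d->ring_write - d->ring_read) & (RING_SIZE - 1);
}

/* Second critical region of the split design: advance by an earlier count. */
static void commit(struct ring *d, unsigned n) {
    d->ring_read = (d->ring_read + n) & (RING_SIZE - 1);
}

/* One lock hold around snapshot and advance: nothing can run in between. */
static unsigned read_atomic(struct ring *d) {
    unsigned n = pending(d);
    commit(d, n);
    return n;
}

/* Two readers, split regions: both snapshot before either commits. */
static unsigned two_readers_split(void) {
    struct ring d = { 0, 3 };
    unsigned a = pending(&d), b = pending(&d);  /* lock dropped after each */
    commit(&d, a);
    commit(&d, b);       /* ring_read = 6, already past ring_write = 3 */
    return pending(&d);  /* entries that were never written */
}

/* Reader snapshots, a reset zeroes the indices, the stale commit lands. */
static unsigned reader_vs_reset_split(void) {
    struct ring d = { 0, 3 };
    unsigned a = pending(&d);
    d.ring_read = d.ring_write = 0;  /* assumed effect of the reset ioctl */
    commit(&d, a);                   /* ring_read = 3, ring_write = 0 */
    return pending(&d);
}

static unsigned two_readers_atomic(void) {
    struct ring d = { 0, 3 };
    read_atomic(&d);     /* first reader consumes all 3 */
    read_atomic(&d);     /* second reader sees 0 */
    return pending(&d);
}

int main(void) {
    printf("%u %u %u\n", two_readers_split(), reader_vs_reset_split(), two_readers_atomic());
}
```

In both split schedules the ring ends up reporting 5 readable entries although nothing new was written; with the snapshot and the index update under one lock hold it reports 0.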


