From: Rusty Russell <rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
To: virtualization-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Cc: kvm-devel
<kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>,
lguest <lguest-mnsaURCQ41sdnm+yROfE0A@public.gmane.org>
Subject: [RFC PATCH 4/5] lguest: ignore bad virtqueues.
Date: Thu, 20 Mar 2008 17:40:28 +1100 [thread overview]
Message-ID: <200803201740.28991.rusty@rustcorp.com.au> (raw)
In-Reply-To: <200803201736.01883.rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
Currently the lguest Launcher aborts when a Guest puts something bogus
in a virtio queue. If we want to deal with other (untrusted) Guests'
queues, that's a bad idea: simply print a warning and ignore it from
now on.
Signed-off-by: Rusty Russell <rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
---
Documentation/lguest/lguest.c | 45 +++++++++++++++++++++++++++++++-----------
1 file changed, 34 insertions(+), 11 deletions(-)
diff -r 784299890d4a Documentation/lguest/lguest.c
--- a/Documentation/lguest/lguest.c Thu Mar 13 23:10:14 2008 +1100
+++ b/Documentation/lguest/lguest.c Thu Mar 13 23:21:55 2008 +1100
@@ -156,6 +156,9 @@ struct virtqueue_info
/* Last available index we saw. */
u16 last_avail_idx;
+
+ /* Are we broken? If so, ignore it from now on. */
+ bool broken;
};
struct virtqueue
@@ -676,8 +679,11 @@ static unsigned next_desc(struct virtque
/* Make sure compiler knows to grab that: we don't want it changing! */
wmb();
- if (next >= vqi->vring.num)
- errx(1, "Desc next is %u", next);
+ if (next >= vqi->vring.num) {
+ warnx("Desc next is %u", next);
+ vqi->broken = true;
+ return vqi->vring.num;
+ }
return next;
}
@@ -695,10 +701,16 @@ static int get_vq_desc(struct virtqueue_
{
unsigned int i, head;
+ /* If the queue is broken, we just pretend there's nothing there. */
+ if (vqi->broken)
+ return -1;
+
/* Check it isn't doing very strange things with descriptor numbers. */
- if ((u16)(vqi->vring.avail->idx - vqi->last_avail_idx) > vqi->vring.num)
- errx(1, "Guest moved used index from %u to %u",
- vqi->last_avail_idx, vqi->vring.avail->idx);
+ if ((u16)(vqi->vring.avail->idx-vqi->last_avail_idx) > vqi->vring.num) {
+ warnx("Guest moved used index from %u to %u",
+ vqi->last_avail_idx, vqi->vring.avail->idx);
+ goto broken;
+ }
/* If there's nothing new since last we looked, return invalid. */
if (vqi->vring.avail->idx == vqi->last_avail_idx)
@@ -709,8 +721,10 @@ static int get_vq_desc(struct virtqueue_
head = vqi->vring.avail->ring[vqi->last_avail_idx++ % vqi->vring.num];
/* If their number is silly, that's a fatal mistake. */
- if (head >= vqi->vring.num)
- errx(1, "Guest says index %u is available", head);
+ if (head >= vqi->vring.num) {
+ warnx("Guest says index %u is available", head);
+ goto broken;
+ }
/* When we start there are none of either input nor output. */
*out_num = *in_num = 0;
@@ -728,17 +742,25 @@ static int get_vq_desc(struct virtqueue_
else {
/* If it's an output descriptor, they're all supposed
* to come before any input descriptors. */
- if (*in_num)
- errx(1, "Descriptor has out after in");
+ if (*in_num) {
+ warnx("Descriptor has out after in");
+ goto broken;
+ }
(*out_num)++;
}
/* If we've got too many, that implies a descriptor loop. */
- if (*out_num + *in_num > vqi->vring.num)
- errx(1, "Looped descriptor");
+ if (*out_num + *in_num > vqi->vring.num) {
+ warnx("Looped descriptor");
+ goto broken;
+ }
} while ((i = next_desc(vqi, i)) != vqi->vring.num);
return head;
+
+broken:
+ vqi->broken = true;
+ return -1;
}
/* After we've used one of their buffers, we tell them about it. We'll then
@@ -1127,6 +1149,7 @@ static void add_virtqueue(struct device
vq->dev = dev;
vq->vqi.last_avail_idx = 0;
vq->vqi.mem = &gmem;
+ vq->vqi.broken = false;
/* Initialize the configuration. */
vq->config.num = num_descs;
next prev parent reply other threads:[~2008-03-20 6:40 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-20 5:59 [RFC PATCH 0/4] Inter-guest virtio I/O example with lguest Rusty Russell
[not found] ` <200803201659.14344.rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
2008-03-20 6:05 ` [RFC PATCH 1/5] lguest: mmap backing file Rusty Russell
2008-03-20 6:22 ` [RFC PATCH 2/5] lguest: Encapsulate Guest memory ready for dealing with other Guests Rusty Russell
2008-03-20 8:16 ` [Lguest] [RFC PATCH 1/5] lguest: mmap backing file Tim Post
2008-03-20 14:07 ` Paul TBBle Hampson
2008-03-21 0:29 ` Rusty Russell
[not found] ` <1206000960.6873.124.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2008-03-20 14:07 ` Paul TBBle Hampson
2008-03-21 0:29 ` Rusty Russell
2008-03-20 8:16 ` [Lguest] " Tim Post
[not found] ` <200803201705.44422.rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
2008-03-20 6:22 ` [RFC PATCH 2/5] lguest: Encapsulate Guest memory ready for dealing with other Guests Rusty Russell
2008-03-20 6:36 ` [RFC PATCH 3/5] lguest: separate out virtqueue info from device info Rusty Russell
2008-03-20 6:36 ` Rusty Russell
[not found] ` <200803201736.01883.rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
2008-03-20 6:40 ` Rusty Russell [this message]
2008-03-20 6:45 ` [RFC PATCH 5/5] lguest: Inter-guest networking Rusty Russell
2008-03-20 6:45 ` Rusty Russell
2008-03-20 6:40 ` [RFC PATCH 4/5] lguest: ignore bad virtqueues Rusty Russell
2008-03-20 14:04 ` [kvm-devel] [RFC PATCH 1/5] lguest: mmap backing file Anthony Liguori
2008-03-20 14:32 ` [Lguest] " Paul TBBle Hampson
[not found] ` <47E26EE1.5030706-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
2008-03-20 14:32 ` Paul TBBle Hampson
2008-03-20 15:07 ` Avi Kivity
2008-03-20 15:24 ` Anthony Liguori
2008-03-20 15:24 ` Anthony Liguori
2008-03-20 22:12 ` [kvm-devel] " Rusty Russell
2008-03-20 23:46 ` Anthony Liguori
2008-03-23 9:11 ` [kvm-devel] " Avi Kivity
2008-03-23 9:11 ` Avi Kivity
2008-03-20 23:46 ` [kvm-devel] " Anthony Liguori
2008-03-20 15:07 ` Avi Kivity
2008-03-20 22:12 ` Rusty Russell
2008-03-20 14:04 ` Anthony Liguori
2008-03-20 6:54 ` [kvm-devel] [RFC PATCH 0/4] Inter-guest virtio I/O example with lguest Avi Kivity
[not found] ` <47E20A35.2000600-atKUWr5tajBWk0Htik3J/w@public.gmane.org>
2008-03-20 13:55 ` Anthony Liguori
[not found] ` <47E26CC1.8080900-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
2008-03-20 14:27 ` Avi Kivity
[not found] ` <47E27461.4090404-atKUWr5tajBWk0Htik3J/w@public.gmane.org>
2008-03-20 14:39 ` Anthony Liguori
2008-03-20 14:55 ` Avi Kivity
2008-03-20 15:05 ` [kvm-devel] " Anthony Liguori
2008-03-20 15:05 ` Anthony Liguori
2008-03-20 15:36 ` [kvm-devel] " Avi Kivity
2008-03-20 15:36 ` Avi Kivity
2008-03-20 15:52 ` [kvm-devel] " Anthony Liguori
[not found] ` <47E28482.9010501-atKUWr5tajBWk0Htik3J/w@public.gmane.org>
2008-03-20 15:52 ` Anthony Liguori
2008-03-20 14:55 ` Avi Kivity
2008-03-20 14:39 ` Anthony Liguori
2008-03-20 14:27 ` Avi Kivity
2008-03-20 13:55 ` Anthony Liguori
2008-03-20 22:14 ` Rusty Russell
2008-03-20 22:14 ` [kvm-devel] " Rusty Russell
2008-03-20 14:11 ` Anthony Liguori
2008-03-23 12:05 ` Rusty Russell
2008-03-23 12:05 ` [kvm-devel] " Rusty Russell
2008-03-20 6:05 ` [RFC PATCH 1/5] lguest: mmap backing file Rusty Russell
2008-03-20 6:54 ` [kvm-devel] [RFC PATCH 0/4] Inter-guest virtio I/O example with lguest Avi Kivity
2008-03-20 14:11 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200803201740.28991.rusty@rustcorp.com.au \
--to=rusty-8n+1lvoiyb80n/f98k4iww@public.gmane.org \
--cc=kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=lguest-mnsaURCQ41sdnm+yROfE0A@public.gmane.org \
--cc=virtualization-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.