From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Gonglei (Arei)" <arei.gonglei@huawei.com>
Cc: "pbonzini@redhat.com" <pbonzini@redhat.com>,
"alex.williamson@redhat.com" <alex.williamson@redhat.com>,
"Huangweidong (C)" <weidong.huang@huawei.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [RFC PATCH]pci-assign: Fix memory out of bound when MSI-X table not fit in a single page
Date: Tue, 1 Apr 2014 18:45:28 +0300
Message-ID: <20140401154528.GA11203@redhat.com>
In-Reply-To: <33183CC9F5247A488A2544077AF19020815DC9F8@SZXEMA503-MBS.china.huawei.com>
On Tue, Apr 01, 2014 at 03:23:36PM +0000, Gonglei (Arei) wrote:
> Hi,
>
> I have a problem about SR-IOV pass-through.
>
> The PF is Emulex Corporation OneConnect NIC (Lancer)(rev 10),
> and the VF pci config is as follows:
>
> LINUX:/sys/bus/pci/devices/0000:04:00.6 # hexdump config
> 0000000 ffff ffff 0000 0010 0010 0200 0000 0080
> 0000010 0000 0000 0000 0000 0000 0000 0000 0000
> 0000020 0000 0000 0000 0000 0000 0000 10df e264
> 0000030 0000 0000 0054 0000 0000 0000 0000 0000
> 0000040 0000 0000 0008 0000 0000 0000 0000 0000
> 0000050 0000 0000 6009 0008 2b41 c002 0000 0000
> 0000060 7805 018a 0000 0000 0000 0000 0000 0000
> 0000070 0000 0000 0000 0000 8411 03ff 4000 0000
> 0000080 3400 0000 9403 0000 0000 0000 0000 0000
> 0000090 0000 0000 0010 0002 8724 1000 0000 0000
> 00000a0 dc83 0041 0000 0000 0000 0000 0000 0000
> 00000b0 0000 0000 0000 0000 001f 0010 0000 0000
> 00000c0 000e 0000 0000 0000 0000 0000 0000 0000
> 00000d0 0000 0000 0000 0000 0000 0000 0000 0000
>
> We can see the msix_max is 0x3ff and msix_table_entry is 0x4000 (4 pages). But QEMU
> only mmaps MSIX_PAGE_SIZE memory for all pci devices in function assigned_dev_register_msix_mmio,
> meanwhile it sets the one page of memory to zero, so the rest of the memory will be random values
> (maybe entry.data is not 0).
>
> In function assigned_dev_update_msix_mmio the issue of entry_nr > 256 may occur,
> and the kmod reports the EINVAL error.
>
> My patch fixes this issue by allocating memory according to the real size of the pci device config.
>
> Any ideas? Thanks.
>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
> hw/i386/kvm/pci-assign.c | 24 +++++++++++++++++++-----
> 1 files changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
> index a825871..daa191c 100644
> --- a/hw/i386/kvm/pci-assign.c
> +++ b/hw/i386/kvm/pci-assign.c
> @@ -1591,10 +1591,6 @@ static void assigned_dev_msix_reset(AssignedDevice *dev)
> MSIXTableEntry *entry;
> int i;
>
> - if (!dev->msix_table) {
> - return;
> - }
> -
> memset(dev->msix_table, 0, MSIX_PAGE_SIZE);
>
> for (i = 0, entry = dev->msix_table; i < dev->msix_max; i++, entry++) {
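Review bot: Removing the `!dev->msix_table` guard at the top of assigned_dev_msix_reset() means the `memset(dev->msix_table, 0, MSIX_PAGE_SIZE)` directly below it dereferences NULL on any call that happens before the table is mapped or for a device without MSI-X. Unless every caller is shown to guarantee a mapped table, keep the check. The memset length is also still MSIX_PAGE_SIZE while the loop under it walks `dev->msix_max` entries, so with a multi-page table only the first page is cleared here; use the same byte count that the mapping was created with.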
> @@ -1604,13 +1600,31 @@ static void assigned_dev_msix_reset(AssignedDevice *dev)
>
> static int assigned_dev_register_msix_mmio(AssignedDevice *dev)
> {
> - dev->msix_table = mmap(NULL, MSIX_PAGE_SIZE, PROT_READ|PROT_WRITE,
> + int nr_pages;
> + int size;
> + int entry_per_page = MSIX_PAGE_SIZE / sizeof(struct MSIXTableEntry);
> +
> + if (dev->msix_max > entry_per_page) {
> + nr_pages = dev->msix_max / entry_per_page;
> + if (dev->msix_max % entry_per_page) {
> + nr_pages += 1;
> + }
> + } else {
> + nr_pages = 1;
> + }
It's usually not a good idea to special-case corner-cases like this.
> +
> + size = MSIX_PAGE_SIZE * nr_pages;
Just use ROUND_UP?
> + dev->msix_table = mmap(NULL, size, PROT_READ|PROT_WRITE,
> MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
Need to fix unmap as well?
> if (dev->msix_table == MAP_FAILED) {
> error_report("fail allocate msix_table! %s", strerror(errno));
> return -EFAULT;
> }
> + if (!dev->msix_table) {
> + return -EFAULT;
> + }
>
> + memset(dev->msix_table, 0, size);
> assigned_dev_msix_reset(dev);
>
> memory_region_init_io(&dev->mmio, OBJECT(dev), &assigned_dev_msix_mmio_ops,
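Review bot: The `if (!dev->msix_table)` test added after the MAP_FAILED check is dead code, because mmap() reports failure as MAP_FAILED and that case already returns just above; drop it rather than moving the NULL check here from assigned_dev_msix_reset(). The computed `size` is a local `int`, so nothing outside this function (the reset path's memset, the unmap path) can learn the real mapping length. Keep it in AssignedDevice, derive it with a single round-up of `dev->msix_max * sizeof(struct MSIXTableEntry)` to MSIX_PAGE_SIZE instead of the `nr_pages` branches, and the extra `memset(dev->msix_table, 0, size)` can go too since a MAP_ANONYMOUS mapping starts zero-filled and assigned_dev_msix_reset() runs immediately afterwards.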
> --
> 1.6.0.2
>
> Best regards,
> -Gonglei
>
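The sizing problem discussed in this thread, as an added example that is not part of the original messages or of QEMU's code: it decodes the MSI-X capability bytes at offset 0x78 of the quoted config dump, rounds the table size up to whole pages, and checks whether a given entry index fits a mapping. The names `msix_geom`, `msix_parse` and `msix_entry_fits` are hypothetical; the layout assumed is the standard MSI-X capability (Table Size stored as N-1 in bits 10:0 of Message Control, BIR in the low three bits of the table offset dword, 16-byte entries).

```c
#include <stdint.h>
#include <stdio.h>

#define MSIX_PAGE_SIZE  0x1000u
#define MSIX_ENTRY_SIZE 16u     /* addr lo, addr hi, data, vector control */
#define PCI_CAP_ID_MSIX 0x11u
#define ROUND_UP(n, d)  ((((n) + (d) - 1) / (d)) * (d))

/* Bytes 0x78..0x7f of the quoted config dump; hexdump printed them as
 * little-endian 16-bit words "8411 03ff 4000 0000". */
static const uint8_t sample_cap[8] = {0x11, 0x84, 0xff, 0x03, 0x00, 0x40, 0x00, 0x00};

struct msix_geom {              /* hypothetical helper type */
    uint32_t entries;           /* Table Size field + 1 */
    uint32_t table_bytes;       /* entries * 16 */
    uint32_t map_bytes;         /* table_bytes rounded up to whole pages */
    uint32_t table_offset;      /* offset of the table inside the BAR */
    uint8_t  bir;               /* which BAR holds the table */
};

/* Decode an MSI-X capability; returns 0 on success, -1 if it is not MSI-X. */
static int msix_parse(const uint8_t cap[8], struct msix_geom *g)
{
    if (cap[0] != PCI_CAP_ID_MSIX) {
        return -1;
    }
    uint32_t ctrl = cap[2] | ((uint32_t)cap[3] << 8);
    uint32_t tbl = cap[4] | ((uint32_t)cap[5] << 8) |
                   ((uint32_t)cap[6] << 16) | ((uint32_t)cap[7] << 24);
    g->entries = (ctrl & 0x7ffu) + 1;           /* field is N-1 encoded */
    g->table_bytes = g->entries * MSIX_ENTRY_SIZE;
    g->map_bytes = ROUND_UP(g->table_bytes, MSIX_PAGE_SIZE);
    g->bir = tbl & 0x7u;
    g->table_offset = tbl & ~0x7u;
    return 0;
}

/* True only if entry_nr lies entirely inside a mapping of map_bytes. */
static int msix_entry_fits(uint32_t map_bytes, uint32_t entry_nr)
{
    return ((uint64_t)entry_nr + 1) * MSIX_ENTRY_SIZE <= map_bytes;
}

int main(void)
{
    struct msix_geom g;
    if (msix_parse(sample_cap, &g) == 0) {
        printf("%u entries, %u bytes, map %u bytes\n",
               g.entries, g.table_bytes, g.map_bytes);
    }
    return 0;
}
```

With a single MSIX_PAGE_SIZE mapping the check rejects entry 256 and above, which is the out-of-bounds case the patch is trying to close.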