From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46733) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WXsv7-00066Z-3z for qemu-devel@nongnu.org; Wed, 09 Apr 2014 09:52:09 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WXsv2-0005K4-3P for qemu-devel@nongnu.org; Wed, 09 Apr 2014 09:52:05 -0400 Received: from mx1.redhat.com ([209.132.183.28]:13763) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WXsv1-0005Hs-R9 for qemu-devel@nongnu.org; Wed, 09 Apr 2014 09:52:00 -0400 Date: Wed, 9 Apr 2014 16:52:31 +0300 From: "Michael S. Tsirkin" Message-ID: <20140409135231.GA12232@redhat.com> References: <1396502304-7456-1-git-send-email-arei.gonglei@huawei.com> <1396502304-7456-2-git-send-email-arei.gonglei@huawei.com> <20140408153212.GA8087@redhat.com> <33183CC9F5247A488A2544077AF19020815DE57B@SZXEMA503-MBS.china.huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <33183CC9F5247A488A2544077AF19020815DE57B@SZXEMA503-MBS.china.huawei.com> Subject: Re: [Qemu-devel] [PATCH 2/2] pci-assign: Fix memory out of bound when MSI-X table not fit in a single page List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Gonglei (Arei)" Cc: "pbonzini@redhat.com" , "alex.williamson@redhat.com" , "Huangweidong (C)" , "qemu-devel@nongnu.org" On Wed, Apr 09, 2014 at 10:56:57AM +0000, Gonglei (Arei) wrote: > Hi, > > > > QEMU only mmap MSIX_PAGE_SIZE memory for all pci devices in > > > assigned_dev_register_msix_mmio(), meanwhile the set the one > > > page memmory to zero, so the rest memory will be random value > > > (maybe etnry.data is not 0). In the assigned_dev_update_msix_mmio() > > > maybe occur the issue of entry_nr > 256, and the kmod reports > > > the EINVAL error. > > > > > > Signed-off-by: Gonglei > > > > Okay so this kind of works because guest does not try > > to use so many vectors. > > > Yes. It's true. > > > But I think it's better not to give guest more entries > > than we can actually support. > > > > How about tweaking MSIX capability exposed to guest to limit table size? > > > IMHO, the MSIX table entry size got form the physic NIC hardware. The software > layer shouldn't tweak the capability of real hardware, neither QEMU nor KVM. > > > Best regards, > -Gonglei Should be easy to fix though. Does the following help? --> pci-assign: limit # of msix vectors Signed-off-by: Michael S. Tsirkin diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c index a825871..76aa86e 100644 --- a/hw/i386/kvm/pci-assign.c +++ b/hw/i386/kvm/pci-assign.c @@ -1258,6 +1258,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev) if (pos != 0 && kvm_device_msix_supported(kvm_state)) { int bar_nr; uint32_t msix_table_entry; + uint16_t msix_max; if (!check_irqchip_in_kernel()) { return -ENOTSUP; @@ -1269,9 +1270,10 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev) } pci_dev->msix_cap = pos; - pci_set_word(pci_dev->config + pos + PCI_MSIX_FLAGS, - pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS) & - PCI_MSIX_FLAGS_QSIZE); + msix_max = (pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS) & + PCI_MSIX_FLAGS_QSIZE) + 1; + msix_max = MIN(msix_max, KVM_MAX_MSIX_PER_DEV); + pci_set_word(pci_dev->config + pos + PCI_MSIX_FLAGS, msix_max - 1); /* Only enable and function mask bits are writable */ pci_set_word(pci_dev->wmask + pos + PCI_MSIX_FLAGS, @@ -1281,9 +1283,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev) bar_nr = msix_table_entry & PCI_MSIX_FLAGS_BIRMASK; msix_table_entry &= ~PCI_MSIX_FLAGS_BIRMASK; dev->msix_table_addr = pci_region[bar_nr].base_addr + msix_table_entry; - dev->msix_max = pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS); - dev->msix_max &= PCI_MSIX_FLAGS_QSIZE; - dev->msix_max += 1; + dev->msix_max = msix_max; } /* Minimal PM support, nothing writable, device appears to NAK changes */