From: Greg Kurz <groug@kaod.org>
To: Laszlo Ersek <lersek@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
Cornelia Huck <cornelia.huck@de.ibm.com>,
Fam Zheng <famz@redhat.com>,
qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
Prasad Pandit <ppandit@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v3 00/10] virtio: avoid exit() when device enters invalid states
Date: Tue, 20 Sep 2016 11:26:57 +0200 [thread overview]
Message-ID: <20160920112657.39cf44ab@bahia> (raw)
In-Reply-To: <983e6ea4-c0fd-fad1-9027-c913c2faf796@redhat.com>
On Mon, 19 Sep 2016 21:27:45 +0200
Laszlo Ersek <lersek@redhat.com> wrote:
> On 09/19/16 19:51, Michael S. Tsirkin wrote:
> > On Mon, Sep 19, 2016 at 06:07:40PM +0200, Cornelia Huck wrote:
> >> On Tue, 12 Apr 2016 14:25:24 +0100
> >> Stefan Hajnoczi <stefanha@redhat.com> wrote:
> >>
> >>> v3:
> >>> * Patch 1: Fix typo and clarify commit description [Markus]
> >>> * Use virtio_set_status() instead of open coding assignment [Cornelia]
> >>> * Add live migration
> >>>
> >>> v2:
> >>> * Add VIRTIO_CONFIG_S_NEEDS_RESET notification for VIRTIO 1.0 [Cornelia]
> >>> (Note I've sent a Linux virtio_config.h patch to get the constant added to
> >>> the headers.)
> >>> * Split int -> unsigned int change into separate commit [Fam]
> >>> * Fix double "index" typo in commit description [Fam]
> >>>
> >>> The virtio code calls exit() when the device enters an invalid state. This
> >>> means invalid vring indices and descriptor chains kill the VM. See the patch
> >>> descriptions for why this is a bad thing.
> >>>
> >>> When the virtio device is in the broken state calls to virtqueue_pop() and
> >>> friends will pretend the virtqueue is empty. This means the device will become
> >>> isolated from guest activity until it is reset again.
> >>>
> >>> RFC because two things are missing:
> >>> 1. Live migration support (subsection for broken flag?)
> >>> 2. Auditing devices and replacing exit() calls there too
> >>>
> >>> Stefan Hajnoczi (10):
> >>> virtio: fix stray tab character
> >>> include: update virtio_config.h Linux header
> >>> virtio: stop virtqueue processing if device is broken
> >>> virtio: migrate vdev->broken flag
> >>> virtio: handle virtqueue_map_desc() errors
> >>> virtio: handle virtqueue_get_avail_bytes() errors
> >>> virtio: use unsigned int for virtqueue_get_avail_bytes() index
> >>> virtio: handle virtqueue_read_next_desc() errors
> >>> virtio: handle virtqueue_num_heads() errors
> >>> virtio: handle virtqueue_get_head() errors
> >>>
> >>> hw/virtio/virtio.c | 223 +++++++++++++++++++------
> >>> include/hw/virtio/virtio.h | 3 +
> >>> include/standard-headers/linux/virtio_config.h | 2 +
> >>> 3 files changed, 181 insertions(+), 47 deletions(-)
> >>>
> >>
> >> As the exit-in-virtio question has popped up several times in the
> >> recent past: I think we should go forward with this series, even if we
> >> still need to look at the individual devices. Do you have a version
> >> that fits on current master?
> >
> > I agree.
> >
>
> NB, Prasad just posted a patch (v3 being the latest) that adds another
> such exit(1), at my suggestion.
>
> [Qemu-devel] [PATCH v3] virtio: add check for descriptor's mapped
> address
>
> So a rebase of this series should likely consider that patch as well.
> (But Stefan is aware anyway.)
>
> Thanks!
> Laszlo
>
Stefan's series still applies on the current head, except the virtio_config.h
patch which isn't needed anymore.
And indeed there are a bunch of places where QEMU exits:
[greg@bahia qemu-virtio]$ git grep 'exit(1)' hw/virtio hw/*/virtio*
hw/block/virtio-blk.c: exit(1);
hw/block/virtio-blk.c: exit(1);
hw/block/virtio-blk.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/scsi/virtio-scsi-dataplane.c: exit(1);
hw/scsi/virtio-scsi.c: exit(1);
hw/scsi/virtio-scsi.c: exit(1);
hw/scsi/virtio-scsi.c: exit(1);
hw/virtio/virtio.c: exit(1);
hw/virtio/virtio.c: exit(1);
hw/virtio/virtio.c: exit(1);
hw/virtio/virtio.c: exit(1);
And also even more places with assert() or BUG_ON(), some of which are
guest errors actually.
For example, in virtio-9p, we have:
static void handle_9p_output(VirtIODevice *vdev, VirtQueue *vq)
{
...
len = iov_to_buf(elem->out_sg, elem->out_num, 0,
&out, sizeof out);
BUG_ON(len != sizeof out);
...
}
The condition may only be true if the guest sent less than the expected
9P message header which is 7-byte long.
I have a patch for this based on Stefan's series BTW.
Cheers.
--
Greg
next prev parent reply other threads:[~2016-09-20 9:27 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-12 13:25 [Qemu-devel] [PATCH v3 00/10] virtio: avoid exit() when device enters invalid states Stefan Hajnoczi
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 01/10] virtio: fix stray tab character Stefan Hajnoczi
2016-09-20 11:32 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 02/10] include: update virtio_config.h Linux header Stefan Hajnoczi
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 03/10] virtio: stop virtqueue processing if device is broken Stefan Hajnoczi
2016-09-20 11:35 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 04/10] virtio: migrate vdev->broken flag Stefan Hajnoczi
2016-09-20 11:36 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 05/10] virtio: handle virtqueue_map_desc() errors Stefan Hajnoczi
2016-09-20 11:41 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 06/10] virtio: handle virtqueue_get_avail_bytes() errors Stefan Hajnoczi
2016-09-20 11:44 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 07/10] virtio: use unsigned int for virtqueue_get_avail_bytes() index Stefan Hajnoczi
2016-09-20 11:45 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 08/10] virtio: handle virtqueue_read_next_desc() errors Stefan Hajnoczi
2016-09-20 11:48 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 09/10] virtio: handle virtqueue_num_heads() errors Stefan Hajnoczi
2016-09-20 11:50 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 10/10] virtio: handle virtqueue_get_head() errors Stefan Hajnoczi
2016-09-20 11:52 ` Cornelia Huck
2016-09-19 16:07 ` [Qemu-devel] [PATCH v3 00/10] virtio: avoid exit() when device enters invalid states Cornelia Huck
2016-09-19 17:51 ` Michael S. Tsirkin
2016-09-19 19:27 ` Laszlo Ersek
2016-09-20 9:26 ` Greg Kurz [this message]
2016-09-20 12:00 ` Cornelia Huck
2016-09-20 13:35 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160920112657.39cf44ab@bahia \
--to=groug@kaod.org \
--cc=cornelia.huck@de.ibm.com \
--cc=famz@redhat.com \
--cc=lersek@redhat.com \
--cc=mst@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.