From: John Snow <jsnow@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: kwolf@redhat.com, mst@redhat.com, qemu-devel@nongnu.org,
	armbru@redhat.com, mreitz@redhat.com, stefanha@redhat.com,
	pbonzini@redhat.com
Subject: Re: [Qemu-devel] [PATCH v2 16/17] ahci: Recompute cur_cmd on migrate post load
Date: Tue, 10 Feb 2015 10:11:37 -0500
Message-ID: <54DA1FA9.2060109@redhat.com>
In-Reply-To: <20150210095612.GA9229@stefanha-thinkpad.redhat.com>

On 02/10/2015 04:56 AM, Stefan Hajnoczi wrote:
> On Tue, Dec 16, 2014 at 08:36:06PM -0500, John Snow wrote:
>> When the AHCI HBA device is migrated, all of the information that
>> led to the request being created is stored in the AHCIDevice
>> structures, except for pointers into guest data where return
>> information needs to be stored.
>>
>> The "cur_cmd" field is usually responsible for this.
>>
>> To rebuild the cur_cmd pointer post-migration, we can utilize
>> the busy_slot index to figure out where the command header
>> we are still processing is.
>>
>> This allows a machine in a halted state from rerror=stop or
>> werror=stop to be migrated and resume operations without issue.
>>
>> Signed-off-by: John Snow <jsnow@redhat.com>
>> ---
>>   hw/ide/ahci.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
>> index c153228..8078d3e 100644
>> --- a/hw/ide/ahci.c
>> +++ b/hw/ide/ahci.c
>> @@ -1373,6 +1373,10 @@ static int ahci_state_post_load(void *opaque, int version_id)
>>            */
>>           if (ad->busy_slot == -1) {
>>               check_cmd(s, i);
>> +        } else {
>> +            /* We are in the middle of a command, and may need to access
>> +             * the command header in guest memory again. */
>> +            ad->cur_cmd = &((AHCICmdHdr *)ad->lst)[ad->busy_slot];
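Review bot: the new else branch indexes ad->lst by ad->busy_slot without range-checking it first, and since this is ahci_state_post_load, busy_slot arrives in the migration stream and cannot be trusted; the `== -1` test only excludes one sentinel, so any other negative value or a slot at or past the end of the command list would still be turned into a cur_cmd pointer outside ad->lst. Suggest validating busy_slot before the pointer is formed and failing the load (return -1 from ahci_state_post_load) when it is neither -1 nor a valid slot index, e.g. `if (ad->busy_slot < -1 || ad->busy_slot >= <number of command slots>) { return -1; }` ahead of the existing if/else.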
>
> Where do we check that ad->busy_slot is within ad->lst[] bounds?
>
> If a malicious source sends a bogus value, this patch will lead to
> out-of-bounds accesses.
>
> Stefan
>

Good point. I'll recheck the series with this in mind.
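The bounds check Stefan asks for, as an added example that is not QEMU code: a constructed stand-in for the port state (Port, CmdHdr, CMD_SLOTS, port_post_load and load_with_slot are hypothetical names; the real device maps its command list from guest memory rather than embedding it) whose post-load rejects any migrated busy_slot that is neither -1 nor a valid slot before it forms the cur_cmd pointer.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the AHCI command list: the AHCI command
 * list has 32 slots, one command header per slot. */
#define CMD_SLOTS 32

typedef struct {
    uint8_t raw[32];        /* opaque command header bytes */
} CmdHdr;

typedef struct {
    CmdHdr  lst[CMD_SLOTS]; /* command list (guest memory in the real HBA) */
    int32_t busy_slot;      /* migrated: -1 = idle, else slot in progress */
    CmdHdr *cur_cmd;        /* derived state: rebuilt here, never migrated */
} Port;

/* Rebuild cur_cmd from the migrated busy_slot. Returns 0 on success and
 * -1 when the incoming state is invalid, so the load can be refused
 * instead of producing a pointer outside lst[]. */
int port_post_load(Port *p)
{
    if (p->busy_slot == -1) {
        p->cur_cmd = NULL;  /* idle: no command in flight */
        return 0;
    }
    /* Any other negative value, or a slot at/past the end of the list,
     * cannot have come from a well-behaved source: reject it. */
    if (p->busy_slot < 0 || p->busy_slot >= CMD_SLOTS) {
        return -1;
    }
    p->cur_cmd = &p->lst[p->busy_slot];
    return 0;
}

/* Demonstration helper: load a port carrying the given busy_slot and
 * report the outcome as the index cur_cmd points at, -1 if the load was
 * rejected, or -2 if the port came back idle. */
int load_with_slot(int32_t slot)
{
    Port p = { .busy_slot = slot, .cur_cmd = NULL };
    if (port_post_load(&p) < 0) {
        return -1;
    }
    if (p.cur_cmd == NULL) {
        return -2;
    }
    return (int)(p.cur_cmd - p.lst);
}
```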
