public inbox for kvm@vger.kernel.org
* [PATCH 1/3] virtio: Correct error message of unavailable index
@ 2011-06-15 14:25 Amos Kong
From: Amos Kong @ 2011-06-15 14:25 UTC (permalink / raw)
  To: mst; +Cc: kvm

'head' is an index of VirtQueueElement; it should be less than vring.num

Signed-off-by: Amos Kong <akong@redhat.com>
---
 hw/virtio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/virtio.c b/hw/virtio.c
index 6e8814c..a3d0eee 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -271,7 +271,7 @@ static unsigned int virtqueue_get_head(VirtQueue *vq, unsigned int idx)
 
     /* If their number is silly, that's a fatal mistake. */
     if (head >= vq->vring.num) {
-        error_report("Guest says index %u is available", head);
+        error_report("Guest says index %u is unavailable", head);
         exit(1);
     }
 
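Review bot: the reworded message in the `+` line inverts the meaning of the check rather than correcting it. `head` is an index the guest advertised through the available ring, so the original "Guest says index %u is available" accurately reports that the guest made an out-of-range descriptor index available, whereas "unavailable" describes a condition the code does not test. If the goal is a clearer diagnostic, keep the original wording and add the bound, e.g. `error_report("Guest says index %u is available, but vring.num is %u", head, vq->vring.num);`. The `head >= vq->vring.num` comparison itself is the part that matters here, since `head` is guest-controlled input, and it is unchanged.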



* [PATCH 2/3] virtio: Strictly check queue_size when adding virtqueue
@ 2011-06-15 14:25 Amos Kong
From: Amos Kong @ 2011-06-15 14:25 UTC (permalink / raw)
  To: mst; +Cc: kvm

Qemu should abort when 'queue_size' is less than or equal to zero.

Signed-off-by: Amos Kong <akong@redhat.com>
---
 hw/virtio.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/hw/virtio.c b/hw/virtio.c
index a3d0eee..855fe54 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -612,7 +612,8 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
             break;
     }
 
-    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE)
+    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE ||
+        queue_size <= 0)
         abort();
 
     vdev->vq[i].vring.num = queue_size;
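Review bot: the new `queue_size <= 0` clause guards a signed `int` parameter that is fed by the device models' own code rather than by the guest or the user, so this is an assertion about QEMU itself, and the commit message should say what it is guarding against instead of restating the condition. The concrete hazard worth spelling out: a negative `int` compares below `VIRTQUEUE_MAX_SIZE`, so the existing `queue_size > VIRTQUEUE_MAX_SIZE` test would not catch it and the value would be stored into `vdev->vq[i].vring.num`, while `queue_size == 0` produces an empty ring in which `virtqueue_get_head()` rejects every index. If negative values are never valid, declaring the parameter `unsigned int` expresses that contract in the type and makes the negative case fall under the existing upper-bound check, leaving only the zero case to decide.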



* [PATCH 3/3] virtio: Define max_nr_ports to unsigned
@ 2011-06-15 14:25 Amos Kong
From: Amos Kong @ 2011-06-15 14:25 UTC (permalink / raw)
  To: mst; +Cc: kvm

hw/virtio-serial-bus.c:
725 static int virtser_port_qdev_init(DeviceState *qdev, DeviceInfo *base)
726 {
...
730     int ret, max_nr_ports;
...
762     max_nr_ports = tswap32(port->vser->config.max_nr_ports);
763     if (port->id >= max_nr_ports) {

tswap32() returns a uint32_t variable.

Signed-off-by: Amos Kong <akong@redhat.com>
---
 hw/virtio-serial-bus.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index 9a12104..aae8456 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -727,7 +727,8 @@ static int virtser_port_qdev_init(DeviceState *qdev, DeviceInfo *base)
     VirtIOSerialPort *port = DO_UPCAST(VirtIOSerialPort, dev, qdev);
     VirtIOSerialPortInfo *info = DO_UPCAST(VirtIOSerialPortInfo, qdev, base);
     VirtIOSerialBus *bus = DO_UPCAST(VirtIOSerialBus, qbus, qdev->parent_bus);
-    int ret, max_nr_ports;
+    int ret;
+    uint32_t max_nr_ports;
     bool plugging_port0;
 
     port->vser = bus->vser;
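Review bot: the type change is right, but the comparison it exists for, `if (port->id >= max_nr_ports)` cited in the commit message, lies outside this hunk's context, so a reviewer has to go and check the type of `port->id` separately. If `port->id` is a signed `int`, the comparison now happens in `uint32_t` after the usual arithmetic conversions, which rejects a negative `port->id` (it becomes a large value) where the old all-`int` comparison accepted it; that is a behavioural change and the message should mention it. It is also worth one sentence in the message that `max_nr_ports` comes from the device config via `tswap32()`, so keeping the comparison unsigned is what prevents a value with the top bit set from turning negative and slipping past the check, even if, as noted downthread, 2^31 ports is not a realistic configuration.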



* Re: [PATCH 1/3] virtio: Correct error message of unavailable index
@ 2011-06-15 20:30 Michael S. Tsirkin
From: Michael S. Tsirkin @ 2011-06-15 20:30 UTC (permalink / raw)
  To: Amos Kong; +Cc: kvm

On Wed, Jun 15, 2011 at 10:25:24PM +0800, Amos Kong wrote:
> 'head' is an index of VirtQueueElement; it should be less than vring.num
> 
> Signed-off-by: Amos Kong <akong@redhat.com>
> ---
>  hw/virtio.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/hw/virtio.c b/hw/virtio.c
> index 6e8814c..a3d0eee 100644
> --- a/hw/virtio.c
> +++ b/hw/virtio.c
> @@ -271,7 +271,7 @@ static unsigned int virtqueue_get_head(VirtQueue *vq, unsigned int idx)
>  
>      /* If their number is silly, that's a fatal mistake. */
>      if (head >= vq->vring.num) {
> -        error_report("Guest says index %u is available", head);
> +        error_report("Guest says index %u is unavailable", head);
>          exit(1);
>      }
>  

That does not seem right. So the message says that an illegal value
was made available - that is, put in the available ring.
The original message seems correct to me.



-- 
MST


* Re: [PATCH 2/3] virtio: Strictly check queue_size when adding virtqueue
@ 2011-06-15 20:36 Michael S. Tsirkin
From: Michael S. Tsirkin @ 2011-06-15 20:36 UTC (permalink / raw)
  To: Amos Kong; +Cc: kvm

On Wed, Jun 15, 2011 at 10:25:33PM +0800, Amos Kong wrote:
> Qemu should abort when 'queue_size' is less than or equal to zero.
> 
> Signed-off-by: Amos Kong <akong@redhat.com>

BTW, these patches apply upstream so should be sent to qemu-devel.

> ---
>  hw/virtio.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/hw/virtio.c b/hw/virtio.c
> index a3d0eee..855fe54 100644
> --- a/hw/virtio.c
> +++ b/hw/virtio.c
> @@ -612,7 +612,8 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
>              break;
>      }
>  
> -    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE)
> +    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE ||
> +        queue_size <= 0)
>          abort();
>  
>      vdev->vq[i].vring.num = queue_size;

These checks are just a debugging aid - there's no way
for the guest or user to trigger this.
I guess it does no harm, but what are we guarding against?
Why would anyone pass in a negative value?

-- 
MST


* Re: [PATCH 3/3] virtio: Define max_nr_ports to unsigned
@ 2011-06-15 20:39 Michael S. Tsirkin
From: Michael S. Tsirkin @ 2011-06-15 20:39 UTC (permalink / raw)
  To: Amos Kong; +Cc: kvm

On Wed, Jun 15, 2011 at 10:25:41PM +0800, Amos Kong wrote:
> hw/virtio-serial-bus.c:
> 725 static int virtser_port_qdev_init(DeviceState *qdev, DeviceInfo *base)
> 726 {
> ...
> 730     int ret, max_nr_ports;
> ...
> 762     max_nr_ports = tswap32(port->vser->config.max_nr_ports);
> 763     if (port->id >= max_nr_ports) {
> 
> tswap32() returns a uint32_t variable.
> 
> Signed-off-by: Amos Kong <akong@redhat.com>

I guess 2^31 ports isn't really feasible, but it's good
to be consistent.

Acked-by: Michael S. Tsirkin <mst@redhat.com>


> ---
>  hw/virtio-serial-bus.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
> index 9a12104..aae8456 100644
> --- a/hw/virtio-serial-bus.c
> +++ b/hw/virtio-serial-bus.c
> @@ -727,7 +727,8 @@ static int virtser_port_qdev_init(DeviceState *qdev, DeviceInfo *base)
>      VirtIOSerialPort *port = DO_UPCAST(VirtIOSerialPort, dev, qdev);
>      VirtIOSerialPortInfo *info = DO_UPCAST(VirtIOSerialPortInfo, qdev, base);
>      VirtIOSerialBus *bus = DO_UPCAST(VirtIOSerialBus, qbus, qdev->parent_bus);
> -    int ret, max_nr_ports;
> +    int ret;
> +    uint32_t max_nr_ports;
>      bool plugging_port0;
>  
>      port->vser = bus->vser;


* Re: [PATCH 2/3] virtio: Strictly check queue_size when adding virtqueue
@ 2011-06-15 22:53 Amos Kong
From: Amos Kong @ 2011-06-15 22:53 UTC (permalink / raw)
  To: Michael S. Tsirkin; +Cc: kvm, qemu-devel

On Wed, Jun 15, 2011 at 11:36:02PM +0300, Michael S. Tsirkin wrote:
> On Wed, Jun 15, 2011 at 10:25:33PM +0800, Amos Kong wrote:
> > Qemu should abort when 'queue_size' is less than or equal to zero.
> > 
> > Signed-off-by: Amos Kong <akong@redhat.com>
> 
> BTW, these patches apply upstream so should be sent to qemu-devel.
> 
> > ---
> >  hw/virtio.c |    3 ++-
> >  1 files changed, 2 insertions(+), 1 deletions(-)
> > 
> > diff --git a/hw/virtio.c b/hw/virtio.c
> > index a3d0eee..855fe54 100644
> > --- a/hw/virtio.c
> > +++ b/hw/virtio.c
> > @@ -612,7 +612,8 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
> >              break;
> >      }
> >  
> > -    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE)
> > +    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE ||
> > +        queue_size <= 0)
> >          abort();
> >  
> >      vdev->vq[i].vring.num = queue_size;
> 
> These checks are just a debugging aid - there's no way
> for the guest or user to trigger this.
> I guess it does no harm, but what are we guarding against?
> Why would anyone pass in a negative value?

It seems all existing usages of this function are all right; the guest/user could not trigger this right now.
So we don't need to fix this kind of problem?


* Re: [Qemu-devel] [PATCH 2/3] virtio: Strictly check queue_size when adding virtqueue
@ 2011-06-15 23:31 Anthony Liguori
From: Anthony Liguori @ 2011-06-15 23:31 UTC (permalink / raw)
  To: Amos Kong; +Cc: Michael S. Tsirkin, qemu-devel, kvm

On 06/15/2011 05:53 PM, Amos Kong wrote:
> On Wed, Jun 15, 2011 at 11:36:02PM +0300, Michael S. Tsirkin wrote:
>> On Wed, Jun 15, 2011 at 10:25:33PM +0800, Amos Kong wrote:
>>> Qemu should abort when 'queue_size' is less than or equal to zero.
>>>
>>> Signed-off-by: Amos Kong <akong@redhat.com>
>>
>> BTW, these patches apply upstream so should be sent to qemu-devel.
>>
>>> ---
>>>   hw/virtio.c |    3 ++-
>>>   1 files changed, 2 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/hw/virtio.c b/hw/virtio.c
>>> index a3d0eee..855fe54 100644
>>> --- a/hw/virtio.c
>>> +++ b/hw/virtio.c
>>> @@ -612,7 +612,8 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
>>>               break;
>>>       }
>>>
>>> -    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size>  VIRTQUEUE_MAX_SIZE)
>>> +    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size>  VIRTQUEUE_MAX_SIZE ||
>>> +        queue_size<= 0)
>>>           abort();
>>>
>>>       vdev->vq[i].vring.num = queue_size;
>>
>> These checks are just a debugging aid - there's no way
>> for the guest or user to trigger this.
>> I guess it does no harm, but what are we guarding against?
>> Why would anyone pass in a negative value?
>
> It seems all existing usages of this function are all right; the guest/user could not trigger this right now.
> So we don't need to fix this kind of problem?

If it's not valid for queue_size to be negative, then the type ought to 
be unsigned.

Regards,

Anthony Liguori



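As an added example (not QEMU's code and not written by anyone in this thread), the following C shows concretely what "the type ought to be unsigned" changes for the two checks quoted in this thread: the negative case, the zero case, and the head bounds check from patch 1/3. The value of VIRTQUEUE_MAX_SIZE and all function names are assumptions.

```c
/* Added example, not QEMU's code: what the int-vs-unsigned queue_size
 * argument discussed in this thread changes for the checks quoted above.
 * VIRTQUEUE_MAX_SIZE's value and all function names here are assumptions. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define VIRTQUEUE_MAX_SIZE 1024   /* assumed stand-in for QEMU's macro */

/* v1 shape: signed parameter plus the explicit "<= 0" guard from patch 2/3. */
static bool add_queue_ok_v1(int queue_size)
{
    return !(queue_size > VIRTQUEUE_MAX_SIZE || queue_size <= 0);
}

/* v2 shape: unsigned parameter, only the pre-existing upper-bound check. */
static bool add_queue_ok_v2(unsigned int queue_size)
{
    return !(queue_size > VIRTQUEUE_MAX_SIZE);
}

/* Baseline before patch 2/3: no size check at all, the int is stored into
 * vring.num (assumed unsigned, like the 'head' it is compared against). */
static unsigned int vring_num_unchecked(int queue_size)
{
    return (unsigned int)queue_size;  /* -1 becomes UINT_MAX */
}

/* The bounds check from virtqueue_get_head(): true means "head accepted". */
static bool head_accepted(unsigned int head, unsigned int vring_num)
{
    return head < vring_num;
}

int main(void)
{
    printf("v1 accepts -1: %d\n", add_queue_ok_v1(-1));                /* 0 */
    /* (unsigned int)-1 == UINT_MAX, so the upper-bound check catches it. */
    printf("v2 accepts -1: %d\n", add_queue_ok_v2((unsigned int)-1));  /* 0 */
    /* Zero is the case v2 stops catching: an empty ring rejects every head. */
    printf("v2 accepts 0:  %d\n", add_queue_ok_v2(0));                 /* 1 */
    /* Programmer error, not guest-triggerable (as MST notes), but it shows
     * why the type matters: a huge vring.num makes the head check vacuous. */
    unsigned int num = vring_num_unchecked(-1);
    printf("unchecked -1: vring.num=%u, head 100000 accepted=%d\n",
           num, head_accepted(100000, num));                           /* 1 */
    return 0;
}
```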

* Re: [PATCH 1/3] virtio: Correct error message of unavailable index
@ 2011-06-16 1:59 Amos Kong
From: Amos Kong @ 2011-06-16  1:59 UTC (permalink / raw)
  To: Michael S. Tsirkin; +Cc: kvm

On Wed, Jun 15, 2011 at 11:30:32PM +0300, Michael S. Tsirkin wrote:
> On Wed, Jun 15, 2011 at 10:25:24PM +0800, Amos Kong wrote:
> > 'head' is an index of VirtQueueElement; it should be less than vring.num
> > 
> > Signed-off-by: Amos Kong <akong@redhat.com>
> > ---
> >  hw/virtio.c |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> > 
> > diff --git a/hw/virtio.c b/hw/virtio.c
> > index 6e8814c..a3d0eee 100644
> > --- a/hw/virtio.c
> > +++ b/hw/virtio.c
> > @@ -271,7 +271,7 @@ static unsigned int virtqueue_get_head(VirtQueue *vq, unsigned int idx)
> >  
> >      /* If their number is silly, that's a fatal mistake. */
> >      if (head >= vq->vring.num) {
> > -        error_report("Guest says index %u is available", head);
> > +        error_report("Guest says index %u is unavailable", head);
> >          exit(1);
> >      }
> >  
> 
> That does not seem right. So the message says that an illegal value
> was made available - that is, put in the available ring.
> The original message seems correct to me.

It's my misunderstanding, thanks for pointing this out.


* [PATCH v2] virtio: Define queue_size to unsigned
@ 2011-06-16 2:10 Amos Kong
From: Amos Kong @ 2011-06-16  2:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: kvm, mst

It's not valid for queue_size to be negative, so the type ought
to be unsigned.

Changes from V1:
- drop the check and just define it to unsigned.

Signed-off-by: Amos Kong <akong@redhat.com>
---
 hw/virtio.c |    2 +-
 hw/virtio.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/virtio.c b/hw/virtio.c
index 6e8814c..4c1e334 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -602,7 +602,7 @@ void virtio_queue_set_vector(VirtIODevice *vdev, int n, uint16_t vector)
         vdev->vq[n].vector = vector;
 }
 
-VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
+VirtQueue *virtio_add_queue(VirtIODevice *vdev, unsigned int queue_size,
                             void (*handle_output)(VirtIODevice *, VirtQueue *))
 {
     int i;
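Review bot: with the parameter now `unsigned int`, the existing `queue_size > VIRTQUEUE_MAX_SIZE` check in this function (visible in v1's context, not in this hunk) catches a negative argument, because the value converts to something far above the limit, so dropping the explicit `<= 0` guard is fine for that case; what is no longer rejected is `queue_size == 0`, which v1 did catch, and the commit message should say whether a zero-sized queue is intentionally allowed. Every caller that still passes a signed `int` now relies on an implicit sign conversion, so it is worth one build with GCC's -Wsign-conversion to confirm none of them passes a constant that used to be negative; the local `int i` compared against `VIRTIO_PCI_QUEUE_MAX` is unaffected.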
diff --git a/hw/virtio.h b/hw/virtio.h
index bc72289..ff0c9b5 100644
--- a/hw/virtio.h
+++ b/hw/virtio.h
@@ -138,7 +138,7 @@ static inline void virtio_set_status(VirtIODevice *vdev, uint8_t val)
     vdev->status = val;
 }
 
-VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
+VirtQueue *virtio_add_queue(VirtIODevice *vdev, unsigned int queue_size,
                             void (*handle_output)(VirtIODevice *,
                                                   VirtQueue *));
 
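Review bot: the prototype matches the new definition in hw/virtio.c, which is the main thing to verify in a header hunk. Since the declaration is where callers look, it is also the right place for a short comment stating the accepted range (at most VIRTQUEUE_MAX_SIZE, and whether zero is permitted); that would answer the "what are we guarding against" question raised on v1 without a runtime check.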


