* [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation
@ 2015-03-19 7:05 Jason Wang
2015-03-19 7:05 ` [Qemu-devel] [PATCH for 2.3 2/2] virtio-net: fix the upper bound when trying to delete queues Jason Wang
2015-03-19 10:10 ` [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation Michael S. Tsirkin
0 siblings, 2 replies; 7+ messages in thread
From: Jason Wang @ 2015-03-19 7:05 UTC (permalink / raw)
To: qemu-devel; +Cc: Jason Wang, qemu-stable, mst
We don't validate the backend queue numbers against bus limitation,
this will easily crash qemu if it exceeds the limitation. Fixing this
by doing the validation and fail early.
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/virtio-net.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 27adcc5..59f76bc 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1588,6 +1588,13 @@ static void virtio_net_device_realize(DeviceState *dev, Error **errp)
virtio_init(vdev, "virtio-net", VIRTIO_ID_NET, n->config_size);
n->max_queues = MAX(n->nic_conf.peers.queues, 1);
+ if (n->max_queues * 2 + 1 > VIRTIO_PCI_QUEUE_MAX) {
+ error_setg(errp, "Invalid number of queues (= %" PRIu32 "), "
+ "must be a postive integer less than %d.",
+ n->max_queues, (VIRTIO_PCI_QUEUE_MAX - 1) / 2);
+ virtio_cleanup(vdev);
+ return;
+ }
n->vqs = g_malloc0(sizeof(VirtIONetQueue) * n->max_queues);
n->vqs[0].rx_vq = virtio_add_queue(vdev, 256, virtio_net_handle_rx);
n->curr_queues = 1;
--
2.1.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Qemu-devel] [PATCH for 2.3 2/2] virtio-net: fix the upper bound when trying to delete queues
2015-03-19 7:05 [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation Jason Wang
@ 2015-03-19 7:05 ` Jason Wang
2015-03-19 10:12 ` Michael S. Tsirkin
2015-03-19 10:10 ` [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation Michael S. Tsirkin
1 sibling, 1 reply; 7+ messages in thread
From: Jason Wang @ 2015-03-19 7:05 UTC (permalink / raw)
To: qemu-devel; +Cc: Jason Wang, qemu-stable, mst
Virtqueue were indexed from zero, so don't delete virtqueue whose
index is n->max_queues * 2 + 1.
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/virtio-net.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 59f76bc..b6fac9c 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1309,7 +1309,7 @@ static void virtio_net_set_multiqueue(VirtIONet *n, int multiqueue)
n->multiqueue = multiqueue;
- for (i = 2; i <= n->max_queues * 2 + 1; i++) {
+ for (i = 2; i < n->max_queues * 2 + 1; i++) {
virtio_del_queue(vdev, i);
}
--
2.1.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation
2015-03-19 7:05 [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation Jason Wang
2015-03-19 7:05 ` [Qemu-devel] [PATCH for 2.3 2/2] virtio-net: fix the upper bound when trying to delete queues Jason Wang
@ 2015-03-19 10:10 ` Michael S. Tsirkin
2015-03-20 5:52 ` Jason Wang
1 sibling, 1 reply; 7+ messages in thread
From: Michael S. Tsirkin @ 2015-03-19 10:10 UTC (permalink / raw)
To: Jason Wang; +Cc: qemu-devel, qemu-stable
On Thu, Mar 19, 2015 at 03:05:51PM +0800, Jason Wang wrote:
> We don't validate the backend queue numbers against bus limitation,
> this will easily crash qemu if it exceeds the limitation. Fixing this
> by doing the validation and fail early.
Can you please include the qemu command line that crashes?
> Cc: qemu-stable <qemu-stable@nongnu.org>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
> ---
> hw/net/virtio-net.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 27adcc5..59f76bc 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -1588,6 +1588,13 @@ static void virtio_net_device_realize(DeviceState *dev, Error **errp)
> virtio_init(vdev, "virtio-net", VIRTIO_ID_NET, n->config_size);
>
> n->max_queues = MAX(n->nic_conf.peers.queues, 1);
> + if (n->max_queues * 2 + 1 > VIRTIO_PCI_QUEUE_MAX) {
> + error_setg(errp, "Invalid number of queues (= %" PRIu32 "), "
> + "must be a postive integer less than %d.",
> + n->max_queues, (VIRTIO_PCI_QUEUE_MAX - 1) / 2);
> + virtio_cleanup(vdev);
> + return;
> + }
> n->vqs = g_malloc0(sizeof(VirtIONetQueue) * n->max_queues);
> n->vqs[0].rx_vq = virtio_add_queue(vdev, 256, virtio_net_handle_rx);
> n->curr_queues = 1;
> --
> 2.1.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH for 2.3 2/2] virtio-net: fix the upper bound when trying to delete queues
2015-03-19 7:05 ` [Qemu-devel] [PATCH for 2.3 2/2] virtio-net: fix the upper bound when trying to delete queues Jason Wang
@ 2015-03-19 10:12 ` Michael S. Tsirkin
2015-03-20 5:53 ` Jason Wang
0 siblings, 1 reply; 7+ messages in thread
From: Michael S. Tsirkin @ 2015-03-19 10:12 UTC (permalink / raw)
To: Jason Wang; +Cc: qemu-devel, qemu-stable
On Thu, Mar 19, 2015 at 03:05:52PM +0800, Jason Wang wrote:
> Virtqueue were indexed from zero, so don't delete virtqueue whose
> index is n->max_queues * 2 + 1.
But what's the current behaviour?
Can it lead to aborts? virtio_del_queue does:
if (n < 0 || n >= VIRTIO_PCI_QUEUE_MAX) {
abort();
}
> Cc: Michael S. Tsirkin <mst@redhat.com>
> Cc: qemu-stable <qemu-stable@nongnu.org>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
> ---
> hw/net/virtio-net.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 59f76bc..b6fac9c 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -1309,7 +1309,7 @@ static void virtio_net_set_multiqueue(VirtIONet *n, int multiqueue)
>
> n->multiqueue = multiqueue;
>
> - for (i = 2; i <= n->max_queues * 2 + 1; i++) {
> + for (i = 2; i < n->max_queues * 2 + 1; i++) {
> virtio_del_queue(vdev, i);
> }
>
> --
> 2.1.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation
2015-03-19 10:10 ` [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation Michael S. Tsirkin
@ 2015-03-20 5:52 ` Jason Wang
0 siblings, 0 replies; 7+ messages in thread
From: Jason Wang @ 2015-03-20 5:52 UTC (permalink / raw)
To: Michael S. Tsirkin; +Cc: qemu-devel, qemu-stable
On Thu, Mar 19, 2015 at 6:10 PM, Michael S. Tsirkin <mst@redhat.com>
wrote:
> On Thu, Mar 19, 2015 at 03:05:51PM +0800, Jason Wang wrote:
>> We don't validate the backend queue numbers against bus limitation,
>> this will easily crash qemu if it exceeds the limitation. Fixing
>> this
>> by doing the validation and fail early.
>
> Can you please include the qemu command line that crashes?
Ok, will include it in v2. cli is something like:
qemu-system-x86_64 -netdev tap,id=hn0,queues=256 -device
virtio-net-pci,netdev=hn0 -enable-kvm
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH for 2.3 2/2] virtio-net: fix the upper bound when trying to delete queues
2015-03-19 10:12 ` Michael S. Tsirkin
@ 2015-03-20 5:53 ` Jason Wang
2015-03-20 6:04 ` Jason Wang
0 siblings, 1 reply; 7+ messages in thread
From: Jason Wang @ 2015-03-20 5:53 UTC (permalink / raw)
To: Michael S. Tsirkin; +Cc: qemu-devel, qemu-stable
On Thu, Mar 19, 2015 at 6:12 PM, Michael S. Tsirkin <mst@redhat.com>
wrote:
> On Thu, Mar 19, 2015 at 03:05:52PM +0800, Jason Wang wrote:
>> Virtqueue were indexed from zero, so don't delete virtqueue whose
>> index is n->max_queues * 2 + 1.
>
> But what's the current behaviour?
>
> Can it lead to aborts? virtio_del_queue does:
> if (n < 0 || n >= VIRTIO_PCI_QUEUE_MAX) {
> abort();
> }
Yes, it will hit abort() above.
>
>
>
>> Cc: Michael S. Tsirkin <mst@redhat.com>
>> Cc: qemu-stable <qemu-stable@nongnu.org>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>> ---
>> hw/net/virtio-net.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
>> index 59f76bc..b6fac9c 100644
>> --- a/hw/net/virtio-net.c
>> +++ b/hw/net/virtio-net.c
>> @@ -1309,7 +1309,7 @@ static void
>> virtio_net_set_multiqueue(VirtIONet *n, int multiqueue)
>>
>> n->multiqueue = multiqueue;
>>
>> - for (i = 2; i <= n->max_queues * 2 + 1; i++) {
>> + for (i = 2; i < n->max_queues * 2 + 1; i++) {
>> virtio_del_queue(vdev, i);
>> }
>>
>> --
>> 2.1.0
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH for 2.3 2/2] virtio-net: fix the upper bound when trying to delete queues
2015-03-20 5:53 ` Jason Wang
@ 2015-03-20 6:04 ` Jason Wang
0 siblings, 0 replies; 7+ messages in thread
From: Jason Wang @ 2015-03-20 6:04 UTC (permalink / raw)
To: Michael S. Tsirkin; +Cc: qemu-devel, qemu-stable
On Fri, Mar 20, 2015 at 1:53 PM, Jason Wang <jasowang@redhat.com> wrote:
>
>
> On Thu, Mar 19, 2015 at 6:12 PM, Michael S. Tsirkin <mst@redhat.com>
> wrote:
>> On Thu, Mar 19, 2015 at 03:05:52PM +0800, Jason Wang wrote:
>>> Virtqueue were indexed from zero, so don't delete virtqueue whose
>>> index is n->max_queues * 2 + 1.
>>
>> But what's the current behaviour?
>>
>> Can it lead to aborts? virtio_del_queue does:
>> if (n < 0 || n >= VIRTIO_PCI_QUEUE_MAX) {
>> abort();
>> }
>
> Yes, it will hit abort() above.
With patch 1/1 on top, there will be no crash. Will drop this from V2.
This patch was only needed for more virtio queues series.
>
>>
>>
>>
>>> Cc: Michael S. Tsirkin <mst@redhat.com>
>>> Cc: qemu-stable <qemu-stable@nongnu.org>
>>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>>> ---
>>> hw/net/virtio-net.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
>>> index 59f76bc..b6fac9c 100644
>>> --- a/hw/net/virtio-net.c
>>> +++ b/hw/net/virtio-net.c
>>> @@ -1309,7 +1309,7 @@ static void
>>> virtio_net_set_multiqueue(VirtIONet *n, int multiqueue)
>>> n->multiqueue = multiqueue;
>>> - for (i = 2; i <= n->max_queues * 2 + 1; i++) {
>>> + for (i = 2; i < n->max_queues * 2 + 1; i++) {
>>> virtio_del_queue(vdev, i);
>>> }
>>> -- 2.1.0
>>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-03-20 6:04 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-03-19 7:05 [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation Jason Wang
2015-03-19 7:05 ` [Qemu-devel] [PATCH for 2.3 2/2] virtio-net: fix the upper bound when trying to delete queues Jason Wang
2015-03-19 10:12 ` Michael S. Tsirkin
2015-03-20 5:53 ` Jason Wang
2015-03-20 6:04 ` Jason Wang
2015-03-19 10:10 ` [Qemu-devel] [PATCH for 2.3 1/2] virtio-net: validate backend queue numbers against bus limitation Michael S. Tsirkin
2015-03-20 5:52 ` Jason Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).