From: Greg Kurz <groug@kaod.org>
To: Laszlo Ersek <lersek@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
Cornelia Huck <cornelia.huck@de.ibm.com>,
Fam Zheng <famz@redhat.com>,
qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
Prasad Pandit <ppandit@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v3 00/10] virtio: avoid exit() when device enters invalid states
Date: Tue, 20 Sep 2016 11:26:57 +0200 [thread overview]
Message-ID: <20160920112657.39cf44ab@bahia> (raw)
In-Reply-To: <983e6ea4-c0fd-fad1-9027-c913c2faf796@redhat.com>
On Mon, 19 Sep 2016 21:27:45 +0200
Laszlo Ersek <lersek@redhat.com> wrote:
> On 09/19/16 19:51, Michael S. Tsirkin wrote:
> > On Mon, Sep 19, 2016 at 06:07:40PM +0200, Cornelia Huck wrote:
> >> On Tue, 12 Apr 2016 14:25:24 +0100
> >> Stefan Hajnoczi <stefanha@redhat.com> wrote:
> >>
> >>> v3:
> >>> * Patch 1: Fix typo and clarify commit description [Markus]
> >>> * Use virtio_set_status() instead of open coding assignment [Cornelia]
> >>> * Add live migration
> >>>
> >>> v2:
> >>> * Add VIRTIO_CONFIG_S_NEEDS_RESET notification for VIRTIO 1.0 [Cornelia]
> >>> (Note I've sent a Linux virtio_config.h patch to get the constant added to
> >>> the headers.)
> >>> * Split int -> unsigned int change into separate commit [Fam]
> >>> * Fix double "index" typo in commit description [Fam]
> >>>
> >>> The virtio code calls exit() when the device enters an invalid state. This
> >>> means invalid vring indices and descriptor chains kill the VM. See the patch
> >>> descriptions for why this is a bad thing.
> >>>
> >>> When the virtio device is in the broken state calls to virtqueue_pop() and
> >>> friends will pretend the virtqueue is empty. This means the device will become
> >>> isolated from guest activity until it is reset again.
> >>>
> >>> RFC because two things are missing:
> >>> 1. Live migration support (subsection for broken flag?)
> >>> 2. Auditing devices and replacing exit() calls there too
> >>>
> >>> Stefan Hajnoczi (10):
> >>> virtio: fix stray tab character
> >>> include: update virtio_config.h Linux header
> >>> virtio: stop virtqueue processing if device is broken
> >>> virtio: migrate vdev->broken flag
> >>> virtio: handle virtqueue_map_desc() errors
> >>> virtio: handle virtqueue_get_avail_bytes() errors
> >>> virtio: use unsigned int for virtqueue_get_avail_bytes() index
> >>> virtio: handle virtqueue_read_next_desc() errors
> >>> virtio: handle virtqueue_num_heads() errors
> >>> virtio: handle virtqueue_get_head() errors
> >>>
> >>> hw/virtio/virtio.c | 223 +++++++++++++++++++------
> >>> include/hw/virtio/virtio.h | 3 +
> >>> include/standard-headers/linux/virtio_config.h | 2 +
> >>> 3 files changed, 181 insertions(+), 47 deletions(-)
> >>>
> >>
> >> As the exit-in-virtio question has popped up several times in the
> >> recent past: I think we should go forward with this series, even if we
> >> still need to look at the individual devices. Do you have a version
> >> that fits on current master?
> >
> > I agree.
> >
>
> NB, Prasad just posted a patch (v3 being the latest) that adds another
> such exit(1), at my suggestion.
>
> [Qemu-devel] [PATCH v3] virtio: add check for descriptor's mapped
> address
>
> So a rebase of this series should likely consider that patch as well.
> (But Stefan is aware anyway.)
>
> Thanks!
> Laszlo
>
Stefan's series still applies on the current head, except the virtio_config.h
patch which isn't needed anymore.
And indeed there are a bunch of places where QEMU exits:
[greg@bahia qemu-virtio]$ git grep 'exit(1)' hw/virtio hw/*/virtio*
hw/block/virtio-blk.c: exit(1);
hw/block/virtio-blk.c: exit(1);
hw/block/virtio-blk.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/net/virtio-net.c: exit(1);
hw/scsi/virtio-scsi-dataplane.c: exit(1);
hw/scsi/virtio-scsi.c: exit(1);
hw/scsi/virtio-scsi.c: exit(1);
hw/scsi/virtio-scsi.c: exit(1);
hw/virtio/virtio.c: exit(1);
hw/virtio/virtio.c: exit(1);
hw/virtio/virtio.c: exit(1);
hw/virtio/virtio.c: exit(1);
And also even more places with assert() or BUG_ON(), some of which are
guest errors actually.
For example, in virtio-9p, we have:
static void handle_9p_output(VirtIODevice *vdev, VirtQueue *vq)
{
...
len = iov_to_buf(elem->out_sg, elem->out_num, 0,
&out, sizeof out);
BUG_ON(len != sizeof out);
...
}
The condition may only be true if the guest sent less than the expected
9P message header which is 7-byte long.
I have a patch for this based on Stefan's series BTW.
Cheers.
--
Greg
next prev parent reply other threads:[~2016-09-20 9:27 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-12 13:25 [Qemu-devel] [PATCH v3 00/10] virtio: avoid exit() when device enters invalid states Stefan Hajnoczi
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 01/10] virtio: fix stray tab character Stefan Hajnoczi
2016-09-20 11:32 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 02/10] include: update virtio_config.h Linux header Stefan Hajnoczi
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 03/10] virtio: stop virtqueue processing if device is broken Stefan Hajnoczi
2016-09-20 11:35 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 04/10] virtio: migrate vdev->broken flag Stefan Hajnoczi
2016-09-20 11:36 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 05/10] virtio: handle virtqueue_map_desc() errors Stefan Hajnoczi
2016-09-20 11:41 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 06/10] virtio: handle virtqueue_get_avail_bytes() errors Stefan Hajnoczi
2016-09-20 11:44 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 07/10] virtio: use unsigned int for virtqueue_get_avail_bytes() index Stefan Hajnoczi
2016-09-20 11:45 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 08/10] virtio: handle virtqueue_read_next_desc() errors Stefan Hajnoczi
2016-09-20 11:48 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 09/10] virtio: handle virtqueue_num_heads() errors Stefan Hajnoczi
2016-09-20 11:50 ` Cornelia Huck
2016-04-12 13:25 ` [Qemu-devel] [PATCH v3 10/10] virtio: handle virtqueue_get_head() errors Stefan Hajnoczi
2016-09-20 11:52 ` Cornelia Huck
2016-09-19 16:07 ` [Qemu-devel] [PATCH v3 00/10] virtio: avoid exit() when device enters invalid states Cornelia Huck
2016-09-19 17:51 ` Michael S. Tsirkin
2016-09-19 19:27 ` Laszlo Ersek
2016-09-20 9:26 ` Greg Kurz [this message]
2016-09-20 12:00 ` Cornelia Huck
2016-09-20 13:35 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160920112657.39cf44ab@bahia \
--to=groug@kaod.org \
--cc=cornelia.huck@de.ibm.com \
--cc=famz@redhat.com \
--cc=lersek@redhat.com \
--cc=mst@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).