From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59945) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YLDMZ-0003qf-Nb for qemu-devel@nongnu.org; Tue, 10 Feb 2015 11:08:41 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YLDMW-00079R-Ho for qemu-devel@nongnu.org; Tue, 10 Feb 2015 11:08:35 -0500 Received: from mx1.redhat.com ([209.132.183.28]:55628) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YLDMW-00079L-8w for qemu-devel@nongnu.org; Tue, 10 Feb 2015 11:08:32 -0500 Message-ID: <54DA1FA9.2060109@redhat.com> Date: Tue, 10 Feb 2015 10:11:37 -0500 From: John Snow MIME-Version: 1.0 References: <1418780167-16231-1-git-send-email-jsnow@redhat.com> <1418780167-16231-17-git-send-email-jsnow@redhat.com> <20150210095612.GA9229@stefanha-thinkpad.redhat.com> In-Reply-To: <20150210095612.GA9229@stefanha-thinkpad.redhat.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH v2 16/17] ahci: Recompute cur_cmd on migrate post load List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stefan Hajnoczi Cc: kwolf@redhat.com, mst@redhat.com, qemu-devel@nongnu.org, armbru@redhat.com, mreitz@redhat.com, stefanha@redhat.com, pbonzini@redhat.com On 02/10/2015 04:56 AM, Stefan Hajnoczi wrote: > On Tue, Dec 16, 2014 at 08:36:06PM -0500, John Snow wrote: >> When the AHCI HBA device is migrated, all of the information that >> led to the request being created is stored in the AHCIDevice >> structures, except for pointers into guest data where return >> information needs to be stored. >> >> The "cur_cmd" field is usually responsible for this. >> >> To rebuild the cur_cmd pointer post-migration, we can utilize >> the busy_slot index to figure out where the command header >> we are still processing is. >> >> This allows a machine in a halted state from rerror=stop or >> werror=stop to be migrated and resume operations without issue. >> >> Signed-off-by: John Snow >> --- >> hw/ide/ahci.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c >> index c153228..8078d3e 100644 >> --- a/hw/ide/ahci.c >> +++ b/hw/ide/ahci.c >> @@ -1373,6 +1373,10 @@ static int ahci_state_post_load(void *opaque, int version_id) >> */ >> if (ad->busy_slot == -1) { >> check_cmd(s, i); >> + } else { >> + /* We are in the middle of a command, and may need to access >> + * the command header in guest memory again. */ >> + ad->cur_cmd = &((AHCICmdHdr *)ad->lst)[ad->busy_slot]; > > Where do we check that ad->busy_slot is within ad->lst[] bounds? > > If a malicious source sends a bogus value, this patch will lead to > out-of-bounds accesses. > > Stefan > Good point. I'll recheck the series with this in mind.