[1/1] s390/virtio: handle find on invalid queue gracefully
diff mbox series

Message ID 20190107123147.97038-1-pasic@linux.ibm.com
State New
Headers show
Series
  • [1/1] s390/virtio: handle find on invalid queue gracefully
Related show

Commit Message

Halil Pasic Jan. 7, 2019, 12:31 p.m. UTC
A queue with a capacity of zero is clearly not a valid virtio queue.
Some emulators report zero queue size if queried with an invalid queue
index. Instead of crashing in this case let us just return -EINVAL. To
make that work properly, let us fix the notifier cleanup logic as well.

Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
---
This patch is motivated by commit 86a5597 "virtio-balloon:
VIRTIO_BALLOON_F_FREE_PAGE_HINT" (Wei Wang, 2018-08-27) which triggered
the described scenario.  The emulator in question is the current QEMU.
The problem we run into is the underflow in the following loop
in  __vring_new_virtqueue():
for (i = 0; i < vring.num-1; i++)
	vq->vring.desc[i].next = cpu_to_virtio16(vdev, i + 1)
Namely vring.num is an unsigned int.

RFC --> v1:
* Change error code from -EINVAL to -ENOENT, so we are in line with the
other transports.
* Push down the detection of the error into virtio_ccw_read_vq_conf().
---
 drivers/s390/virtio/virtio_ccw.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Cornelia Huck Jan. 7, 2019, 3:06 p.m. UTC | #1
On Mon,  7 Jan 2019 13:31:46 +0100
Halil Pasic <pasic@linux.ibm.com> wrote:

> A queue with a capacity of zero is clearly not a valid virtio queue.
> Some emulators report zero queue size if queried with an invalid queue
> index. Instead of crashing in this case let us just return -EINVAL. To

s/-EINVAL/-ENOENT/

> make that work properly, let us fix the notifier cleanup logic as well.
> 
> Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
> ---
> This patch is motivated by commit 86a5597 "virtio-balloon:
> VIRTIO_BALLOON_F_FREE_PAGE_HINT" (Wei Wang, 2018-08-27) which triggered
> the described scenario.  The emulator in question is the current QEMU.
> The problem we run into is the underflow in the following loop
> in  __vring_new_virtqueue():
> for (i = 0; i < vring.num-1; i++)
> 	vq->vring.desc[i].next = cpu_to_virtio16(vdev, i + 1)
> Namely vring.num is an unsigned int.
> 
> RFC --> v1:
> * Change error code from -EINVAL to -ENOENT, so we are in line with the
> other transports.
> * Push down the detection of the error into virtio_ccw_read_vq_conf().
> ---
>  drivers/s390/virtio/virtio_ccw.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Thanks, applied.
Halil Pasic Jan. 7, 2019, 3:33 p.m. UTC | #2
On Mon, 7 Jan 2019 16:06:32 +0100
Cornelia Huck <cohuck@redhat.com> wrote:

> On Mon,  7 Jan 2019 13:31:46 +0100
> Halil Pasic <pasic@linux.ibm.com> wrote:
> 
> > A queue with a capacity of zero is clearly not a valid virtio queue.
> > Some emulators report zero queue size if queried with an invalid queue
> > index. Instead of crashing in this case let us just return -EINVAL. To
> 
> s/-EINVAL/-ENOENT/
> 

So I did forget something, again. :/ Thanks for spotting it!

> > make that work properly, let us fix the notifier cleanup logic as well.
> > 
> > Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
> > ---
> > This patch is motivated by commit 86a5597 "virtio-balloon:
> > VIRTIO_BALLOON_F_FREE_PAGE_HINT" (Wei Wang, 2018-08-27) which triggered
> > the described scenario.  The emulator in question is the current QEMU.
> > The problem we run into is the underflow in the following loop
> > in  __vring_new_virtqueue():
> > for (i = 0; i < vring.num-1; i++)
> > 	vq->vring.desc[i].next = cpu_to_virtio16(vdev, i + 1)
> > Namely vring.num is an unsigned int.
> > 
> > RFC --> v1:
> > * Change error code from -EINVAL to -ENOENT, so we are in line with the
> > other transports.
> > * Push down the detection of the error into virtio_ccw_read_vq_conf().
> > ---
> >  drivers/s390/virtio/virtio_ccw.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> Thanks, applied.
> 

Thanks!
Halil

Patch
diff mbox series

diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c
index fc9dbad476c0..2c6f8a5009ed 100644
--- a/drivers/s390/virtio/virtio_ccw.c
+++ b/drivers/s390/virtio/virtio_ccw.c
@@ -272,6 +272,8 @@  static void virtio_ccw_drop_indicators(struct virtio_ccw_device *vcdev)
 {
 	struct virtio_ccw_vq_info *info;
 
+	if (!vcdev->airq_info)
+		return;
 	list_for_each_entry(info, &vcdev->virtqueues, node)
 		drop_airq_indicator(info->vq, vcdev->airq_info);
 }
@@ -413,7 +415,7 @@  static int virtio_ccw_read_vq_conf(struct virtio_ccw_device *vcdev,
 	ret = ccw_io_helper(vcdev, ccw, VIRTIO_CCW_DOING_READ_VQ_CONF);
 	if (ret)
 		return ret;
-	return vcdev->config_block->num;
+	return vcdev->config_block->num ?: -ENOENT;
 }
 
 static void virtio_ccw_del_vq(struct virtqueue *vq, struct ccw1 *ccw)