| Message ID | 1471613966-7267-2-git-send-email-rkagan@virtuozzo.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Fri, Aug 19, 2016 at 04:39:20PM +0300, Roman Kagan wrote: > Make sure that ->inuse counter on virtqueue never goes negative. > > This complements commit afd9096eb1882f23929f5b5c177898ed231bac66, > "virtio: error out if guest exceeds virtqueue size", which, due to > signed ->inuse comparison against unsigned ->vring.num, manifested a bug > in virtio-balloon where virtqueue_push() was called before the matching > virtqueu_pop(). [That problem will be addressed in followup patches]. > > Signed-off-by: Roman Kagan <rkagan@virtuozzo.com> > Cc: "Michael S. Tsirkin" <mst@redhat.com> > Cc: Ladi Prosek <lprosek@redhat.com> > Cc: Stefan Hajnoczi <stefanha@redhat.com> > --- > hw/virtio/virtio.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
On Tue, Aug 23, 2016 at 05:03:32PM -0400, Stefan Hajnoczi wrote: > On Fri, Aug 19, 2016 at 04:39:20PM +0300, Roman Kagan wrote: > > Make sure that ->inuse counter on virtqueue never goes negative. > > > > This complements commit afd9096eb1882f23929f5b5c177898ed231bac66, > > "virtio: error out if guest exceeds virtqueue size", which, due to > > signed ->inuse comparison against unsigned ->vring.num, manifested a bug > > in virtio-balloon where virtqueue_push() was called before the matching > > virtqueu_pop(). [That problem will be addressed in followup patches]. > > > > Signed-off-by: Roman Kagan <rkagan@virtuozzo.com> > > Cc: "Michael S. Tsirkin" <mst@redhat.com> > > Cc: Ladi Prosek <lprosek@redhat.com> > > Cc: Stefan Hajnoczi <stefanha@redhat.com> > > --- > > hw/virtio/virtio.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> I'm not merging any asserts before 2.7. Please resubmit when 2.7 is out.
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 15ee3a7..7a57857 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -92,7 +92,7 @@ struct VirtQueue uint16_t queue_index; - int inuse; + unsigned int inuse; uint16_t vector; VirtIOHandleOutput handle_output; @@ -290,6 +290,7 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, void virtqueue_flush(VirtQueue *vq, unsigned int count) { uint16_t old, new; + assert(vq->inuse >= count); /* Make sure buffer is written before we update index. */ smp_wmb(); trace_virtqueue_flush(vq, count);
Make sure that ->inuse counter on virtqueue never goes negative. This complements commit afd9096eb1882f23929f5b5c177898ed231bac66, "virtio: error out if guest exceeds virtqueue size", which, due to signed ->inuse comparison against unsigned ->vring.num, manifested a bug in virtio-balloon where virtqueue_push() was called before the matching virtqueu_pop(). [That problem will be addressed in followup patches]. Signed-off-by: Roman Kagan <rkagan@virtuozzo.com> Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Ladi Prosek <lprosek@redhat.com> Cc: Stefan Hajnoczi <stefanha@redhat.com> --- hw/virtio/virtio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)