From patchwork Thu May 3 08:53:41 2012
X-Patchwork-Submitter: Gerd Hoffmann
X-Patchwork-Id: 156643
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Thu, 3 May 2012 10:53:41 +0200
Message-Id: <1336035226-9174-8-git-send-email-kraxel@redhat.com>
In-Reply-To: <1336035226-9174-1-git-send-email-kraxel@redhat.com>
References: <1336035226-9174-1-git-send-email-kraxel@redhat.com>
Cc: Alon Levy, Gerd Hoffmann
Subject: [Qemu-devel] [PATCH 07/12] qxl: don't abort on guest triggerable ring indices mismatch

From: Alon Levy

Signed-off-by: Alon Levy
Signed-off-by: Gerd Hoffmann
---
 hw/qxl.c | 51 +++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index b22f86e..44a4c9b 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -27,28 +27,42 @@ #include "qxl.h" +/* + * NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as + * such can be changed by the guest, so to avoid a guest trigerrable + * abort we just set qxl_guest_bug and set the return to NULL. Still + * it may happen as a result of emulator bug as well. + */ #undef SPICE_RING_PROD_ITEM -#define SPICE_RING_PROD_ITEM(r, ret) { \ +#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \ typeof(r) start = r; \ typeof(r) end = r + 1; \ uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \ typeof(&(r)->items[prod]) m_item = &(r)->items[prod]; \ if (!((uint8_t*)m_item >= (uint8_t*)(start) && (uint8_t*)(m_item + 1) <= (uint8_t*)(end))) { \ - abort(); \ + qxl_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \ + "! %p <= %p < %p", (uint8_t *)start, \ + (uint8_t *)m_item, (uint8_t *)end); \ + ret = NULL; \ + } else { \ + ret = &m_item->el; \ } \ - ret = &m_item->el; \ } #undef SPICE_RING_CONS_ITEM -#define SPICE_RING_CONS_ITEM(r, ret) { \ +#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \ typeof(r) start = r; \ typeof(r) end = r + 1; \ uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \ typeof(&(r)->items[cons]) m_item = &(r)->items[cons]; \ if (!((uint8_t*)m_item >= (uint8_t*)(start) && (uint8_t*)(m_item + 1) <= (uint8_t*)(end))) { \ - abort(); \ + qxl_guest_bug(qxl, "SPICE_RING_CONS_ITEM indices mismatch " \ + "! %p <= %p < %p", (uint8_t *)start, \ + (uint8_t *)m_item, (uint8_t *)end); \ + ret = NULL; \ + } else { \ + ret = &m_item->el; \ } \ - ret = &m_item->el; \ } #undef ALIGN @@ -343,7 +357,8 @@ static void init_qxl_ram(PCIQXLDevice *d) SPICE_RING_INIT(&d->ram->cmd_ring); SPICE_RING_INIT(&d->ram->cursor_ring); SPICE_RING_INIT(&d->ram->release_ring); - SPICE_RING_PROD_ITEM(&d->ram->release_ring, item); + SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item); + assert(item); *item = 0; qxl_ring_set_dirty(d); } 
@@ -559,8 +574,10 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext) if (SPICE_RING_IS_EMPTY(ring)) { return false; } - trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode)); - SPICE_RING_CONS_ITEM(ring, cmd); + SPICE_RING_CONS_ITEM(qxl, ring, cmd); + if (!cmd) { + return false; + } ext->cmd = *cmd; ext->group_id = MEMSLOT_GROUP_GUEST; ext->flags = qxl->cmdflags; @@ -572,6 +589,7 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext) qxl->guest_primary.commands++; qxl_track_command(qxl, ext); qxl_log_command(qxl, "cmd", ext); + trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode)); return true; default: return false; @@ -630,7 +648,10 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush) if (notify) { qxl_send_events(d, QXL_INTERRUPT_DISPLAY); } - SPICE_RING_PROD_ITEM(ring, item); + SPICE_RING_PROD_ITEM(d, ring, item); + if (!item) { + return; + } *item = 0; d->num_free_res = 0; d->last_release = NULL; @@ -656,7 +677,10 @@ static void interface_release_resource(QXLInstance *sin, * pci bar 0, $command.release_info */ ring = &qxl->ram->release_ring; - SPICE_RING_PROD_ITEM(ring, item); + SPICE_RING_PROD_ITEM(qxl, ring, item); + if (!item) { + return; + } if (*item == 0) { /* stick head into the ring */ id = ext.info->id; @@ -695,7 +719,10 @@ static int interface_get_cursor_command(QXLInstance *sin, struct QXLCommandExt * if (SPICE_RING_IS_EMPTY(ring)) { return false; } - SPICE_RING_CONS_ITEM(ring, cmd); + SPICE_RING_CONS_ITEM(qxl, ring, cmd); + if (!cmd) { + return false; + } ext->cmd = *cmd; ext->group_id = MEMSLOT_GROUP_GUEST; ext->flags = qxl->cmdflags;
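Review bot: the new SPICE_RING_PROD_ITEM and SPICE_RING_CONS_ITEM bodies in the first hunk are identical apart from `prod`/`cons` and the text inside the qxl_guest_bug message, so the bounds check now lives in two places; a single helper taking the masked index and the macro name would keep them from drifting apart. Since `ret = NULL` is now part of the macros' contract, the NOTE comment should also say that every caller must test `ret` before dereferencing it (the callers touched in this patch do). The NOTE and the Subject spell "trigerrable"; "triggerable" is intended.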
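Review bot: `assert(item);` after `SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);` in init_qxl_ram keeps an abort on a value the hunk's own NOTE describes as living in the PCI BAR and therefore guest-writable. It is very likely safe because `SPICE_RING_INIT(&d->ram->release_ring);` has just reset the indices, but that reasoning should be stated in a comment next to the assert, or the call should handle NULL the way the other callers in this patch do, so the assert pattern is not copied elsewhere later.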
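Review bot: moving `trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode));` from before the SPICE_RING_CONS_ITEM lookup to after `qxl_log_command(qxl, "cmd", ext);` changes the trace point from "command fetch attempted" to "command fetched", which the commit message does not mention and should. In the new `if (!cmd) { return false; }` path the consumer index is left untouched, so unless qxl_guest_bug stops further ring processing the same mismatch is reported on every later call into interface_get_command (and interface_get_cursor_command, which has the same early return); a one-line comment stating that qxl_guest_bug takes the device out of service would make the early return obviously correct.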
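Review bot: the early `return;` added before `*item = 0;` in qxl_push_free_res skips the reset of `d->num_free_res` and `d->last_release`, and it runs after `qxl_send_events(d, QXL_INTERRUPT_DISPLAY);` has already fired when `notify` is set. If the device keeps running after qxl_guest_bug these counters stay stale for the next flush; if it does not, say so in a comment so the skipped reset is clearly deliberate.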
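Review bot: with the new `if (!item) { return; }` in interface_release_resource the resource described by `ext.info` is neither linked into the release ring (`id = ext.info->id;` is never reached) nor recorded anywhere else, so on this path it is silently dropped. Trading that for the former abort is the right call, but the consequence (a release that is never returned to the guest once the ring index is found invalid) deserves a line in the comment above `ring = &qxl->ram->release_ring;` or in the commit message.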