From patchwork Wed Apr 25 09:13:21 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alon Levy X-Patchwork-Id: 154860 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id 2DAE1B6EF1 for ; Wed, 25 Apr 2012 20:02:38 +1000 (EST) Received: from localhost ([::1]:58444 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SMyJC-0001Xb-Hu for incoming@patchwork.ozlabs.org; Wed, 25 Apr 2012 05:14:46 -0400 Received: from eggs.gnu.org ([208.118.235.92]:44239) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SMyIv-00018m-6x for qemu-devel@nongnu.org; Wed, 25 Apr 2012 05:14:30 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1SMyIs-0001zA-Qn for qemu-devel@nongnu.org; Wed, 25 Apr 2012 05:14:28 -0400 Received: from mx1.redhat.com ([209.132.183.28]:47911) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SMyIs-0001wt-JN for qemu-devel@nongnu.org; Wed, 25 Apr 2012 05:14:26 -0400 Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q3P9EPG5013777 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Wed, 25 Apr 2012 05:14:25 -0400 Received: from garlic.redhat.com (vpn-202-70.tlv.redhat.com [10.35.202.70]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q3P9DVQw024620; Wed, 25 Apr 2012 05:14:17 -0400 From: Alon Levy To: qemu-devel@nongnu.org, kraxel@redhat.com Date: Wed, 25 Apr 2012 12:13:21 +0300 Message-Id: <1335345205-8908-5-git-send-email-alevy@redhat.com> In-Reply-To: <1335345205-8908-1-git-send-email-alevy@redhat.com> References: <4F967EEA.6000302@redhat.com> <1335345205-8908-1-git-send-email-alevy@redhat.com> X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11 X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 5/9] qxl: don't abort on guest trigerrable ring indices mismatch X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Signed-off-by: Alon Levy --- hw/qxl.c | 51 +++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/hw/qxl.c b/hw/qxl.c index b22f86e..44a4c9b 100644 --- a/hw/qxl.c +++ b/hw/qxl.c @@ -27,28 +27,42 @@ #include "qxl.h" +/* + * NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as + * such can be changed by the guest, so to avoid a guest trigerrable + * abort we just set qxl_guest_bug and set the return to NULL. Still + * it may happen as a result of emulator bug as well. + */ #undef SPICE_RING_PROD_ITEM -#define SPICE_RING_PROD_ITEM(r, ret) { \ +#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \ typeof(r) start = r; \ typeof(r) end = r + 1; \ uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \ typeof(&(r)->items[prod]) m_item = &(r)->items[prod]; \ if (!((uint8_t*)m_item >= (uint8_t*)(start) && (uint8_t*)(m_item + 1) <= (uint8_t*)(end))) { \ - abort(); \ + qxl_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \ + "! %p <= %p < %p", (uint8_t *)start, \ + (uint8_t *)m_item, (uint8_t *)end); \ + ret = NULL; \ + } else { \ + ret = &m_item->el; \ } \ - ret = &m_item->el; \ } #undef SPICE_RING_CONS_ITEM -#define SPICE_RING_CONS_ITEM(r, ret) { \ +#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \ typeof(r) start = r; \ typeof(r) end = r + 1; \ uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \ typeof(&(r)->items[cons]) m_item = &(r)->items[cons]; \ if (!((uint8_t*)m_item >= (uint8_t*)(start) && (uint8_t*)(m_item + 1) <= (uint8_t*)(end))) { \ - abort(); \ + qxl_guest_bug(qxl, "SPICE_RING_CONS_ITEM indices mismatch " \ + "! %p <= %p < %p", (uint8_t *)start, \ + (uint8_t *)m_item, (uint8_t *)end); \ + ret = NULL; \ + } else { \ + ret = &m_item->el; \ } \ - ret = &m_item->el; \ } #undef ALIGN @@ -343,7 +357,8 @@ static void init_qxl_ram(PCIQXLDevice *d) SPICE_RING_INIT(&d->ram->cmd_ring); SPICE_RING_INIT(&d->ram->cursor_ring); SPICE_RING_INIT(&d->ram->release_ring); - SPICE_RING_PROD_ITEM(&d->ram->release_ring, item); + SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item); + assert(item); *item = 0; qxl_ring_set_dirty(d); } @@ -559,8 +574,10 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext) if (SPICE_RING_IS_EMPTY(ring)) { return false; } - trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode)); - SPICE_RING_CONS_ITEM(ring, cmd); + SPICE_RING_CONS_ITEM(qxl, ring, cmd); + if (!cmd) { + return false; + } ext->cmd = *cmd; ext->group_id = MEMSLOT_GROUP_GUEST; ext->flags = qxl->cmdflags; @@ -572,6 +589,7 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext) qxl->guest_primary.commands++; qxl_track_command(qxl, ext); qxl_log_command(qxl, "cmd", ext); + trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode)); return true; default: return false; @@ -630,7 +648,10 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush) if (notify) { qxl_send_events(d, QXL_INTERRUPT_DISPLAY); } - SPICE_RING_PROD_ITEM(ring, item); + SPICE_RING_PROD_ITEM(d, ring, item); + if (!item) { + return; + } *item = 0; d->num_free_res = 0; d->last_release = NULL; @@ -656,7 +677,10 @@ static void interface_release_resource(QXLInstance *sin, * pci bar 0, $command.release_info */ ring = &qxl->ram->release_ring; - SPICE_RING_PROD_ITEM(ring, item); + SPICE_RING_PROD_ITEM(qxl, ring, item); + if (!item) { + return; + } if (*item == 0) { /* stick head into the ring */ id = ext.info->id; @@ -695,7 +719,10 @@ static int interface_get_cursor_command(QXLInstance *sin, struct QXLCommandExt * if (SPICE_RING_IS_EMPTY(ring)) { return false; } - SPICE_RING_CONS_ITEM(ring, cmd); + SPICE_RING_CONS_ITEM(qxl, ring, cmd); + if (!cmd) { + return false; + } ext->cmd = *cmd; ext->group_id = MEMSLOT_GROUP_GUEST; ext->flags = qxl->cmdflags;