From: P J P
To: Qemu Developers
Date: Tue, 11 Dec 2018 18:56:38 +0530
Message-Id: <20181211132642.3027-2-ppandit@redhat.com>
In-Reply-To: <20181211132642.3027-1-ppandit@redhat.com>
References: <20181211132642.3027-1-ppandit@redhat.com>
Subject: [Qemu-devel] [PATCH 1/5] rdma: check that num_sge does not exceed MAX_SGE
Cc: Prasad J Pandit, Li Qiang, Yuval Shaia, Saar Amar

From: Prasad J Pandit

rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue. Add check to avoid it.

Reported-by: Saar Amar
Signed-off-by: Prasad J Pandit
--- hw/rdma/rdma_backend.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c index d7a4bbd91f..0b3b98a94c 100644 --- a/hw/rdma/rdma_backend.c +++ b/hw/rdma/rdma_backend.c @@ -311,8 +311,8 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev, } =20 pr_dbg("num_sge=3D%d\n", num_sge); - if (!num_sge) { - pr_dbg("num_sge=3D0\n"); + if (!num_sge || num_sge > MAX_SGE) { + pr_dbg("invalid num_sge=3D%d\n", num_sge); comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); return; } 
@@ -390,8 +390,8 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev, } =20 pr_dbg("num_sge=3D%d\n", num_sge); - if (!num_sge) { - pr_dbg("num_sge=3D0\n"); + if (!num_sge || num_sge > MAX_SGE) { + pr_dbg("invalid num_sge=3D%d\n", num_sge); comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); return; } --=20 2.19.2

From: P J P
To: Qemu Developers
Date: Tue, 11 Dec 2018 18:56:39 +0530
Message-Id: <20181211132642.3027-3-ppandit@redhat.com>
In-Reply-To: <20181211132642.3027-1-ppandit@redhat.com>
References: <20181211132642.3027-1-ppandit@redhat.com>
Subject: [Qemu-devel] [PATCH 2/5] pvrdma: add uar_read routine
Cc: Prasad J Pandit, Li Qiang, Yuval Shaia, Saar Amar

From: Prasad J Pandit

Define skeleton 'uar_read' routine. Avoid NULL dereference.

Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
--- hw/rdma/vmw/pvrdma_main.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index ca5fa8d981..a6211d416d 100644 --- a/hw/rdma/vmw/pvrdma_main.c +++ b/hw/rdma/vmw/pvrdma_main.c @@ -455,6 +455,11 @@ static const MemoryRegionOps regs_ops =3D { }, }; =20 +static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size) +{ + return 0; +} + static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned si= ze) { PVRDMADev *dev =3D opaque; 
@@ -496,6 +501,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64= _t val, unsigned size) } =20 static const MemoryRegionOps uar_ops =3D { + .read =3D uar_read, .write =3D uar_write, .endianness =3D DEVICE_LITTLE_ENDIAN, .impl =3D { --=20 2.19.2

From: P J P
To: Qemu Developers
Date: Tue, 11 Dec 2018 18:56:40 +0530
Message-Id: <20181211132642.3027-4-ppandit@redhat.com>
In-Reply-To: <20181211132642.3027-1-ppandit@redhat.com>
References: <20181211132642.3027-1-ppandit@redhat.com>
Subject: [Qemu-devel] [PATCH 3/5] pvrdma: check number of pages when creating rings
Cc: Prasad J Pandit, Li Qiang, Yuval Shaia, Saar Amar

From: Prasad J Pandit

When creating CQ/QP rings, an object can have up to PVRDMA_MAX_FAST_REG_PAGES=128 pages. Check 'npages' parameter to avoid excessive memory allocation or a null dereference.

Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
Reviewed-by: Yuval Shaia
--- hw/rdma/vmw/pvrdma_cmd.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index 4faeb21631..ee2888259c 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c 
@@ -273,6 +273,10 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaR= ing **ring, pr_dbg("Failed to map to CQ page table\n"); goto out; } + if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) { + pr_dbg("invalid nchunks: %d\n", nchunks); + goto out; + } =20 r =3D g_malloc(sizeof(*r)); *ring =3D r; 
@@ -389,6 +393,11 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_= t pdir_dma, pr_dbg("Failed to map to CQ page table\n"); goto out; } + if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES + || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) { + pr_dbg("invalid pages: %d, %d\n", spages, rpages); + goto out; + } =20 sr =3D g_malloc(2 * sizeof(*rr)); rr =3D &sr[1]; --=20 2.19.2

From: P J P
To: Qemu Developers
Date: Tue, 11 Dec 2018 18:56:41 +0530
Message-Id: <20181211132642.3027-5-ppandit@redhat.com>
In-Reply-To: <20181211132642.3027-1-ppandit@redhat.com>
References: <20181211132642.3027-1-ppandit@redhat.com>
Subject: [Qemu-devel] [PATCH 4/5] pvrdma: release ring object in case of an error
Cc: Prasad J Pandit, Li Qiang, Yuval Shaia, Saar Amar

From: Prasad J Pandit

create_cq and create_qp routines allocate ring object, but it's not released in case of an error, leading to memory leakage.

Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
--- hw/rdma/vmw/pvrdma_cmd.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index ee2888259c..e8d99f29fa 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c 
@@ -337,7 +337,9 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_r= eq *req, =20 resp->hdr.err =3D rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_d= ev, cmd->cqe, &resp->cq_handle, ring); - resp->cqe =3D cmd->cqe; + if (resp->hdr.err) { + g_free(ring); + } =20 out: pr_dbg("ret=3D%d\n", resp->hdr.err); 
@@ -490,6 +492,10 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_= req *req, cmd->max_send_sge, cmd->send_cq_handl= e, cmd->max_recv_wr, cmd->max_recv_sge, cmd->recv_cq_handle, rings, &resp->qp= n); + if (resp->hdr.err) { + g_free(rings); + goto out; + } =20 resp->max_send_wr =3D cmd->max_send_wr; resp->max_recv_wr =3D cmd->max_recv_wr; --=20 2.19.2

From: P J P
To: Qemu Developers
Date: Tue, 11 Dec 2018 18:56:42 +0530
Message-Id: <20181211132642.3027-6-ppandit@redhat.com>
In-Reply-To: <20181211132642.3027-1-ppandit@redhat.com>
References: <20181211132642.3027-1-ppandit@redhat.com>
Subject: [Qemu-devel] [PATCH 5/5] pvrdma: check return value from pvrdma_idx_ring_has_ routines
Cc: Prasad J Pandit, Li Qiang, Yuval Shaia, Saar Amar

From: Prasad J Pandit

pvrdma_idx_ring_has_[data/space] routines also return invalid index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check return value from these routines to avoid plausible infinite loops.

Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
Reviewed-by: Yuval Shaia
--- hw/rdma/vmw/pvrdma_dev_ring.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c index 01247fc041..61b6a0a869 100644 --- a/hw/rdma/vmw/pvrdma_dev_ring.c +++ b/hw/rdma/vmw/pvrdma_dev_ring.c 
@@ -73,6 +73,7 @@ out: =20 void *pvrdma_ring_next_elem_read(PvrdmaRing *ring) { + int e; unsigned int idx =3D 0, offset; =20 /* @@ -80,7 +81,8 @@ void *pvrdma_ring_next_elem_read(PvrdmaRing *ring) ring->ring_state->cons_head); */ =20 - if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)= ) { + e =3D pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx= ); + if (e <=3D 0) { pr_dbg("No more data in ring\n"); return NULL; } @@ -105,20 +107,24 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring) =20 void *pvrdma_ring_next_elem_write(PvrdmaRing *ring) { - unsigned int idx, offset, tail; + int idx; + unsigned int offset, tail; =20 /* pr_dbg("%s: t=3D%d, h=3D%d\n", ring->name, ring->ring_state->prod_tail, ring->ring_state->cons_head); */ - - if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tai= l)) { + idx =3D pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &= tail); + if (idx <=3D 0) { pr_dbg("CQ is full\n"); return NULL; } =20 idx =3D pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems); - /* TODO: tail =3D=3D idx */ + if (idx < 0 || tail =3D=3D idx) { + pr_dbg("invalid idx\n"); + return NULL; + } =20 offset =3D idx * ring->elem_sz; return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_= SIZE); --=20 2.19.2
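
Review bot: in patch 1/5, the new `num_sge > MAX_SGE` case in rdma_backend_post_send (and the identical change in rdma_backend_post_recv) still completes with VENDOR_ERR_NO_SGE, so a completion for "too many SGEs" is indistinguishable from one for "no SGEs". Consider a separate vendor error code for the upper-bound failure, or a comment stating that sharing the code is intentional. The hunk does not show the type of num_sge; if it is signed, a negative value passes both tests, so either compare as unsigned or add an explicit `num_sge < 0` test. The unconditional pr_dbg of num_sge just above the check now duplicates the new "invalid num_sge" message and could be dropped.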
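
Review bot: in patch 2/5, uar_read returns 0 with no comment, and the commit message says only "Avoid NULL dereference" without naming the pointer involved. The second hunk shows uar_ops previously had a .write callback and no .read; if the dereference is the missing .read handler being reached on a guest read of the UAR region, please say so in the message, and add a one-line comment in uar_read explaining why returning 0 is the right value for a read of this region. Marking the unused parameters or adding a debug trace of addr and size would also make unexpected guest reads visible.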
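
Review bot: in patch 3/5, the nchunks check in create_cq_ring is placed after the "Failed to map to CQ page table" block, so a guest-supplied count is rejected only after the mapping attempts have already succeeded; the spages/rpages check in create_qp_rings has the same ordering. If the counts are known before the mapping, validate them first so the failing path has nothing to undo; otherwise please confirm that the out label releases what was mapped and returns an error rather than a stale success code. The commit message refers to 'npages' while the code checks nchunks, spages and rpages, so the naming should be aligned, and the `%d` conversions in the new pr_dbg calls assume int although the hunks do not show the variables' types.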
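
Review bot: in patch 4/5, the create_cq hunk deletes `resp->cqe = cmd->cqe;` in the same place where it adds the error-path free, and the commit message does not mention that removal. With the line gone, a successful create_cq no longer copies the CQE count into the response. Unless that is deliberate and explained in the message, keep the assignment and add only the `if (resp->hdr.err) { g_free(ring); }` block after it.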
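
Review bot: in the create_qp hunk of patch 4/5, `g_free(rings)` releases only the array itself, while the context in patch 3/5 shows create_qp_rings reaching `sr = g_malloc(2 * sizeof(*rr))` only after the page directory and page table were mapped. If ring setup maps or allocates anything that outlives create_qp_rings, it stays live on this error path; please either call the ring teardown routine for each ring before the g_free or state in the message that nothing else is held. The same question applies to `g_free(ring)` in the create_cq hunk.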
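
Review bot: in patch 5/5, pvrdma_ring_next_elem_write now returns NULL when `tail == idx`, yet idx is computed from prod_tail and the removed `/* TODO: tail == idx */` comment reads as though the two values are expected to match. If pvrdma_idx_ring_has_space stores the producer tail index through &tail, this condition rejects every write, so please confirm what has_space writes there before turning the TODO into a failure. Separately, idx holds first the has_space return code and then the ring index, and `tail == idx` compares unsigned with int; a dedicated variable for the return code, as `e` is used in pvrdma_ring_next_elem_read, and one signedness for both operands would make these checks easier to audit.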