diff options
| author | Cornelia Huck | 2017-03-01 18:58:52 +0100 |
|---|---|---|
| committer | Michael S. Tsirkin | 2017-03-02 06:14:27 +0100 |
| commit | 34c6bf22a8d9b60c513df151aa0a791ef53bf81d (patch) | |
| tree | 588879f9c2d168f06dfa14f5c08741a3e0a584bd /hw/virtio | |
| parent | virtio: check for vring setup in virtio_queue_empty (diff) | |
| download | qemu-34c6bf22a8d9b60c513df151aa0a791ef53bf81d.tar.gz qemu-34c6bf22a8d9b60c513df151aa0a791ef53bf81d.tar.xz qemu-34c6bf22a8d9b60c513df151aa0a791ef53bf81d.zip | |
virtio: guard vring access when setting notification
Switching to vring caches exposed an existing bug in
virtio_queue_set_notification(): We can't access vring structures
if they have not been set up yet. This may happen, for example,
for virtio-blk devices with multiple queues: The code will try to
switch notifiers for every queue, but the guest may have only set up
a subset of them.
Fix this by guarding access to the vring memory by checking for
vring.desc. The first aio poll will iron out any remaining
inconsistencies for later-configured queues (buggy legacy drivers).
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'hw/virtio')
| -rw-r--r-- | hw/virtio/virtio.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index e487e36cda..bf8a644677 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -288,6 +288,10 @@ void virtio_queue_set_notification(VirtQueue *vq, int enable) { vq->notification = enable; + if (!vq->vring.desc) { + return; + } + rcu_read_lock(); if (virtio_vdev_has_feature(vq->vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vring_avail_idx(vq)); |