[RFC PATCH 1/1] s390/virtio: handle find on invalid queue gracefully

A queue with a capacity of zero is clearly not a valid virtio queue.
Some emulators report zero queue size if queried with an invalid queue
index. Instead of crashing in this case let us just return -EINVAL. To
make that work properly, let us fix the notifier cleanup logic as well.

Signed-off-by: Halil Pasic <pasic@xxxxxxxxxxxxx>
---

This patch is motivated by commit 86a5597 "virtio-balloon:
VIRTIO_BALLOON_F_FREE_PAGE_HINT" (Wei Wang, 2018-08-27) which triggered
the described scenario.  The emulator in question is the current QEMU.
The problem we run into is the underflow in the following loop
in __vring_new_virtqueue():

	for (i = 0; i < vring.num-1; i++)
		vq->vring.desc[i].next = cpu_to_virtio16(vdev, i + 1);

Namely vring.num is an unsigned int.

RFC because I'm not sure about -EINVAL being a good choice, and about
us caring about what happens if a virtio driver misbehaves like described.

---
 drivers/s390/virtio/virtio_ccw.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c
index fc9dbad476c0..147927ed4fca 100644
--- a/drivers/s390/virtio/virtio_ccw.c
+++ b/drivers/s390/virtio/virtio_ccw.c
@@ -272,6 +272,8 @@ static void virtio_ccw_drop_indicators(struct virtio_ccw_device *vcdev)
 {
 	struct virtio_ccw_vq_info *info;
 
+	if (!vcdev->airq_info)
+		return;
 	list_for_each_entry(info, &vcdev->virtqueues, node)
 		drop_airq_indicator(info->vq, vcdev->airq_info);
 }
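Review bot: The early return on !vcdev->airq_info at the top of virtio_ccw_drop_indicators() is undocumented, and the commit message covers it only as "fix the notifier cleanup logic" without saying when airq_info can be NULL while vcdev->virtqueues is being walked. Please add a short comment above the check naming the path that reaches this function before the adapter interrupt info is set up, and leave a blank line after the return so the guard is visually separate from the list walk. Since the second hunk relies on this guard to make its new goto out_err path safe, spelling that dependency out in the commit message would also help anyone backporting only one of the two changes.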
@@ -514,6 +516,10 @@ static struct virtqueue *virtio_ccw_setup_vq(struct virtio_device *vdev,
 		err = info->num;
 		goto out_err;
 	}
+	if (info->num == 0) {
+		err = -EINVAL;
+		goto out_err;
+	}
 	size = PAGE_ALIGN(vring_size(info->num, KVM_VIRTIO_CCW_RING_ALIGN));
 	info->queue = alloc_pages_exact(size, GFP_KERNEL | __GFP_ZERO);
 	if (info->queue == NULL) {
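Review bot: The info->num == 0 branch in virtio_ccw_setup_vq() fails silently, so a device that reports a zero-sized queue yields a bare -EINVAL with nothing in the log tying it to the queue index that was asked for. Consider emitting a warning before the goto that names the queue index, and adding a one-line comment that zero is rejected here because the value feeds vring_size() on the next line and the ring setup that follows. The placement after the existing err = info->num error branch is right, since that branch already handles the failure return from the size query.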
-- 
2.16.4
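
The underflow described in the message above, as an added example that is not part of the original patch or of the kernel sources: a user-space model of the quoted loop bound and of a zero-size guard like the one the patch adds. struct desc, unguarded_oob_writes() and setup_ring() are hypothetical names, and the endianness conversion done by cpu_to_virtio16() is left out.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a vring descriptor; only the link field is modelled. */
struct desc { uint16_t next; };

/* Writes the quoted loop attempts beyond a ring of `num` descriptors.
 * `num - 1` is evaluated as unsigned int, exactly as in the loop bound. */
unsigned int unguarded_oob_writes(unsigned int num)
{
	unsigned int trips = num - 1;	/* wraps to UINT_MAX when num == 0 */

	return trips > num ? trips - num : 0;
}

/* Guarded setup: reject a zero-sized queue before any size arithmetic. */
int setup_ring(unsigned int num, struct desc **out)
{
	struct desc *d;
	unsigned int i;

	if (num == 0)
		return -EINVAL;
	d = calloc(num, sizeof(*d));
	if (!d)
		return -ENOMEM;
	for (i = 0; i < num - 1; i++)	/* safe: num >= 1 here */
		d[i].next = (uint16_t)(i + 1);	/* endian conversion omitted */
	*out = d;
	return 0;
}

int main(void)
{
	struct desc *ring = NULL;

	printf("num=0: %u out-of-bounds writes unguarded, guarded rc=%d\n",
	       unguarded_oob_writes(0), setup_ring(0, &ring));
	printf("num=8: %u out-of-bounds writes unguarded, guarded rc=%d\n",
	       unguarded_oob_writes(8), setup_ring(8, &ring));
	free(ring);
	return 0;
}
```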



