aboutsummaryrefslogtreecommitdiff
path: root/hw
diff options
context:
space:
mode:
authorCornelia Huck <cornelia.huck@de.ibm.com>2017-03-01 18:58:52 +0100
committerMichael S. Tsirkin <mst@redhat.com>2017-03-02 07:14:27 +0200
commit34c6bf22a8d9b60c513df151aa0a791ef53bf81d (patch)
tree588879f9c2d168f06dfa14f5c08741a3e0a584bd /hw
parentdd3dd4ba7b949662d2c67a4c041549b3d79c4b0e (diff)
downloadqemu-34c6bf22a8d9b60c513df151aa0a791ef53bf81d.zip
qemu-34c6bf22a8d9b60c513df151aa0a791ef53bf81d.tar.gz
qemu-34c6bf22a8d9b60c513df151aa0a791ef53bf81d.tar.bz2
virtio: guard vring access when setting notification
Switching to vring caches exposed an existing bug in virtio_queue_set_notification(): We can't access vring structures if they have not been set up yet. This may happen, for example, for virtio-blk devices with multiple queues: The code will try to switch notifiers for every queue, but the guest may have only set up a subset of them. Fix this by guarding access to the vring memory by checking for vring.desc. The first aio poll will iron out any remaining inconsistencies for later-configured queues (buggy legacy drivers). Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'hw')
-rw-r--r--hw/virtio/virtio.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index e487e36..bf8a644 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -288,6 +288,10 @@ void virtio_queue_set_notification(VirtQueue *vq, int enable)
{
vq->notification = enable;
+ if (!vq->vring.desc) {
+ return;
+ }
+
rcu_read_lock();
if (virtio_vdev_has_feature(vq->vdev, VIRTIO_RING_F_EVENT_IDX)) {
vring_set_avail_event(vq, vring_avail_idx(vq));