Commit 7e0e736e authored Mar 20, 2015 by Jason Wang Committed by Michael S. Tsirkin Mar 25, 2015

virtio-net: validate backend queue numbers against bus limitation



We don't validate the backend queue numbers against bus limitation,
this will easily crash qemu if it exceeds the limitation which will
hit the abort() in virtio_del_queue(). An example is trying to
starting a virtio-net device with 256 queues. E.g:

./qemu-system-x86_64 -netdev tap,id=hn0,queues=256 -device
virtio-net-pci,netdev=hn0

Fixing this by doing the validation and fail early.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

parent 7976a6d2

hw/net/virtio-net.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -1588,6 +1588,13 @@ static void virtio_net_device_realize(DeviceState dev, Error *errp)
		virtio_init(vdev, "virtio-net", VIRTIO_ID_NET, n->config_size);

		n->max_queues = MAX(n->nic_conf.peers.queues, 1);
		if (n->max_queues * 2 + 1 > VIRTIO_PCI_QUEUE_MAX) {
		error_setg(errp, "Invalid number of queues (= %" PRIu32 "), "
		"must be a postive integer less than %d.",
		n->max_queues, (VIRTIO_PCI_QUEUE_MAX - 1) / 2);
		virtio_cleanup(vdev);
		return;
		}
		n->vqs = g_malloc0(sizeof(VirtIONetQueue) * n->max_queues);
		n->vqs[0].rx_vq = virtio_add_queue(vdev, 256, virtio_net_handle_rx);
		n->curr_queues = 1;