Source-Changes-HG archive


[src/trunk]: src/sys/arch/xen/xen Protect xbdback(4) ring indexes from overfl...



details:   https://anonhg.NetBSD.org/src/rev/e51a9cba672c
branches:  trunk
changeset: 768688:e51a9cba672c
user:      jym <jym%NetBSD.org@localhost>
date:      Wed Aug 24 20:49:34 2011 +0000

description:
Protect xbdback(4) ring indexes from overflowing; leave the continuation
prematurely in case they do, to avoid looping "endlessly" (or at least
a very long time) at IPL_BIO while trying to handle requests.

This should not happen in a nominal scenario, but the ring can get
corrupted for whatever reason (memory errors, domU failures or
exploitation).

diffstat:

 sys/arch/xen/xen/xbdback_xenbus.c |  17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diffs (43 lines):

diff -r 8b6dc7c2326c -r e51a9cba672c sys/arch/xen/xen/xbdback_xenbus.c
--- a/sys/arch/xen/xen/xbdback_xenbus.c Wed Aug 24 20:27:35 2011 +0000
+++ b/sys/arch/xen/xen/xbdback_xenbus.c Wed Aug 24 20:49:34 2011 +0000
@@ -1,4 +1,4 @@
-/*      $NetBSD: xbdback_xenbus.c,v 1.45 2011/08/07 17:39:34 bouyer Exp $      */
+/*      $NetBSD: xbdback_xenbus.c,v 1.46 2011/08/24 20:49:34 jym Exp $      */
 
 /*
  * Copyright (c) 2006 Manuel Bouyer.
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.45 2011/08/07 17:39:34 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.46 2011/08/24 20:49:34 jym Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -954,14 +954,21 @@
 }
 
 /*
- * Increment consumer index and move on to the next request.
+ * Increment consumer index and move on to the next request. In case index
+ * leads to ring overflow, bail out.
  */
 static void *
 xbdback_co_main_incr(struct xbdback_instance *xbdi, void *obj)
 {
        (void)obj;
-       xbdi->xbdi_ring.ring_n.req_cons++;
-       xbdi->xbdi_cont = xbdback_co_main_loop;
+       blkif_back_ring_t *ring = &xbdi->xbdi_ring.ring_n;
+
+       ring->req_cons++;
+       if (RING_REQUEST_CONS_OVERFLOW(ring, ring->req_cons))
+               xbdi->xbdi_cont = NULL;
+       else
+               xbdi->xbdi_cont = xbdback_co_main_loop;
+
        return xbdi;
 }
 
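Review bot: The overflow branch in xbdback_co_main_incr() (`if (RING_REQUEST_CONS_OVERFLOW(ring, ring->req_cons))` followed by `xbdi->xbdi_cont = NULL;`) ends the continuation silently, so a corrupted ring leaves no trace in the logs. Since the commit message names memory errors, domU failures or exploitation as possible causes, a rate-limited diagnostic or an event counter on this path would make the condition visible to whoever operates the backend. The check also runs after `ring->req_cons++`, so the overflowing index stays stored in the ring; the function comment says "bail out" but should state what is expected to happen to the ring and the instance afterwards. Minor style point: the `blkif_back_ring_t *ring` declaration comes after the `(void)obj;` statement; moving it to the top of the block keeps declarations ahead of statements.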


