Module Name: src
Committed By: jym
Date: Wed Aug 24 20:49:34 UTC 2011
Modified Files:
src/sys/arch/xen/xen: xbdback_xenbus.c
Log Message:
Protect xbdback(4) ring indexes from overflowing; leave the continuation
prematurely in case they do, to avoid looping "endlessly" (or at least
a very long time) at IPL_BIO while trying to handle requests.
This should not happen in a nominal scenario, but the ring can get
corrupted for whatever reason (memory errors, domU failures or
exploitation).
To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/sys/arch/xen/xen/xbdback_xenbus.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/xen/xen/xbdback_xenbus.c
diff -u src/sys/arch/xen/xen/xbdback_xenbus.c:1.45 src/sys/arch/xen/xen/xbdback_xenbus.c:1.46
--- src/sys/arch/xen/xen/xbdback_xenbus.c:1.45 Sun Aug 7 17:39:34 2011
+++ src/sys/arch/xen/xen/xbdback_xenbus.c Wed Aug 24 20:49:34 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: xbdback_xenbus.c,v 1.45 2011/08/07 17:39:34 bouyer Exp $ */
+/* $NetBSD: xbdback_xenbus.c,v 1.46 2011/08/24 20:49:34 jym Exp $ */
/*
* Copyright (c) 2006 Manuel Bouyer.
@@ -26,7 +26,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.45 2011/08/07 17:39:34 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.46 2011/08/24 20:49:34 jym Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -954,14 +954,21 @@
}
/*
- * Increment consumer index and move on to the next request.
+ * Increment consumer index and move on to the next request. In case index
+ * leads to ring overflow, bail out.
*/
static void *
xbdback_co_main_incr(struct xbdback_instance *xbdi, void *obj)
{
(void)obj;
- xbdi->xbdi_ring.ring_n.req_cons++;
- xbdi->xbdi_cont = xbdback_co_main_loop;
+ blkif_back_ring_t *ring = &xbdi->xbdi_ring.ring_n;
+
+ ring->req_cons++;
+ if (RING_REQUEST_CONS_OVERFLOW(ring, ring->req_cons))
+ xbdi->xbdi_cont = NULL;
+ else
+ xbdi->xbdi_cont = xbdback_co_main_loop;
+
return xbdi;
}
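Review bot: The new overflow branch in `xbdback_co_main_incr` sets `xbdi->xbdi_cont = NULL` without leaving any trace, so a ring corrupted by a faulty or hostile domU looks the same to the operator as a normal idle backend. I would log the event in that branch, rate-limited because the guest may be able to trigger it repeatedly, for example `printf("xbdback: request consumer index overflows the ring, request processing stopped\n");`, and include whatever identifies the instance. `req_cons` is also left at the incremented, overflowing value when the continuation is dropped. The hunk does not show what happens on the next event for this instance, so the comment above the function should say whether processing is expected to resume from that index or whether the frontend has to reconnect.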