Re: [Qemu-block] [Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB
For CVE-2018-16847, I just noticed Kevin pulled in Li's previous fix (as
opposed to this one). Was this done in error?
Thanks,
-Mark
On 11/16/2018 3:31 AM, Paolo Bonzini wrote:
Because the CMB BAR has a min_access_size of 2, if you read the last
byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
error. This is CVE-2018-16847.
Another way to fix this might be to register the CMB as a RAM memory
region, which would also be more efficient. However, that might be a
change for big-endian machines; I didn't think this through and I don't
know how real hardware works. Add a basic testcase for the CMB in case
somebody does this change later on.
Cc: Keith Busch
Cc: qemu-block@nongnu.org
Cc: Li Qiang
Signed-off-by: Paolo Bonzini
---
hw/block/nvme.c| 2 +-
tests/Makefile.include | 2 +-
tests/nvme-test.c | 58 +++---
3 files changed, 57 insertions(+), 5 deletions(-)
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index 09d7c90259..5d92794ef7 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1192,7 +1192,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
.write = nvme_cmb_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.impl = {
-.min_access_size = 2,
+.min_access_size = 1,
.max_access_size = 8,
},
};
diff --git a/tests/Makefile.include b/tests/Makefile.include
index 613242bc6e..fb0b449c02 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o
tests/machine-none-test$(EXESUF): tests/machine-none-test.o
tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y)
tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y)
-tests/nvme-test$(EXESUF): tests/nvme-test.o
+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y)
tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o
tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o
tests/ac97-test$(EXESUF): tests/ac97-test.o
diff --git a/tests/nvme-test.c b/tests/nvme-test.c
index 7674a446e4..2abb3b6d19 100644
--- a/tests/nvme-test.c
+++ b/tests/nvme-test.c
@@ -8,11 +8,64 @@
*/
#include "qemu/osdep.h"
+#include "qemu/units.h"
#include "libqtest.h"
+#include "libqos/libqos-pc.h"
+
+static QOSState *qnvme_start(const char *extra_opts)
+{
+QOSState *qs;
+const char *arch = qtest_get_arch();
+const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw "
+ "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s";
+
+if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
+qs = qtest_pc_boot(cmd, extra_opts ? : "");
+global_qtest = qs->qts;
+return qs;
+}
+
+g_printerr("nvme tests are only available on x86\n");
+exit(EXIT_FAILURE);
+}
+
+static void qnvme_stop(QOSState *qs)
+{
+qtest_shutdown(qs);
+}
-/* Tests only initialization so far. TODO: Replace with functional tests */
static void nop(void)
{
+QOSState *qs;
+
+qs = qnvme_start(NULL);
+qnvme_stop(qs);
+}
+
+static void nvmetest_cmb_test(void)
+{
+const int cmb_bar_size = 2 * MiB;
+QOSState *qs;
+QPCIDevice *pdev;
+QPCIBar bar;
+
+qs = qnvme_start("-global nvme.cmb_size_mb=2");
+pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
+g_assert(pdev != NULL);
+
+qpci_device_enable(pdev);
+bar = qpci_iomap(pdev, 2, NULL);
+
+qpci_io_writel(pdev, bar, 0, 0xccbbaa99);
+g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99);
+g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99);
+
+/* Test partially out-of-bounds accesses. */
+qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211);
+g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11);
+g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211);
+g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=,
0x44332211);
+qnvme_stop(qs);
}
int main(int argc, char **argv)
@@ -21,9 +74,8 @@ int main(int argc, char **argv)
g_test_init(, , NULL);
qtest_add_func("/nvme/nop", nop);
+qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test);
-qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw "
-"-device nvme,drive=drv0,serial=foo");
ret = g_test_run();
qtest_end();
Re: [Qemu-block] [PATCH] virtio-blk: check for NULL BlockDriverState
On 1/29/2018 9:41 AM, Kevin Wolf wrote:
Am 24.01.2018 um 12:31 hat Stefan Hajnoczi geschrieben:
On Mon, Jan 22, 2018 at 09:01:49AM -0600, Mark Kanda wrote:
Add a BlockDriverState NULL check to virtio_blk_handle_request()
to prevent a segfault if the drive is forcibly removed using HMP
'drive_del' (without performing a hotplug 'device_del' first).
Signed-off-by: Mark Kanda <mark.ka...@oracle.com>
Reviewed-by: Karl Heubaum <karl.heub...@oracle.com>
Reviewed-by: Ameya More <ameya.m...@oracle.com>
---
hw/block/virtio-blk.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index b1532e4..76ddbbf 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -507,6 +507,13 @@ static int virtio_blk_handle_request(VirtIOBlockReq *req,
MultiReqBuffer *mrb)
return -1;
}
+/* If the drive was forcibly removed (e.g. HMP 'drive_del'), the block
+ * driver state may be NULL and there is nothing left to do. */
+if (!blk_bs(req->dev->blk)) {
Adding Markus Armbruster to check my understanding of drive_del:
1. If id is a node name (e.g. created via blockdev-add) then attempting
to remove the root node produces the "Node %s is in use" error. In
that case this patch isn't needed.
2. If id is a BlockBackend (e.g. created via -drive) then removing the
root node is allowed. The BlockBackend stays in place but blk->root
becomes NULL, hence this patch is needed.
Markus: What are the valid use cases for #2? If blk->bs becomes NULL I
would think a lot more code beyond virtio-blk can segfault.
blk->root = NULL is completely normal, it is what happens with removable
media when the drive is empty.
The problem, which was first reported during the 2.10 RC phase and was
worked around in IDE code then, is that Paolo's commit 99723548561 added
unconditional bdrv_inc/dec_in_flight() calls. I am pretty sure that any
segfaults that Mark is seeing have the same cause.
That's correct. The segfault I encountered was the bdrv_inc_in_flight()
call in blk_aio_prwv().
Thanks,
-Mark
We do need an in-flight counter even for those requests so that
blk_drain() works correctly, so just making the calls condition wouldn't
be right. However, this needs to become a separate counter in
BlockBackend, and the drain functions must be changed to make use of it.
I did post rough patches back then, but they weren't quite ready, and
since then they have fallen through the cracks.
Kevin
[Qemu-block] [PATCH] virtio-blk: check for NULL BlockDriverState
Add a BlockDriverState NULL check to virtio_blk_handle_request()
to prevent a segfault if the drive is forcibly removed using HMP
'drive_del' (without performing a hotplug 'device_del' first).
Signed-off-by: Mark Kanda <mark.ka...@oracle.com>
Reviewed-by: Karl Heubaum <karl.heub...@oracle.com>
Reviewed-by: Ameya More <ameya.m...@oracle.com>
---
hw/block/virtio-blk.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index b1532e4..76ddbbf 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -507,6 +507,13 @@ static int virtio_blk_handle_request(VirtIOBlockReq *req,
MultiReqBuffer *mrb)
return -1;
}
+/* If the drive was forcibly removed (e.g. HMP 'drive_del'), the block
+ * driver state may be NULL and there is nothing left to do. */
+if (!blk_bs(req->dev->blk)) {
+virtio_error(vdev, "virtio-blk BlockDriverState is NULL");
+return -1;
+}
+
/* We always touch the last byte, so just see how big in_iov is. */
req->in_len = iov_size(in_iov, in_num);
req->in = (void *)in_iov[in_num - 1].iov_base
--
1.8.3.1
[Qemu-block] [PATCH v2 0/2] virtio-blk: miscellaneous changes
v2: add check for maximum queue size [Stefan] This series is for two minor virtio-blk changes. The first patch makes the virtio-blk queue size user configurable. The second patch rejects logical block size > physical block configurations (similar to a recent change in virtio-scsi). Mark Kanda (2): virtio-blk: make queue size configurable virtio-blk: reject configs with logical block size > physical block size hw/block/virtio-blk.c | 17 - include/hw/virtio/virtio-blk.h | 1 + 2 files changed, 17 insertions(+), 1 deletion(-) -- 1.8.3.1
Re: [Qemu-block] [PATCH v2 0/2] virtio-blk: miscellaneous changes
On 12/11/2017 4:30 AM, Stefan Hajnoczi wrote: Hi Mark, Please resend as a top level email thread so the continuous integration and patch management tools will detect your patch series. Apologies. I've just resent the series. Thanks, -Mark
[Qemu-block] [PATCH v2 1/2] virtio-blk: make queue size configurable
Depending on the configuration, it can be beneficial to adjust the virtio-blk
queue size to something other than the current default of 128. Add a new
property to make the queue size configurable.
Signed-off-by: Mark Kanda <mark.ka...@oracle.com>
Reviewed-by: Karl Heubaum <karl.heub...@oracle.com>
Reviewed-by: Martin K. Petersen <martin.peter...@oracle.com>
Reviewed-by: Ameya More <ameya.m...@oracle.com>
---
hw/block/virtio-blk.c | 10 +-
include/hw/virtio/virtio-blk.h | 1 +
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 05d1440..fb59f57 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -928,6 +928,13 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
error_setg(errp, "num-queues property must be larger than 0");
return;
}
+if (!is_power_of_2(conf->queue_size) ||
+conf->queue_size > VIRTQUEUE_MAX_SIZE) {
+error_setg(errp, "invalid queue-size property (%" PRIu16 "), "
+ "must be a power of 2 (max %d)",
+ conf->queue_size, VIRTQUEUE_MAX_SIZE);
+return;
+}
blkconf_serial(>conf, >serial);
blkconf_apply_backend_options(>conf,
@@ -953,7 +960,7 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
s->sector_mask = (s->conf.conf.logical_block_size / BDRV_SECTOR_SIZE) - 1;
for (i = 0; i < conf->num_queues; i++) {
-virtio_add_queue(vdev, 128, virtio_blk_handle_output);
+virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
}
virtio_blk_data_plane_create(vdev, conf, >dataplane, );
if (err != NULL) {
@@ -1012,6 +1019,7 @@ static Property virtio_blk_properties[] = {
DEFINE_PROP_BIT("request-merging", VirtIOBlock, conf.request_merging, 0,
true),
DEFINE_PROP_UINT16("num-queues", VirtIOBlock, conf.num_queues, 1),
+DEFINE_PROP_UINT16("queue-size", VirtIOBlock, conf.queue_size, 128),
DEFINE_PROP_LINK("iothread", VirtIOBlock, conf.iothread, TYPE_IOTHREAD,
IOThread *),
DEFINE_PROP_END_OF_LIST(),
diff --git a/include/hw/virtio/virtio-blk.h b/include/hw/virtio/virtio-blk.h
index d3c8a6f..5117431 100644
--- a/include/hw/virtio/virtio-blk.h
+++ b/include/hw/virtio/virtio-blk.h
@@ -39,6 +39,7 @@ struct VirtIOBlkConf
uint32_t config_wce;
uint32_t request_merging;
uint16_t num_queues;
+uint16_t queue_size;
};
struct VirtIOBlockDataPlane;
--
1.8.3.1
[Qemu-block] [PATCH v2 2/2] virtio-blk: reject configs with logical block size > physical block size
virtio-blk logical block size should never be larger than physical block
size because it doesn't make sense to have such configurations. QEMU doesn't
have a way to effectively express this condition; the best it can do is
report the physical block exponent as 0 - indicating the logical block size
equals the physical block size.
This is identical to commit 3da023b5827543ee4c022986ea2ad9d1274410b2
but applied to virtio-blk (instead of virtio-scsi).
Signed-off-by: Mark Kanda <mark.ka...@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com>
Reviewed-by: Ameya More <ameya.m...@oracle.com>
Reviewed-by: Martin K. Petersen <martin.peter...@oracle.com>
Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
---
hw/block/virtio-blk.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index fb59f57..36c7608 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -952,6 +952,13 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
}
blkconf_blocksizes(>conf);
+if (conf->conf.logical_block_size >
+conf->conf.physical_block_size) {
+error_setg(errp,
+ "logical_block_size > physical_block_size not supported");
+return;
+}
+
virtio_init(vdev, "virtio-blk", VIRTIO_ID_BLOCK,
sizeof(struct virtio_blk_config));
--
1.8.3.1
[Qemu-block] [PATCH v2 1/2] virtio-blk: make queue size configurable
Depending on the configuration, it can be beneficial to adjust the virtio-blk
queue size to something other than the current default of 128. Add a new
property to make the queue size configurable.
Signed-off-by: Mark Kanda <mark.ka...@oracle.com>
Reviewed-by: Karl Heubaum <karl.heub...@oracle.com>
Reviewed-by: Martin K. Petersen <martin.peter...@oracle.com>
Reviewed-by: Ameya More <ameya.m...@oracle.com>
---
hw/block/virtio-blk.c | 10 +-
include/hw/virtio/virtio-blk.h | 1 +
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 05d1440..fb59f57 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -928,6 +928,13 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
error_setg(errp, "num-queues property must be larger than 0");
return;
}
+if (!is_power_of_2(conf->queue_size) ||
+conf->queue_size > VIRTQUEUE_MAX_SIZE) {
+error_setg(errp, "invalid queue-size property (%" PRIu16 "), "
+ "must be a power of 2 (max %d)",
+ conf->queue_size, VIRTQUEUE_MAX_SIZE);
+return;
+}
blkconf_serial(>conf, >serial);
blkconf_apply_backend_options(>conf,
@@ -953,7 +960,7 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
s->sector_mask = (s->conf.conf.logical_block_size / BDRV_SECTOR_SIZE) - 1;
for (i = 0; i < conf->num_queues; i++) {
-virtio_add_queue(vdev, 128, virtio_blk_handle_output);
+virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
}
virtio_blk_data_plane_create(vdev, conf, >dataplane, );
if (err != NULL) {
@@ -1012,6 +1019,7 @@ static Property virtio_blk_properties[] = {
DEFINE_PROP_BIT("request-merging", VirtIOBlock, conf.request_merging, 0,
true),
DEFINE_PROP_UINT16("num-queues", VirtIOBlock, conf.num_queues, 1),
+DEFINE_PROP_UINT16("queue-size", VirtIOBlock, conf.queue_size, 128),
DEFINE_PROP_LINK("iothread", VirtIOBlock, conf.iothread, TYPE_IOTHREAD,
IOThread *),
DEFINE_PROP_END_OF_LIST(),
diff --git a/include/hw/virtio/virtio-blk.h b/include/hw/virtio/virtio-blk.h
index d3c8a6f..5117431 100644
--- a/include/hw/virtio/virtio-blk.h
+++ b/include/hw/virtio/virtio-blk.h
@@ -39,6 +39,7 @@ struct VirtIOBlkConf
uint32_t config_wce;
uint32_t request_merging;
uint16_t num_queues;
+uint16_t queue_size;
};
struct VirtIOBlockDataPlane;
--
1.8.3.1
[Qemu-block] [PATCH v2 2/2] virtio-blk: reject configs with logical block size > physical block size
virtio-blk logical block size should never be larger than physical block
size because it doesn't make sense to have such configurations. QEMU doesn't
have a way to effectively express this condition; the best it can do is
report the physical block exponent as 0 - indicating the logical block size
equals the physical block size.
This is identical to commit 3da023b5827543ee4c022986ea2ad9d1274410b2
but applied to virtio-blk (instead of virtio-scsi).
Signed-off-by: Mark Kanda <mark.ka...@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com>
Reviewed-by: Ameya More <ameya.m...@oracle.com>
Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
---
hw/block/virtio-blk.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index fb59f57..36c7608 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -952,6 +952,13 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
}
blkconf_blocksizes(>conf);
+if (conf->conf.logical_block_size >
+conf->conf.physical_block_size) {
+error_setg(errp,
+ "logical_block_size > physical_block_size not supported");
+return;
+}
+
virtio_init(vdev, "virtio-blk", VIRTIO_ID_BLOCK,
sizeof(struct virtio_blk_config));
--
1.8.3.1
[Qemu-block] [PATCH v2 0/2] virtio-blk: miscellaneous changes
v2: add check for maximum queue size [Stefan] This series is for two minor virtio-blk changes. The first patch makes the virtio-blk queue size user configurable. The second patch rejects logical block size > physical block configurations (similar to a recent change in virtio-scsi). Mark Kanda (2): virtio-blk: make queue size configurable virtio-blk: reject configs with logical block size > physical block size hw/block/virtio-blk.c | 17 - include/hw/virtio/virtio-blk.h | 1 + 2 files changed, 17 insertions(+), 1 deletion(-) -- 1.8.3.1
[Qemu-block] [PATCH 0/2] virtio-blk: miscellaneous changes
This series is for two minor virtio-blk changes. The first patch makes the virtio-blk queue size user configurable. The second patch rejects logical block size > physical block configurations (similar to a recent change in virtio-scsi). Mark Kanda (2): virtio-blk: make queue size configurable virtio-blk: reject configs with logical block size > physical block size hw/block/virtio-blk.c | 14 +- include/hw/virtio/virtio-blk.h | 1 + 2 files changed, 14 insertions(+), 1 deletion(-) -- 1.8.3.1
[Qemu-block] [PATCH 2/2] virtio-blk: reject configs with logical block size > physical block size
virtio-blk logical block size should never be larger than physical block
size because it doesn't make sense to have such configurations. QEMU doesn't
have a way to effectively express this condition; the best it can do is
report the physical block exponent as 0 - indicating the logical block size
equals the physical block size.
This is identical to commit 3da023b5827543ee4c022986ea2ad9d1274410b2
but applied to virtio-blk (instead of virtio-scsi).
Signed-off-by: Mark Kanda <mark.ka...@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com>
Reviewed-by: Ameya More <ameya.m...@oracle.com>
---
hw/block/virtio-blk.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 002c56f..acfca78 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -949,6 +949,13 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
}
blkconf_blocksizes(>conf);
+if (conf->conf.logical_block_size >
+conf->conf.physical_block_size) {
+error_setg(errp,
+ "logical_block_size > physical_block_size not supported");
+return;
+}
+
virtio_init(vdev, "virtio-blk", VIRTIO_ID_BLOCK,
sizeof(struct virtio_blk_config));
--
1.8.3.1
[Qemu-block] [PATCH 1/2] virtio-blk: make queue size configurable
Depending on the configuration, it can be beneficial to adjust the virtio-blk
queue size to something other than the current default of 128. Add a new
property to make the queue size configurable.
Signed-off-by: Mark Kanda <mark.ka...@oracle.com>
Reviewed-by: Karl Heubaum <karl.heub...@oracle.com>
Reviewed-by: Martin K. Petersen <martin.peter...@oracle.com>
Reviewed-by: Ameya More <ameya.m...@oracle.com>
---
hw/block/virtio-blk.c | 7 ++-
include/hw/virtio/virtio-blk.h | 1 +
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 05d1440..002c56f 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -928,6 +928,10 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
error_setg(errp, "num-queues property must be larger than 0");
return;
}
+if (!is_power_of_2(conf->queue_size)) {
+error_setg(errp, "queue-size property must be a power of 2");
+return;
+}
blkconf_serial(>conf, >serial);
blkconf_apply_backend_options(>conf,
@@ -953,7 +957,7 @@ static void virtio_blk_device_realize(DeviceState *dev,
Error **errp)
s->sector_mask = (s->conf.conf.logical_block_size / BDRV_SECTOR_SIZE) - 1;
for (i = 0; i < conf->num_queues; i++) {
-virtio_add_queue(vdev, 128, virtio_blk_handle_output);
+virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
}
virtio_blk_data_plane_create(vdev, conf, >dataplane, );
if (err != NULL) {
@@ -1012,6 +1016,7 @@ static Property virtio_blk_properties[] = {
DEFINE_PROP_BIT("request-merging", VirtIOBlock, conf.request_merging, 0,
true),
DEFINE_PROP_UINT16("num-queues", VirtIOBlock, conf.num_queues, 1),
+DEFINE_PROP_UINT16("queue-size", VirtIOBlock, conf.queue_size, 128),
DEFINE_PROP_LINK("iothread", VirtIOBlock, conf.iothread, TYPE_IOTHREAD,
IOThread *),
DEFINE_PROP_END_OF_LIST(),
diff --git a/include/hw/virtio/virtio-blk.h b/include/hw/virtio/virtio-blk.h
index d3c8a6f..5117431 100644
--- a/include/hw/virtio/virtio-blk.h
+++ b/include/hw/virtio/virtio-blk.h
@@ -39,6 +39,7 @@ struct VirtIOBlkConf
uint32_t config_wce;
uint32_t request_merging;
uint16_t num_queues;
+uint16_t queue_size;
};
struct VirtIOBlockDataPlane;
--
1.8.3.1
