Module Name: src Committed By: jym Date: Wed Aug 24 20:49:34 UTC 2011
Modified Files: src/sys/arch/xen/xen: xbdback_xenbus.c Log Message: Protect xbdback(4) ring indexes from overflowing; leave the continuation prematurely in case they do, to avoid looping "endlessly" (or at least a very long time) at IPL_BIO while trying to handle requests. This should not happen in a nominal scenario, but the ring can get corrupted for whatever reason (memory errors, domU failures or exploitation). To generate a diff of this commit: cvs rdiff -u -r1.45 -r1.46 src/sys/arch/xen/xen/xbdback_xenbus.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/arch/xen/xen/xbdback_xenbus.c diff -u src/sys/arch/xen/xen/xbdback_xenbus.c:1.45 src/sys/arch/xen/xen/xbdback_xenbus.c:1.46 --- src/sys/arch/xen/xen/xbdback_xenbus.c:1.45 Sun Aug 7 17:39:34 2011 +++ src/sys/arch/xen/xen/xbdback_xenbus.c Wed Aug 24 20:49:34 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: xbdback_xenbus.c,v 1.45 2011/08/07 17:39:34 bouyer Exp $ */ +/* $NetBSD: xbdback_xenbus.c,v 1.46 2011/08/24 20:49:34 jym Exp $ */ /* * Copyright (c) 2006 Manuel Bouyer. @@ -26,7 +26,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.45 2011/08/07 17:39:34 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.46 2011/08/24 20:49:34 jym Exp $"); #include <sys/types.h> #include <sys/param.h> @@ -954,14 +954,21 @@ } /* - * Increment consumer index and move on to the next request. + * Increment consumer index and move on to the next request. In case index + * leads to ring overflow, bail out. */ static void * xbdback_co_main_incr(struct xbdback_instance *xbdi, void *obj) { (void)obj; - xbdi->xbdi_ring.ring_n.req_cons++; - xbdi->xbdi_cont = xbdback_co_main_loop; + blkif_back_ring_t *ring = &xbdi->xbdi_ring.ring_n; + + ring->req_cons++; + if (RING_REQUEST_CONS_OVERFLOW(ring, ring->req_cons)) + xbdi->xbdi_cont = NULL; + else + xbdi->xbdi_cont = xbdback_co_main_loop; + return xbdi; }
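Review bot: The overflow branch in xbdback_co_main_incr (`xbdi->xbdi_cont = NULL;`) stops the continuation silently, so a ring corrupted by a faulty or hostile domU leaves no trace for the dom0 operator. I would record the condition there, rate-limited because the guest controls how often it can trigger, with the instance identity and the `req_cons` and `rsp_prod_pvt` values, and add a comment on the branch such as `/* ring indexes inconsistent: frontend faulty or hostile, stop processing */`. Nothing visible in this hunk shows whether a NULL continuation marks the instance as failed or whether the next event simply re-enters the main loop with the already incremented `req_cons`; that path is outside the hunk and worth confirming. As a style point, the declaration of `ring` follows the `(void)obj;` statement and would read better moved above it.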