* [XTF] xenbus: fix xenbus_write() ring overflow
@ 2020-06-03 8:21 Pawel Wieczorkiewicz
2020-06-03 20:46 ` Andrew Cooper
0 siblings, 1 reply; 2+ messages in thread
From: Pawel Wieczorkiewicz @ 2020-06-03 8:21 UTC (permalink / raw)
To: xen-devel; +Cc: Pawel Wieczorkiewicz, julien, wipawel, andrew.cooper3
Currently the xenbus_write() does not handle ring wrapping around
correctly. When ring buffer is almost full and there is not enough
space for next packet (e.g. there is 12 bytes of space left, but the
packet header needs to transmit 16 bytes) the memcpy() goes out of the
ring buffer boundry.
Instead, the part variable should be limited to the space available in
the ring buffer, so the memcpy() can fill up the buffer, update len
variable (to indicate that there is still some data to be copied) and
thereby the xenbus_write() loop can iterate again to finish copying
the remainder of data to the beginning of the ring buffer.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
---
common/xenbus.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/common/xenbus.c b/common/xenbus.c
index 59159f2..24fff48 100644
--- a/common/xenbus.c
+++ b/common/xenbus.c
@@ -31,9 +31,7 @@ static void xenbus_write(const void *data, size_t len)
uint32_t prod = ACCESS_ONCE(xb_ring->req_prod);
uint32_t cons = ACCESS_ONCE(xb_ring->req_cons);
- uint32_t used = mask_xenbus_idx(prod - cons);
-
- part = (XENBUS_RING_SIZE - 1) - used;
+ part = (XENBUS_RING_SIZE - 1) - mask_xenbus_idx(prod - cons);
/* No space? Kick xenstored and wait for it to consume some data. */
if ( !part )
@@ -47,7 +45,7 @@ static void xenbus_write(const void *data, size_t len)
}
/* Don't overrun the ring. */
- part = min(part, XENBUS_RING_SIZE - used);
+ part = min(part, XENBUS_RING_SIZE - mask_xenbus_idx(prod));
/* Don't write more than necessary. */
part = min(part, (unsigned int)len);
--
2.16.6
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [XTF] xenbus: fix xenbus_write() ring overflow
2020-06-03 8:21 [XTF] xenbus: fix xenbus_write() ring overflow Pawel Wieczorkiewicz
@ 2020-06-03 20:46 ` Andrew Cooper
0 siblings, 0 replies; 2+ messages in thread
From: Andrew Cooper @ 2020-06-03 20:46 UTC (permalink / raw)
To: Pawel Wieczorkiewicz, xen-devel; +Cc: julien, wipawel
On 03/06/2020 09:21, Pawel Wieczorkiewicz wrote:
> Currently the xenbus_write() does not handle ring wrapping around
> correctly. When ring buffer is almost full and there is not enough
> space for next packet (e.g. there is 12 bytes of space left, but the
> packet header needs to transmit 16 bytes) the memcpy() goes out of the
> ring buffer boundry.
> Instead, the part variable should be limited to the space available in
> the ring buffer, so the memcpy() can fill up the buffer, update len
> variable (to indicate that there is still some data to be copied) and
> thereby the xenbus_write() loop can iterate again to finish copying
> the remainder of data to the beginning of the ring buffer.
>
> Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Oops. Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> and pushed.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-06-03 20:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-03 8:21 [XTF] xenbus: fix xenbus_write() ring overflow Pawel Wieczorkiewicz
2020-06-03 20:46 ` Andrew Cooper
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).