virtio-net: validate backend queue numbers against bus limitation

We don't validate the backend queue numbers against bus limitation, this will easily crash qemu if it exceeds the limitation which will hit the abort() in virtio_del_queue(). An example is trying to starting a virtio-net device with 256 queues. E.g: ./qemu-system-x86_64 -netdev tap,id=hn0,queues=256 -device virtio-net-pci,netdev=hn0 Fixing this by doing the validation and fail early. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
qemu · Mar 25, 2015 · 7e0e736 · 7e0e736
1 parent 7976a6d
commit 7e0e736
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
@@ -1588,6 +1588,13 @@ static void virtio_net_device_realize(DeviceState *dev, Error **errp)
     virtio_init(vdev, "virtio-net", VIRTIO_ID_NET, n->config_size);
 
     n->max_queues = MAX(n->nic_conf.peers.queues, 1);
+    if (n->max_queues * 2 + 1 > VIRTIO_PCI_QUEUE_MAX) {
+        error_setg(errp, "Invalid number of queues (= %" PRIu32 "), "
+                   "must be a postive integer less than %d.",
+                   n->max_queues, (VIRTIO_PCI_QUEUE_MAX - 1) / 2);
+        virtio_cleanup(vdev);
+        return;
+    }
     n->vqs = g_malloc0(sizeof(VirtIONetQueue) * n->max_queues);
     n->vqs[0].rx_vq = virtio_add_queue(vdev, 256, virtio_net_handle_rx);
     n->curr_queues = 1;