Re: [PATCH] vhost: Fix bad return of descriptors to SVQ

[Jason Wang]

On Fri, Apr 1, 2022 at 2:14 AM Eugenio Pérez <eperezma@redhat.com> wrote:
>
> Only the first one of them were properly enqueued back.
>
> Fixes: 100890f7ca ("vhost: Shadow virtqueue buffers forwarding")
> Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
> ---
>  hw/virtio/vhost-shadow-virtqueue.c | 17 +++++++++++++++--
>  1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/hw/virtio/vhost-shadow-virtqueue.c 
> b/hw/virtio/vhost-shadow-virtqueue.c
> index b232803d1b..c17506df20 100644
> --- a/hw/virtio/vhost-shadow-virtqueue.c
> +++ b/hw/virtio/vhost-shadow-virtqueue.c
> @@ -333,13 +333,25 @@ static void 
> vhost_svq_disable_notification(VhostShadowVirtqueue *svq)
>      svq->vring.avail->flags |= cpu_to_le16(VRING_AVAIL_F_NO_INTERRUPT);
>  }
>
> +static uint16_t vhost_svq_last_desc_of_chain(VhostShadowVirtqueue *svq,
> +                                             uint16_t i)
> +{
> +    vring_desc_t *descs = svq->vring.desc;
> +
> +    while (le16_to_cpu(descs[i].flags) & VRING_DESC_F_NEXT) {
> +        i = le16_to_cpu(descs[i].next);


This seems to be a guest trigger-able infinite loop?

Thanks


> +    }
> +
> +    return i;
> +}
> +
>  static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
>                                             uint32_t *len)
>  {
>      vring_desc_t *descs = svq->vring.desc;
>      const vring_used_t *used = svq->vring.used;
>      vring_used_elem_t used_elem;
> -    uint16_t last_used;
> +    uint16_t last_used, last_used_chain;
>
>      if (!vhost_svq_more_used(svq)) {
>          return NULL;
> @@ -365,7 +377,8 @@ static VirtQueueElement 
> *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
>          return NULL;
>      }
>
> -    descs[used_elem.id].next = svq->free_head;
> +    last_used_chain = vhost_svq_last_desc_of_chain(svq, used_elem.id);
> +    descs[last_used_chain].next = svq->free_head;
>      svq->free_head = used_elem.id;
>
>      *len = used_elem.len;
> --
> 2.27.0
>