[Stable-8.1.4 05/31] net: Update MemReentrancyGuard for NIC
From: Michael Tokarev
Subject: [Stable-8.1.4 05/31] net: Update MemReentrancyGuard for NIC
Date: Tue, 12 Dec 2023 15:17:53 +0300

From: Akihiko Odaki <akihiko.odaki@daynix.com>

Recently MemReentrancyGuard was added to DeviceState to record that the
device is engaging in I/O. The network device backend needs to update it
when delivering a packet to a device.

This implementation follows what bottom half does, but it does not add
a tracepoint for the case that the network device backend started
delivering a packet to a device which is already engaging in I/O. This
is because such reentrancy frequently happens for
qemu_flush_queued_packets() and is insignificant.

Fixes: CVE-2023-3019
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/include/net/net.h b/include/net/net.h
index a7d8deaccb..685ec58318 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -124,6 +124,7 @@ typedef QTAILQ_HEAD(NetClientStateList, NetClientState)
NetClientStateList;
typedef struct NICState {
NetClientState *ncs;
NICConf *conf;
+ MemReentrancyGuard *reentrancy_guard;
void *opaque;
bool peer_deleted;
} NICState;
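
Review bot: the new `reentrancy_guard` member of NICState carries no comment on ownership or nullability. The delivery path in net/net.c reads `reentrancy_guard->engaged_in_io` without a check, so the header should say that the pointer is supplied by the caller of qemu_new_nic(), must not be NULL, and who is responsible for its lifetime relative to the NICState.
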
diff --git a/net/net.c b/net/net.c
index 982df2479f..3523cceafc 100644
--- a/net/net.c
+++ b/net/net.c
@@ -332,6 +332,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
nic = g_malloc0(info->size + sizeof(NetClientState) * queues);
nic->ncs = (void *)nic + info->size;
nic->conf = conf;
+ nic->reentrancy_guard = reentrancy_guard,
nic->opaque = opaque;
for (i = 0; i < queues; i++) {
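
Review bot: the added line `nic->reentrancy_guard = reentrancy_guard,` ends with a comma instead of a semicolon. It compiles only because the comma operator chains it to the following `nic->opaque = opaque;`, so behaviour is unchanged, but it is a typo that will mislead readers and trip up anyone inserting a line between the two assignments. Please terminate the statement with `;`.
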
@@ -805,6 +806,7 @@ static ssize_t qemu_deliver_packet_iov(NetClientState
*sender,
int iovcnt,
void *opaque)
{
+ MemReentrancyGuard *owned_reentrancy_guard;
NetClientState *nc = opaque;
int ret;
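
Review bot: `owned_reentrancy_guard` is declared without an initializer and relies on the if/else added further down to assign it on every path before the final `if (owned_reentrancy_guard)` test. Declaring it as `MemReentrancyGuard *owned_reentrancy_guard = NULL;` would keep that test well defined if an early return or another branch is later added between the declaration and the assignment.
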
@@ -817,12 +819,24 @@ static ssize_t qemu_deliver_packet_iov(NetClientState
*sender,
return 0;
}
+ if (nc->info->type != NET_CLIENT_DRIVER_NIC ||
+ qemu_get_nic(nc)->reentrancy_guard->engaged_in_io) {
+ owned_reentrancy_guard = NULL;
+ } else {
+ owned_reentrancy_guard = qemu_get_nic(nc)->reentrancy_guard;
+ owned_reentrancy_guard->engaged_in_io = true;
+ }
+
if (nc->info->receive_iov && !(flags & QEMU_NET_PACKET_FLAG_RAW)) {
ret = nc->info->receive_iov(nc, iov, iovcnt);
} else {
ret = nc_sendv_compat(nc, iov, iovcnt, flags);
}
+ if (owned_reentrancy_guard) {
+ owned_reentrancy_guard->engaged_in_io = false;
+ }
+
if (ret == 0) {
nc->receive_disabled = 1;
}
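
Review bot: in the new condition, `qemu_get_nic(nc)->reentrancy_guard->engaged_in_io` dereferences the guard unconditionally for every NIC client, so a NIC created with a NULL guard would crash on the first delivered packet. Nothing in the visible hunks enforces non-NULL; either assert it where qemu_new_nic() stores the pointer or treat a NULL guard here like the non-NIC case. Separately, when the guard is already engaged the packet is still delivered and the flag is left alone, and the reason for that is given only in the commit message; a short comment above the `if` would keep the rationale next to the code.
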
--
2.39.2