qemu-s390x

From: Michael Tokarev
Subject: Re: [PULL 01/31] virtio: refresh vring region cache after updating a virtqueue size
Date: Wed, 26 Apr 2023 19:32:38 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0

25.04.2023 10:44, Michael S. Tsirkin wrote:
From: Carlos López <clopez@suse.de>

When a virtqueue size is changed by the guest via
virtio_queue_set_num(), its region cache is not automatically updated.
If the size was increased, this could lead to accessing the cache out
of bounds. For example, in vring_get_used_event():

     static inline uint16_t vring_get_used_event(VirtQueue *vq)
     {
         return vring_avail_ring(vq, vq->vring.num);
     }

     static inline uint16_t vring_avail_ring(VirtQueue *vq, int i)
     {
         VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
         hwaddr pa = offsetof(VRingAvail, ring[i]);

         if (!caches) {
             return 0;
         }

         return virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
     }

vq->vring.num will be greater than caches->avail.len, which will
trigger a failed assertion down the call path of
virtio_lduw_phys_cached().

Is it not stable-8.0 material?
Michael, you dropped this patch from your previous pullreq
for v8.0 already before...

/mjt
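To make the failure mode in the quoted commit message concrete, here is an added toy model in C. It is not QEMU code: names such as vq_cache, set_num and grow_queue are hypothetical, and the guest ring contents are constructed. It shows the used_event read going past the stale cache when num grows without a refresh, and succeeding once the cache is rebuilt after the size change.

```c
/* Added toy model (not QEMU code) of the bug described above: a virtqueue size
 * change that is not followed by a region-cache refresh. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_SLOTS 16
/* Guest-side avail ring: flags, idx, MAX_SLOTS ring entries, used_event. */
static uint16_t guest_avail[2 + MAX_SLOTS + 1];
/* Stands in for the avail region cache: len is fixed when the cache is
 * (re)built and does not track later changes to vring.num. */
struct vq_cache { const uint8_t *base; size_t len; };
struct vq { unsigned num; struct vq_cache avail; };

/* Rebuild the cache for the current size (what the fix does after set_num). */
static void vq_refresh_cache(struct vq *q)
{
    q->avail.base = (const uint8_t *)guest_avail;
    q->avail.len = (2 + (size_t)q->num + 1) * sizeof(uint16_t);
}

/* Model of virtio_lduw_phys_cached(): QEMU asserts the access fits the cache;
 * here an out-of-range read returns -1 so the caller can observe it. */
static int lduw_cached(const struct vq_cache *c, size_t pa)
{
    uint16_t v;
    if (pa + sizeof(v) > c->len) return -1;   /* the failed assertion in QEMU */
    memcpy(&v, c->base + pa, sizeof(v));
    return v;
}

/* vring_get_used_event(): reads ring[num], the slot just past the ring. */
static int get_used_event(const struct vq *q)
{
    return lduw_cached(&q->avail, (2 + (size_t)q->num) * sizeof(uint16_t));
}

/* virtio_queue_set_num(): the buggy path skips the refresh, the fix adds it. */
static int set_num(struct vq *q, unsigned num, int refresh)
{
    q->num = num;
    if (refresh) vq_refresh_cache(q);
    return get_used_event(q);
}

/* Scenario: queue sized at old_num; the guest stores used_event for new_num
 * (constructed data) and then changes the queue size to new_num. */
static int grow_queue(unsigned old_num, unsigned new_num, uint16_t used_event, int refresh)
{
    struct vq q;
    guest_avail[2 + new_num] = used_event;
    set_num(&q, old_num, 1);               /* initial size with a valid cache */
    return set_num(&q, new_num, refresh);  /* the size change under test */
}
```

Shrinking the queue without a refresh still reads inside the old, larger cache, which is why the commit message singles out the size increase.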


