* [PATCH] vhost: Fix bad return of descriptors to SVQ
@ 2022-03-31 18:14 Eugenio Pérez
2022-04-01 2:29 ` Jason Wang
0 siblings, 1 reply; 4+ messages in thread
From: Eugenio Pérez @ 2022-03-31 18:14 UTC
To: qemu-devel; +Cc: Jason Wang, Michael S. Tsirkin
Only the first one of them was properly enqueued back.
Fixes: 100890f7ca ("vhost: Shadow virtqueue buffers forwarding")
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
---
hw/virtio/vhost-shadow-virtqueue.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
index b232803d1b..c17506df20 100644
--- a/hw/virtio/vhost-shadow-virtqueue.c
+++ b/hw/virtio/vhost-shadow-virtqueue.c
@@ -333,13 +333,25 @@ static void vhost_svq_disable_notification(VhostShadowVirtqueue *svq)
svq->vring.avail->flags |= cpu_to_le16(VRING_AVAIL_F_NO_INTERRUPT);
}
+static uint16_t vhost_svq_last_desc_of_chain(VhostShadowVirtqueue *svq,
+ uint16_t i)
+{
+ vring_desc_t *descs = svq->vring.desc;
+
+ while (le16_to_cpu(descs[i].flags) & VRING_DESC_F_NEXT) {
+ i = le16_to_cpu(descs[i].next);
+ }
+
+ return i;
+}
+
static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
uint32_t *len)
{
vring_desc_t *descs = svq->vring.desc;
const vring_used_t *used = svq->vring.used;
vring_used_elem_t used_elem;
- uint16_t last_used;
+ uint16_t last_used, last_used_chain;
if (!vhost_svq_more_used(svq)) {
return NULL;
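Review bot: the walk in vhost_svq_last_desc_of_chain has no bound on either the hop count or the index it follows: `i = le16_to_cpu(descs[i].next);` is used as the next table index without being checked against svq->vring.num, and a chain whose next fields form a cycle never leaves the while loop. The shadow descriptor table is memory a misbehaving or malicious device may be able to write, so this is an out-of-bounds read or a hang of the thread calling vhost_svq_get_buf. Suggest capping the iteration count at svq->vring.num (a valid chain cannot be longer than the table), checking `i < svq->vring.num` before each dereference, and returning a value the caller can turn into an error; alternatively keep the chain length QEMU itself recorded when it wrote the chain instead of re-reading it from the ring. A short comment stating that the function returns the tail index of the chain starting at i would also help.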
@@ -365,7 +377,8 @@ static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
return NULL;
}
- descs[used_elem.id].next = svq->free_head;
+ last_used_chain = vhost_svq_last_desc_of_chain(svq, used_elem.id);
+ descs[last_used_chain].next = svq->free_head;
svq->free_head = used_elem.id;
*len = used_elem.len;
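Review bot: `descs[last_used_chain].next = svq->free_head;` stores a host-order value into a field the new helper reads through le16_to_cpu (`i = le16_to_cpu(descs[i].next);` in the hunk above), so on a big-endian host the free-list links would be read byte-swapped. Use `cpu_to_le16(svq->free_head)` here; the line being replaced had the same inconsistency, so this is the moment to fix it. The visible context also does not show used_elem.id being checked against svq->vring.num before it is passed to vhost_svq_last_desc_of_chain as a table index; if the `return NULL;` just above is that check, fine, otherwise it is needed for the same reason as the bound inside the helper.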
--
2.27.0
* Re: [PATCH] vhost: Fix bad return of descriptors to SVQ
2022-03-31 18:14 [PATCH] vhost: Fix bad return of descriptors to SVQ Eugenio Pérez
@ 2022-04-01 2:29 ` Jason Wang
2022-04-01 7:30 ` Eugenio Perez Martin
0 siblings, 1 reply; 4+ messages in thread
From: Jason Wang @ 2022-04-01 2:29 UTC
To: Eugenio Pérez; +Cc: qemu-devel, Michael S. Tsirkin
On Fri, Apr 1, 2022 at 2:14 AM Eugenio Pérez <eperezma@redhat.com> wrote:
>
> Only the first one of them was properly enqueued back.
>
> Fixes: 100890f7ca ("vhost: Shadow virtqueue buffers forwarding")
> Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
> ---
> hw/virtio/vhost-shadow-virtqueue.c | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
> index b232803d1b..c17506df20 100644
> --- a/hw/virtio/vhost-shadow-virtqueue.c
> +++ b/hw/virtio/vhost-shadow-virtqueue.c
> @@ -333,13 +333,25 @@ static void vhost_svq_disable_notification(VhostShadowVirtqueue *svq)
> svq->vring.avail->flags |= cpu_to_le16(VRING_AVAIL_F_NO_INTERRUPT);
> }
>
> +static uint16_t vhost_svq_last_desc_of_chain(VhostShadowVirtqueue *svq,
> + uint16_t i)
> +{
> + vring_desc_t *descs = svq->vring.desc;
> +
> + while (le16_to_cpu(descs[i].flags) & VRING_DESC_F_NEXT) {
> + i = le16_to_cpu(descs[i].next);
This seems to be a guest-triggerable infinite loop?
Thanks
> + }
> +
> + return i;
> +}
> +
> static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
> uint32_t *len)
> {
> vring_desc_t *descs = svq->vring.desc;
> const vring_used_t *used = svq->vring.used;
> vring_used_elem_t used_elem;
> - uint16_t last_used;
> + uint16_t last_used, last_used_chain;
>
> if (!vhost_svq_more_used(svq)) {
> return NULL;
> @@ -365,7 +377,8 @@ static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
> return NULL;
> }
>
> - descs[used_elem.id].next = svq->free_head;
> + last_used_chain = vhost_svq_last_desc_of_chain(svq, used_elem.id);
> + descs[last_used_chain].next = svq->free_head;
> svq->free_head = used_elem.id;
>
> *len = used_elem.len;
> --
> 2.27.0
>
* Re: [PATCH] vhost: Fix bad return of descriptors to SVQ
2022-04-01 2:29 ` Jason Wang
@ 2022-04-01 7:30 ` Eugenio Perez Martin
2022-04-02 1:32 ` Jason Wang
0 siblings, 1 reply; 4+ messages in thread
From: Eugenio Perez Martin @ 2022-04-01 7:30 UTC
To: Jason Wang; +Cc: qemu-devel, Michael S. Tsirkin
On Fri, Apr 1, 2022 at 4:30 AM Jason Wang <jasowang@redhat.com> wrote:
>
> On Fri, Apr 1, 2022 at 2:14 AM Eugenio Pérez <eperezma@redhat.com> wrote:
> >
> > Only the first one of them was properly enqueued back.
> >
> > Fixes: 100890f7ca ("vhost: Shadow virtqueue buffers forwarding")
> > Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
> > ---
> > hw/virtio/vhost-shadow-virtqueue.c | 17 +++++++++++++++--
> > 1 file changed, 15 insertions(+), 2 deletions(-)
> >
> > diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
> > index b232803d1b..c17506df20 100644
> > --- a/hw/virtio/vhost-shadow-virtqueue.c
> > +++ b/hw/virtio/vhost-shadow-virtqueue.c
> > @@ -333,13 +333,25 @@ static void vhost_svq_disable_notification(VhostShadowVirtqueue *svq)
> > svq->vring.avail->flags |= cpu_to_le16(VRING_AVAIL_F_NO_INTERRUPT);
> > }
> >
> > +static uint16_t vhost_svq_last_desc_of_chain(VhostShadowVirtqueue *svq,
> > + uint16_t i)
> > +{
> > + vring_desc_t *descs = svq->vring.desc;
> > +
> > + while (le16_to_cpu(descs[i].flags) & VRING_DESC_F_NEXT) {
> > + i = le16_to_cpu(descs[i].next);
>
>
> This seems to be a guest-triggerable infinite loop?
>
This is the list of the SVQ vring. We could consider an infinite loop
triggerable by the device if it can write the vring directly.
I can add a counter in the loop, or maintain an internal copy of
the vring so it's completely hardened against malicious/bad devices.
It should be done for packed vring anyway.
Thanks!
> Thanks
>
>
> > + }
> > +
> > + return i;
> > +}
> > +
> > static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
> > uint32_t *len)
> > {
> > vring_desc_t *descs = svq->vring.desc;
> > const vring_used_t *used = svq->vring.used;
> > vring_used_elem_t used_elem;
> > - uint16_t last_used;
> > + uint16_t last_used, last_used_chain;
> >
> > if (!vhost_svq_more_used(svq)) {
> > return NULL;
> > @@ -365,7 +377,8 @@ static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
> > return NULL;
> > }
> >
> > - descs[used_elem.id].next = svq->free_head;
> > + last_used_chain = vhost_svq_last_desc_of_chain(svq, used_elem.id);
> > + descs[last_used_chain].next = svq->free_head;
> > svq->free_head = used_elem.id;
> >
> > *len = used_elem.len;
> > --
> > 2.27.0
> >
>
* Re: [PATCH] vhost: Fix bad return of descriptors to SVQ
2022-04-01 7:30 ` Eugenio Perez Martin
@ 2022-04-02 1:32 ` Jason Wang
0 siblings, 0 replies; 4+ messages in thread
From: Jason Wang @ 2022-04-02 1:32 UTC
To: Eugenio Perez Martin; +Cc: qemu-devel, Michael S. Tsirkin
On Fri, Apr 1, 2022 at 3:31 PM Eugenio Perez Martin <eperezma@redhat.com> wrote:
>
> On Fri, Apr 1, 2022 at 4:30 AM Jason Wang <jasowang@redhat.com> wrote:
> >
> > On Fri, Apr 1, 2022 at 2:14 AM Eugenio Pérez <eperezma@redhat.com> wrote:
> > >
> > > Only the first one of them was properly enqueued back.
> > >
> > > Fixes: 100890f7ca ("vhost: Shadow virtqueue buffers forwarding")
> > > Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
> > > ---
> > > hw/virtio/vhost-shadow-virtqueue.c | 17 +++++++++++++++--
> > > 1 file changed, 15 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
> > > index b232803d1b..c17506df20 100644
> > > --- a/hw/virtio/vhost-shadow-virtqueue.c
> > > +++ b/hw/virtio/vhost-shadow-virtqueue.c
> > > @@ -333,13 +333,25 @@ static void vhost_svq_disable_notification(VhostShadowVirtqueue *svq)
> > > svq->vring.avail->flags |= cpu_to_le16(VRING_AVAIL_F_NO_INTERRUPT);
> > > }
> > >
> > > +static uint16_t vhost_svq_last_desc_of_chain(VhostShadowVirtqueue *svq,
> > > + uint16_t i)
> > > +{
> > > + vring_desc_t *descs = svq->vring.desc;
> > > +
> > > + while (le16_to_cpu(descs[i].flags) & VRING_DESC_F_NEXT) {
> > > + i = le16_to_cpu(descs[i].next);
> >
> >
> > This seems to be a guest-triggerable infinite loop?
> >
>
> This is the list of the SVQ vring. We could consider an infinite loop
> triggerable by the device if it can write the vring directly.
>
Ok.
> I can add a counter in the loop, or maintain an internal copy of
> the vring so it's completely hardened against malicious/bad devices.
> It should be done for packed vring anyway.
Yes, let's do that. It would be better if we don't trust the device.
Thanks
>
> Thanks!
>
> > Thanks
> >
> >
> > > + }
> > > +
> > > + return i;
> > > +}
> > > +
> > > static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
> > > uint32_t *len)
> > > {
> > > vring_desc_t *descs = svq->vring.desc;
> > > const vring_used_t *used = svq->vring.used;
> > > vring_used_elem_t used_elem;
> > > - uint16_t last_used;
> > > + uint16_t last_used, last_used_chain;
> > >
> > > if (!vhost_svq_more_used(svq)) {
> > > return NULL;
> > > @@ -365,7 +377,8 @@ static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq,
> > > return NULL;
> > > }
> > >
> > > - descs[used_elem.id].next = svq->free_head;
> > > + last_used_chain = vhost_svq_last_desc_of_chain(svq, used_elem.id);
> > > + descs[last_used_chain].next = svq->free_head;
> > > svq->free_head = used_elem.id;
> > >
> > > *len = used_elem.len;
> > > --
> > > 2.27.0
> > >
> >
>
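The bounded chain walk Eugenio proposes above (a counter in the loop, checked against the ring size) together with the whole-chain return the patch introduces, as an added example that is not part of this thread or of QEMU's code. It uses a hypothetical stand-in for the SVQ state (svq_t, with the index `num` as the free-list end sentinel), portable stand-ins for le16_to_cpu/cpu_to_le16, and a constructed 8-entry descriptor table; all function names and the scenario driver are assumptions made for the example, and the descriptor layout follows the split virtqueue format with little-endian ring fields.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Split-virtqueue descriptor (virtio 1.x); ring fields are little-endian as in
 * QEMU's vring_desc_t. Re-declared so the example stands alone. */
#define VRING_DESC_F_NEXT 1
typedef struct { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; } vring_desc_t;

/* Hypothetical stand-in for the SVQ state (not QEMU's struct): shadow table,
 * its size, and a free list linked through .next ending at sentinel index num. */
typedef struct { vring_desc_t *desc; uint16_t num; uint16_t free_head; } svq_t;

/* Portable equivalents of QEMU's le16_to_cpu / cpu_to_le16. */
static uint16_t le16_read(uint16_t v) { uint8_t b[2]; memcpy(b, &v, 2); return (uint16_t)(b[0] | (b[1] << 8)); }
static uint16_t le16_write(uint16_t v) { uint8_t b[2] = { (uint8_t)v, (uint8_t)(v >> 8) }; memcpy(&v, b, 2); return v; }

/* Bounded chain walk. A well-formed chain visits each descriptor at most once,
 * so more than num hops means a cycle, and every index read from the ring is
 * range-checked before use. Returns the tail index, or -1 for a malformed
 * chain (which a device able to write the ring can produce). */
int svq_last_desc_of_chain_checked(const svq_t *svq, uint16_t head)
{
    uint16_t i = head;
    for (uint32_t hops = 0; hops < svq->num; hops++) {
        if (i >= svq->num) return -1;                   /* index past the table */
        if (!(le16_read(svq->desc[i].flags) & VRING_DESC_F_NEXT)) return i;
        i = le16_read(svq->desc[i].next);
    }
    return -1;                                          /* more hops than descriptors: cycle */
}

/* Patched behaviour: tail.next = free_head, free_head = head, so the whole
 * chain is returned; a malformed chain is refused rather than spliced in. */
bool svq_return_chain(svq_t *svq, uint16_t head)
{
    int tail = svq_last_desc_of_chain_checked(svq, head);
    if (tail < 0) return false;
    svq->desc[tail].next = le16_write(svq->free_head);
    svq->free_head = head;
    return true;
}

/* Free-list length, bounded the same way; -1 if the list is corrupt. */
int svq_free_count(const svq_t *svq)
{
    int count = 0;
    for (uint16_t i = svq->free_head; i != svq->num; count++) {
        if (i > svq->num || count >= svq->num) return -1;
        i = le16_read(svq->desc[i].next);
    }
    return count;
}

/* Constructed 8-entry table: all descriptors free, then chain 0 -> 1 -> 2
 * popped off the list the way SVQ does when it forwards a guest buffer. */
static void svq_setup_sample(svq_t *svq, vring_desc_t *table, uint16_t num)
{
    memset(table, 0, sizeof(*table) * num);
    for (uint16_t i = 0; i < num; i++) table[i].next = le16_write((uint16_t)(i + 1));
    svq->desc = table;
    svq->num = num;
    table[0].flags = table[1].flags = le16_write(VRING_DESC_F_NEXT);
    svq->free_head = le16_read(table[2].next);          /* 3: five descriptors still free */
}

/* One scenario on a fresh table. Returns the free-list length after the
 * return, -1 if the chain was rejected, or (scenario 4) the intact chain's tail. */
int svq_scenario(int which)
{
    vring_desc_t table[8];
    svq_t svq;
    svq_setup_sample(&svq, table, 8);

    switch (which) {
    case 0:                             /* pre-patch: only the head goes back; 1 and 2 leak */
        table[0].next = le16_write(svq.free_head);
        svq.free_head = 0;
        return svq_free_count(&svq);
    case 2:                             /* device pointed the tail back at the head */
        table[2].flags = le16_write(VRING_DESC_F_NEXT);
        table[2].next = le16_write(0);
        break;
    case 3:                             /* device wrote an index past the table */
        table[2].flags = le16_write(VRING_DESC_F_NEXT);
        table[2].next = le16_write(200);
        break;
    case 4:
        return svq_last_desc_of_chain_checked(&svq, 0);
    }
    return svq_return_chain(&svq, 0) ? svq_free_count(&svq) : -1;   /* case 1: patched path */
}

int main(void)
{
    for (int s = 0; s < 5; s++) printf("scenario %d -> %d\n", s, svq_scenario(s));
    return 0;
}
```

Scenario 0 ends with 6 free descriptors (the pre-patch leak of descriptors 1 and 2), scenario 1 with all 8, and the two device-corrupted chains are rejected instead of looping or reading past the table. The hop bound is the cheap option Eugenio mentions; keeping an internal copy of the chain lengths QEMU wrote would remove the dependence on ring contents altogether, at the cost of extra per-chain state.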