xen-devel.lists.xenproject.org archive mirror
* [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC
@ 2023-06-01  3:18 Akihiko Odaki
  2023-06-01  3:18 ` [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic() Akihiko Odaki
                   ` (3 more replies)
  0 siblings, 4 replies; 17+ messages in thread
From: Akihiko Odaki @ 2023-06-01  3:18 UTC (permalink / raw)
  Cc: Mauro Matteo Cascella, P J P, Alexander Bulekov, Dmitry Fleytman,
	Beniamino Galvani, Peter Maydell, Strahinja Jankovic, Jason Wang,
	Edgar E. Iglesias, Alistair Francis, Stefan Weil,
	Cédric Le Goater, Andrew Jeffery, Joel Stanley,
	Richard Henderson, Helge Deller, Sriram Yagnaraman, Thomas Huth,
	Aleksandar Rikalo, Subbaraya Sundeep, Jan Kiszka, Tyrone Ting,
	Hao Wu, Max Filippov, Jiri Pirko, Daniel Henrique Barboza,
	David Gibson, Greg Kurz, Harsh Prateek Bora, Sven Schnelle,
	Michael S. Tsirkin, Stefano Stabellini, Anthony Perard,
	Paul Durrant, Rob Herring, Gerd Hoffmann, qemu-arm, qemu-devel,
	qemu-ppc, xen-devel, Akihiko Odaki

Recently MemReentrancyGuard was added to DeviceState to record that the
device is engaging in I/O. The network device backend needs to update it
when delivering a packet to a device.

This implementation follows what the bottom half does, but it does not add
a tracepoint for the case where the network device backend started
delivering a packet to a device which is already engaging in I/O. This
is because such reentrancy frequently happens for
qemu_flush_queued_packets() and is insignificant.

This series consists of two patches. The first patch makes a bulk change to
add a new parameter to qemu_new_nic() and does not contain behavioral changes.
The second patch actually implements MemReentrancyGuard update.

V1 -> V2: Added the 'Fixes: CVE-2023-3019' tag

Akihiko Odaki (2):
  net: Provide MemReentrancyGuard * to qemu_new_nic()
  net: Update MemReentrancyGuard for NIC

 include/net/net.h             |  2 ++
 hw/net/allwinner-sun8i-emac.c |  3 ++-
 hw/net/allwinner_emac.c       |  3 ++-
 hw/net/cadence_gem.c          |  3 ++-
 hw/net/dp8393x.c              |  3 ++-
 hw/net/e1000.c                |  3 ++-
 hw/net/e1000e.c               |  2 +-
 hw/net/eepro100.c             |  4 +++-
 hw/net/etraxfs_eth.c          |  3 ++-
 hw/net/fsl_etsec/etsec.c      |  3 ++-
 hw/net/ftgmac100.c            |  3 ++-
 hw/net/i82596.c               |  2 +-
 hw/net/igb.c                  |  2 +-
 hw/net/imx_fec.c              |  2 +-
 hw/net/lan9118.c              |  3 ++-
 hw/net/mcf_fec.c              |  3 ++-
 hw/net/mipsnet.c              |  3 ++-
 hw/net/msf2-emac.c            |  3 ++-
 hw/net/mv88w8618_eth.c        |  3 ++-
 hw/net/ne2000-isa.c           |  3 ++-
 hw/net/ne2000-pci.c           |  3 ++-
 hw/net/npcm7xx_emc.c          |  3 ++-
 hw/net/opencores_eth.c        |  3 ++-
 hw/net/pcnet.c                |  3 ++-
 hw/net/rocker/rocker_fp.c     |  4 ++--
 hw/net/rtl8139.c              |  3 ++-
 hw/net/smc91c111.c            |  3 ++-
 hw/net/spapr_llan.c           |  3 ++-
 hw/net/stellaris_enet.c       |  3 ++-
 hw/net/sungem.c               |  2 +-
 hw/net/sunhme.c               |  3 ++-
 hw/net/tulip.c                |  3 ++-
 hw/net/virtio-net.c           |  6 ++++--
 hw/net/vmxnet3.c              |  2 +-
 hw/net/xen_nic.c              |  4 ++--
 hw/net/xgmac.c                |  3 ++-
 hw/net/xilinx_axienet.c       |  3 ++-
 hw/net/xilinx_ethlite.c       |  3 ++-
 hw/usb/dev-network.c          |  3 ++-
 net/net.c                     | 15 +++++++++++++++
 40 files changed, 90 insertions(+), 41 deletions(-)

-- 
2.40.1



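The scheme the cover letter describes, as an added example that is not part of this series or of QEMU: a constructed C model in which `Guard` stands in for MemReentrancyGuard, `Device` for DeviceState, a hypothetical register 0 resets the device and frees its receive buffer, a memory-dispatch stub refuses MMIO into a device whose flag is set, and a backend marks the device engaged around its receive handler the way the patch describes (take the flag only if it was clear, deliver regardless, clear it only if this call set it). The frame bytes and the reset-on-write behaviour are constructed for illustration and do not correspond to any real NIC model.

```c
/* Added example, not QEMU code: toy model of the guard scheme this series
 * extends to NICs. Guard stands in for MemReentrancyGuard, Device for
 * DeviceState; dispatch and delivery are constructed stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { bool engaged_in_io; } Guard;     /* one flag per device */

typedef struct Device Device;
struct Device {
    Guard guard;
    uint8_t *rx_buf;            /* buffer the receive path fills */
    size_t rx_len;
    Device *dma_target;         /* where the receive path's DMA lands */
    unsigned blocked_mmio;      /* MMIOs refused because the guard was set */
    unsigned reset_during_rx;   /* times a write reset us mid-receive */
};

/* Memory-layer side, with a hypothetical register handler inlined: refuse to
 * enter a device already engaged in I/O; otherwise a write to register 0
 * resets the device and frees the buffer receive may still be using. */
static bool memory_dispatch_write(Device *dev, uint64_t addr)
{
    if (dev->guard.engaged_in_io) {
        dev->blocked_mmio++;
        return false;
    }
    dev->guard.engaged_in_io = true;
    if (addr == 0) {
        free(dev->rx_buf);
        dev->rx_buf = NULL;
        dev->rx_len = 0;
    }
    dev->guard.engaged_in_io = false;
    return true;
}

/* Device receive path: copy the frame, then DMA a status word to a
 * guest-chosen address. Aimed at the device's own registers, that DMA turns
 * into an MMIO write back into this device while receive is running. */
static size_t device_receive(Device *dev, const uint8_t *frame, size_t len)
{
    if (!dev->rx_buf || len > dev->rx_len) {
        return 0;
    }
    memcpy(dev->rx_buf, frame, len);
    memory_dispatch_write(dev->dma_target, 0);    /* register 0 = reset */
    if (!dev->rx_buf) {
        dev->reset_during_rx++;   /* buffer freed underneath us: bail out */
        return 0;
    }
    return len;
}

/* Backend side, as the series describes: mark the device engaged while its
 * receive runs unless a caller up the stack already did; deliver either way
 * and only clear the flag if this call set it. */
static size_t backend_deliver(Device *dev, const uint8_t *frame, size_t len,
                              bool guard_nic)
{
    bool owned = guard_nic && !dev->guard.engaged_in_io;
    if (owned) dev->guard.engaged_in_io = true;
    size_t ret = device_receive(dev, frame, len);
    if (owned) dev->guard.engaged_in_io = false;
    return ret;
}

typedef struct { unsigned resets, blocked; bool flag_after; } Outcome;

/* One delivery to a device whose DMA target is itself. already_engaged
 * models delivery started from inside the device's own I/O, the
 * qemu_flush_queued_packets() case the cover letter mentions. */
static Outcome run_scenario(bool guard_nic, bool already_engaged)
{
    static const uint8_t frame[] = {0x01, 0x02, 0x03, 0x04};   /* constructed */
    Device dev = { .rx_len = 64 };
    dev.rx_buf = calloc(dev.rx_len, 1);
    dev.dma_target = &dev;                     /* DMA aimed at own registers */
    dev.guard.engaged_in_io = already_engaged;
    backend_deliver(&dev, frame, sizeof frame, guard_nic);
    Outcome o = { dev.reset_during_rx, dev.blocked_mmio, dev.guard.engaged_in_io };
    free(dev.rx_buf);
    return o;
}

int main(void)
{
    Outcome o = run_scenario(false, false);
    printf("unguarded: resets=%u blocked=%u\n", o.resets, o.blocked);
    o = run_scenario(true, false);
    printf("guarded:   resets=%u blocked=%u\n", o.resets, o.blocked);
    printf("nested keeps flag: %d\n", run_scenario(true, true).flag_after);
    return 0;
}
```

Without the NIC-side marking, the receive path's DMA into the device's own registers re-enters the register handler and frees the buffer that receive is still working on; with it, the memory layer sees engaged_in_io already set and refuses the access. The nested case shows why the backend must not blindly clear the flag on exit: when delivery was started from inside the device's own I/O, clearing it would re-open the window for the remainder of that handler.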

* [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2023-06-01  3:18 [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
@ 2023-06-01  3:18 ` Akihiko Odaki
  2023-06-05  8:06   ` Alexander Bulekov
  2024-04-24 10:05   ` Philippe Mathieu-Daudé
  2023-06-01  3:18 ` [PATCH v2 2/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
                   ` (2 subsequent siblings)
  3 siblings, 2 replies; 17+ messages in thread
From: Akihiko Odaki @ 2023-06-01  3:18 UTC (permalink / raw)
  Cc: Mauro Matteo Cascella, P J P, Alexander Bulekov, Dmitry Fleytman,
	Beniamino Galvani, Peter Maydell, Strahinja Jankovic, Jason Wang,
	Edgar E. Iglesias, Alistair Francis, Stefan Weil,
	Cédric Le Goater, Andrew Jeffery, Joel Stanley,
	Richard Henderson, Helge Deller, Sriram Yagnaraman, Thomas Huth,
	Aleksandar Rikalo, Subbaraya Sundeep, Jan Kiszka, Tyrone Ting,
	Hao Wu, Max Filippov, Jiri Pirko, Daniel Henrique Barboza,
	David Gibson, Greg Kurz, Harsh Prateek Bora, Sven Schnelle,
	Michael S. Tsirkin, Stefano Stabellini, Anthony Perard,
	Paul Durrant, Rob Herring, Gerd Hoffmann, qemu-arm, qemu-devel,
	qemu-ppc, xen-devel, Akihiko Odaki

Recently MemReentrancyGuard was added to DeviceState to record that the
device is engaging in I/O. The network device backend needs to update it
when delivering a packet to a device.

In preparation for such a change, add MemReentrancyGuard * as a
parameter of qemu_new_nic().

Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
---
 include/net/net.h             | 1 +
 hw/net/allwinner-sun8i-emac.c | 3 ++-
 hw/net/allwinner_emac.c       | 3 ++-
 hw/net/cadence_gem.c          | 3 ++-
 hw/net/dp8393x.c              | 3 ++-
 hw/net/e1000.c                | 3 ++-
 hw/net/e1000e.c               | 2 +-
 hw/net/eepro100.c             | 4 +++-
 hw/net/etraxfs_eth.c          | 3 ++-
 hw/net/fsl_etsec/etsec.c      | 3 ++-
 hw/net/ftgmac100.c            | 3 ++-
 hw/net/i82596.c               | 2 +-
 hw/net/igb.c                  | 2 +-
 hw/net/imx_fec.c              | 2 +-
 hw/net/lan9118.c              | 3 ++-
 hw/net/mcf_fec.c              | 3 ++-
 hw/net/mipsnet.c              | 3 ++-
 hw/net/msf2-emac.c            | 3 ++-
 hw/net/mv88w8618_eth.c        | 3 ++-
 hw/net/ne2000-isa.c           | 3 ++-
 hw/net/ne2000-pci.c           | 3 ++-
 hw/net/npcm7xx_emc.c          | 3 ++-
 hw/net/opencores_eth.c        | 3 ++-
 hw/net/pcnet.c                | 3 ++-
 hw/net/rocker/rocker_fp.c     | 4 ++--
 hw/net/rtl8139.c              | 3 ++-
 hw/net/smc91c111.c            | 3 ++-
 hw/net/spapr_llan.c           | 3 ++-
 hw/net/stellaris_enet.c       | 3 ++-
 hw/net/sungem.c               | 2 +-
 hw/net/sunhme.c               | 3 ++-
 hw/net/tulip.c                | 3 ++-
 hw/net/virtio-net.c           | 6 ++++--
 hw/net/vmxnet3.c              | 2 +-
 hw/net/xen_nic.c              | 4 ++--
 hw/net/xgmac.c                | 3 ++-
 hw/net/xilinx_axienet.c       | 3 ++-
 hw/net/xilinx_ethlite.c       | 3 ++-
 hw/usb/dev-network.c          | 3 ++-
 net/net.c                     | 1 +
 40 files changed, 75 insertions(+), 41 deletions(-)

diff --git a/include/net/net.h b/include/net/net.h
index 1448d00afb..a7d8deaccb 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -157,6 +157,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
                        NICConf *conf,
                        const char *model,
                        const char *name,
+                       MemReentrancyGuard *reentrancy_guard,
                        void *opaque);
 void qemu_del_nic(NICState *nic);
 NetClientState *qemu_get_subqueue(NICState *nic, int queue_index);
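Review bot: MemReentrancyGuard appears in the prototype but this hunk adds no #include or forward declaration for it, so include/net/net.h now depends on the qdev header that defines the type being pulled in transitively by whoever includes net.h first; add the include (or a forward typedef) so the header stays self-contained. A short doc comment on qemu_new_nic() stating that reentrancy_guard must outlive the NICState would also help, since the next patch has the backend dereference it on every delivered packet.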
diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c
index fac4405f45..cc350d40e5 100644
--- a/hw/net/allwinner-sun8i-emac.c
+++ b/hw/net/allwinner-sun8i-emac.c
@@ -824,7 +824,8 @@ static void allwinner_sun8i_emac_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_allwinner_sun8i_emac_info, &s->conf,
-                           object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
 
diff --git a/hw/net/allwinner_emac.c b/hw/net/allwinner_emac.c
index 372e5b66da..e10965de14 100644
--- a/hw/net/allwinner_emac.c
+++ b/hw/net/allwinner_emac.c
@@ -453,7 +453,8 @@ static void aw_emac_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_aw_emac_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 
     fifo8_create(&s->rx_fifo, RX_FIFO_SIZE);
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 42ea2411a2..a7bce1c120 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -1633,7 +1633,8 @@ static void gem_realize(DeviceState *dev, Error **errp)
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
 
     s->nic = qemu_new_nic(&net_gem_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
 
     if (s->jumbo_max_len > MAX_FRAME_SIZE) {
         error_setg(errp, "jumbo-max-len is greater than %d",
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 45b954e46c..abfcc6f69f 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -943,7 +943,8 @@ static void dp8393x_realize(DeviceState *dev, Error **errp)
                           "dp8393x-regs", SONIC_REG_COUNT << s->it_shift);
 
     s->nic = qemu_new_nic(&net_dp83932_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 
     s->watchdog = timer_new_ns(QEMU_CLOCK_VIRTUAL, dp8393x_watchdog, s);
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 4dc4dd7704..7581378226 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -1696,7 +1696,8 @@ static void pci_e1000_realize(PCIDevice *pci_dev, Error **errp)
                                macaddr);
 
     d->nic = qemu_new_nic(&net_e1000_info, &d->conf,
-                          object_get_typename(OBJECT(d)), dev->id, d);
+                          object_get_typename(OBJECT(d)), dev->id,
+                          &dev->mem_reentrancy_guard, d);
 
     qemu_format_nic_info_str(qemu_get_queue(d->nic), macaddr);
 
diff --git a/hw/net/e1000e.c b/hw/net/e1000e.c
index c3848797b8..e41a6c1038 100644
--- a/hw/net/e1000e.c
+++ b/hw/net/e1000e.c
@@ -320,7 +320,7 @@ e1000e_init_net_peer(E1000EState *s, PCIDevice *pci_dev, uint8_t *macaddr)
     int i;
 
     s->nic = qemu_new_nic(&net_e1000e_info, &s->conf,
-        object_get_typename(OBJECT(s)), dev->id, s);
+        object_get_typename(OBJECT(s)), dev->id, &dev->mem_reentrancy_guard, s);
 
     s->core.max_queue_num = s->conf.peers.queues ? s->conf.peers.queues - 1 : 0;
 
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index dc07984ae9..e2b03b787d 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -1874,7 +1874,9 @@ static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
     nic_reset(s);
 
     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
-                          object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
+                          object_get_typename(OBJECT(pci_dev)),
+                          pci_dev->qdev.id,
+                          &pci_dev->qdev.mem_reentrancy_guard, s);
 
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
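Review bot: `&pci_dev->qdev.mem_reentrancy_guard` reaches through the embedded qdev member, while most call sites in this patch take the guard from a DeviceState pointer as `&dev->mem_reentrancy_guard`; `&DEVICE(pci_dev)->mem_reentrancy_guard` would be consistent with them and would shorten the three-line argument list. The same direct `->qdev.` access recurs in the ne2000-pci, tulip, spapr_llan and dev-network hunks.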
diff --git a/hw/net/etraxfs_eth.c b/hw/net/etraxfs_eth.c
index 1b82aec794..ba57a978d1 100644
--- a/hw/net/etraxfs_eth.c
+++ b/hw/net/etraxfs_eth.c
@@ -618,7 +618,8 @@ static void etraxfs_eth_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_etraxfs_info, &s->conf,
-                          object_get_typename(OBJECT(s)), dev->id, s);
+                          object_get_typename(OBJECT(s)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 
     s->phy.read = tdk_read;
diff --git a/hw/net/fsl_etsec/etsec.c b/hw/net/fsl_etsec/etsec.c
index 798ea33d08..00315f305d 100644
--- a/hw/net/fsl_etsec/etsec.c
+++ b/hw/net/fsl_etsec/etsec.c
@@ -391,7 +391,8 @@ static void etsec_realize(DeviceState *dev, Error **errp)
     eTSEC        *etsec = ETSEC_COMMON(dev);
 
     etsec->nic = qemu_new_nic(&net_etsec_info, &etsec->conf,
-                              object_get_typename(OBJECT(dev)), dev->id, etsec);
+                              object_get_typename(OBJECT(dev)), dev->id,
+                              &dev->mem_reentrancy_guard, etsec);
     qemu_format_nic_info_str(qemu_get_queue(etsec->nic), etsec->conf.macaddr.a);
 
     etsec->ptimer = ptimer_init(etsec_timer_hit, etsec, PTIMER_POLICY_LEGACY);
diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
index d3bf14be53..be2cf63c08 100644
--- a/hw/net/ftgmac100.c
+++ b/hw/net/ftgmac100.c
@@ -1118,7 +1118,8 @@ static void ftgmac100_realize(DeviceState *dev, Error **errp)
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
 
     s->nic = qemu_new_nic(&net_ftgmac100_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
 
diff --git a/hw/net/i82596.c b/hw/net/i82596.c
index ec21e2699a..dc64246f75 100644
--- a/hw/net/i82596.c
+++ b/hw/net/i82596.c
@@ -743,7 +743,7 @@ void i82596_common_init(DeviceState *dev, I82596State *s, NetClientInfo *info)
         qemu_macaddr_default_if_unset(&s->conf.macaddr);
     }
     s->nic = qemu_new_nic(info, &s->conf, object_get_typename(OBJECT(dev)),
-                dev->id, s);
+                dev->id, &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 
     if (USE_TIMER) {
diff --git a/hw/net/igb.c b/hw/net/igb.c
index 1c989d7677..141bc56d79 100644
--- a/hw/net/igb.c
+++ b/hw/net/igb.c
@@ -315,7 +315,7 @@ igb_init_net_peer(IGBState *s, PCIDevice *pci_dev, uint8_t *macaddr)
     int i;
 
     s->nic = qemu_new_nic(&net_igb_info, &s->conf,
-        object_get_typename(OBJECT(s)), dev->id, s);
+        object_get_typename(OBJECT(s)), dev->id, &dev->mem_reentrancy_guard, s);
 
     s->core.max_queue_num = s->conf.peers.queues ? s->conf.peers.queues - 1 : 0;
 
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 5d1f1f104c..6881e3e4f0 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -1334,7 +1334,7 @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
 
     s->nic = qemu_new_nic(&imx_eth_net_info, &s->conf,
                           object_get_typename(OBJECT(dev)),
-                          dev->id, s);
+                          dev->id, &dev->mem_reentrancy_guard, s);
 
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index e5c4af182d..cf7b8c897a 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -1361,7 +1361,8 @@ static void lan9118_realize(DeviceState *dev, Error **errp)
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
 
     s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
     s->eeprom[0] = 0xa5;
     for (i = 0; i < 6; i++) {
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 8aa27bd322..57dd49abea 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -643,7 +643,8 @@ static void mcf_fec_realize(DeviceState *dev, Error **errp)
     mcf_fec_state *s = MCF_FEC_NET(dev);
 
     s->nic = qemu_new_nic(&net_mcf_fec_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
 
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
index 2ade72dea0..8e925de867 100644
--- a/hw/net/mipsnet.c
+++ b/hw/net/mipsnet.c
@@ -255,7 +255,8 @@ static void mipsnet_realize(DeviceState *dev, Error **errp)
     sysbus_init_irq(sbd, &s->irq);
 
     s->nic = qemu_new_nic(&net_mipsnet_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
 
diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
index db3a04deb1..145a5e46ab 100644
--- a/hw/net/msf2-emac.c
+++ b/hw/net/msf2-emac.c
@@ -530,7 +530,8 @@ static void msf2_emac_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_msf2_emac_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
 
diff --git a/hw/net/mv88w8618_eth.c b/hw/net/mv88w8618_eth.c
index ef30b0d4a6..2185f1131a 100644
--- a/hw/net/mv88w8618_eth.c
+++ b/hw/net/mv88w8618_eth.c
@@ -350,7 +350,8 @@ static void mv88w8618_eth_realize(DeviceState *dev, Error **errp)
 
     address_space_init(&s->dma_as, s->dma_mr, "emac-dma");
     s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
 }
 
 static const VMStateDescription mv88w8618_eth_vmsd = {
diff --git a/hw/net/ne2000-isa.c b/hw/net/ne2000-isa.c
index 6ced6775ff..a79f7fad1f 100644
--- a/hw/net/ne2000-isa.c
+++ b/hw/net/ne2000-isa.c
@@ -74,7 +74,8 @@ static void isa_ne2000_realizefn(DeviceState *dev, Error **errp)
     ne2000_reset(s);
 
     s->nic = qemu_new_nic(&net_ne2000_isa_info, &s->c,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->c.macaddr.a);
 }
 
diff --git a/hw/net/ne2000-pci.c b/hw/net/ne2000-pci.c
index edc6689d33..fee93c6ec0 100644
--- a/hw/net/ne2000-pci.c
+++ b/hw/net/ne2000-pci.c
@@ -71,7 +71,8 @@ static void pci_ne2000_realize(PCIDevice *pci_dev, Error **errp)
 
     s->nic = qemu_new_nic(&net_ne2000_info, &s->c,
                           object_get_typename(OBJECT(pci_dev)),
-                          pci_dev->qdev.id, s);
+                          pci_dev->qdev.id,
+                          &pci_dev->qdev.mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->c.macaddr.a);
 }
 
diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
index 8156f701b0..1d4e8f59f3 100644
--- a/hw/net/npcm7xx_emc.c
+++ b/hw/net/npcm7xx_emc.c
@@ -821,7 +821,8 @@ static void npcm7xx_emc_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&emc->conf.macaddr);
     emc->nic = qemu_new_nic(&net_npcm7xx_emc_info, &emc->conf,
-                            object_get_typename(OBJECT(dev)), dev->id, emc);
+                            object_get_typename(OBJECT(dev)), dev->id,
+                            &dev->mem_reentrancy_guard, emc);
     qemu_format_nic_info_str(qemu_get_queue(emc->nic), emc->conf.macaddr.a);
 }
 
diff --git a/hw/net/opencores_eth.c b/hw/net/opencores_eth.c
index 0b3dc3146e..f96d6ea2cc 100644
--- a/hw/net/opencores_eth.c
+++ b/hw/net/opencores_eth.c
@@ -732,7 +732,8 @@ static void sysbus_open_eth_realize(DeviceState *dev, Error **errp)
     sysbus_init_irq(sbd, &s->irq);
 
     s->nic = qemu_new_nic(&net_open_eth_info, &s->conf,
-                          object_get_typename(OBJECT(s)), dev->id, s);
+                          object_get_typename(OBJECT(s)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
 }
 
 static void qdev_open_eth_reset(DeviceState *dev)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index d456094575..1627f6939c 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1718,7 +1718,8 @@ void pcnet_common_init(DeviceState *dev, PCNetState *s, NetClientInfo *info)
     s->poll_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, pcnet_poll_timer, s);
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
-    s->nic = qemu_new_nic(info, &s->conf, object_get_typename(OBJECT(dev)), dev->id, s);
+    s->nic = qemu_new_nic(info, &s->conf, object_get_typename(OBJECT(dev)),
+                          dev->id, &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 
     /* Initialize the PROM */
diff --git a/hw/net/rocker/rocker_fp.c b/hw/net/rocker/rocker_fp.c
index cbeed65bd5..0d21948ada 100644
--- a/hw/net/rocker/rocker_fp.c
+++ b/hw/net/rocker/rocker_fp.c
@@ -241,8 +241,8 @@ FpPort *fp_port_alloc(Rocker *r, char *sw_name,
     port->conf.bootindex = -1;
     port->conf.peers = *peers;
 
-    port->nic = qemu_new_nic(&fp_port_info, &port->conf,
-                             sw_name, NULL, port);
+    port->nic = qemu_new_nic(&fp_port_info, &port->conf, sw_name, NULL,
+                             &DEVICE(r)->mem_reentrancy_guard, port);
     qemu_format_nic_info_str(qemu_get_queue(port->nic),
                              port->conf.macaddr.a);
 
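Review bot: every front-panel port allocated through fp_port_alloc() is handed the single guard of the Rocker DeviceState (`&DEVICE(r)->mem_reentrancy_guard`), so a packet delivered to one port while the switch is engaged in I/O on another port will find the guard already set. That follows the one-guard-per-DeviceState model, but this is the only place in the patch where several NICState instances share a guard, so a one-line comment at the call site saying that is intentional would save the next reader from wondering whether a per-port guard was meant.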
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 5a5aaf868d..f4df03af71 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -3397,7 +3397,8 @@ static void pci_rtl8139_realize(PCIDevice *dev, Error **errp)
     s->eeprom.contents[9] = s->conf.macaddr.a[4] | s->conf.macaddr.a[5] << 8;
 
     s->nic = qemu_new_nic(&net_rtl8139_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), d->id, s);
+                          object_get_typename(OBJECT(dev)), d->id,
+                          &d->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 
     s->cplus_txbuffer = NULL;
diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index ad778cd8fc..4eda971ef3 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -783,7 +783,8 @@ static void smc91c111_realize(DeviceState *dev, Error **errp)
     sysbus_init_irq(sbd, &s->irq);
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_smc91c111_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
     /* ??? Save/restore.  */
 }
diff --git a/hw/net/spapr_llan.c b/hw/net/spapr_llan.c
index a6876a936d..475d5f3a34 100644
--- a/hw/net/spapr_llan.c
+++ b/hw/net/spapr_llan.c
@@ -325,7 +325,8 @@ static void spapr_vlan_realize(SpaprVioDevice *sdev, Error **errp)
     memcpy(&dev->perm_mac.a, &dev->nicconf.macaddr.a, sizeof(dev->perm_mac.a));
 
     dev->nic = qemu_new_nic(&net_spapr_vlan_info, &dev->nicconf,
-                            object_get_typename(OBJECT(sdev)), sdev->qdev.id, dev);
+                            object_get_typename(OBJECT(sdev)), sdev->qdev.id,
+                            &sdev->qdev.mem_reentrancy_guard, dev);
     qemu_format_nic_info_str(qemu_get_queue(dev->nic), dev->nicconf.macaddr.a);
 
     dev->rxp_timer = timer_new_us(QEMU_CLOCK_VIRTUAL, spapr_vlan_flush_rx_queue,
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 8dd60783d8..6768a6912f 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -492,7 +492,8 @@ static void stellaris_enet_realize(DeviceState *dev, Error **errp)
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
 
     s->nic = qemu_new_nic(&net_stellaris_enet_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
 
diff --git a/hw/net/sungem.c b/hw/net/sungem.c
index eb01520790..347ccdd19d 100644
--- a/hw/net/sungem.c
+++ b/hw/net/sungem.c
@@ -1361,7 +1361,7 @@ static void sungem_realize(PCIDevice *pci_dev, Error **errp)
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_sungem_info, &s->conf,
                           object_get_typename(OBJECT(dev)),
-                          dev->id, s);
+                          dev->id, &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic),
                              s->conf.macaddr.a);
 }
diff --git a/hw/net/sunhme.c b/hw/net/sunhme.c
index 1f3d8011ae..82e38a428a 100644
--- a/hw/net/sunhme.c
+++ b/hw/net/sunhme.c
@@ -892,7 +892,8 @@ static void sunhme_realize(PCIDevice *pci_dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_sunhme_info, &s->conf,
-                          object_get_typename(OBJECT(d)), d->id, s);
+                          object_get_typename(OBJECT(d)), d->id,
+                          &d->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
 
diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 915e5fb595..1f8e45de5e 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -983,7 +983,8 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
 
     s->nic = qemu_new_nic(&net_tulip_info, &s->c,
                           object_get_typename(OBJECT(pci_dev)),
-                          pci_dev->qdev.id, s);
+                          pci_dev->qdev.id,
+                          &pci_dev->qdev.mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->c.macaddr.a);
 }
 
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index ed9f240bfd..9728158b72 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -3696,10 +3696,12 @@ static void virtio_net_device_realize(DeviceState *dev, Error **errp)
          * Happen when virtio_net_set_netclient_name has been called.
          */
         n->nic = qemu_new_nic(&net_virtio_info, &n->nic_conf,
-                              n->netclient_type, n->netclient_name, n);
+                              n->netclient_type, n->netclient_name,
+                              &dev->mem_reentrancy_guard, n);
     } else {
         n->nic = qemu_new_nic(&net_virtio_info, &n->nic_conf,
-                              object_get_typename(OBJECT(dev)), dev->id, n);
+                              object_get_typename(OBJECT(dev)), dev->id,
+                              &dev->mem_reentrancy_guard, n);
     }
 
     for (i = 0; i < n->max_queue_pairs; i++) {
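Review bot: the two branches now differ only in the model and name arguments yet duplicate the whole qemu_new_nic() call, including the new `&dev->mem_reentrancy_guard`; picking model and name into two locals before a single qemu_new_nic() call would keep the next signature change to one site in this file.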
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 18b9edfdb2..5051818fe4 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -2083,7 +2083,7 @@ static void vmxnet3_net_init(VMXNET3State *s)
 
     s->nic = qemu_new_nic(&net_vmxnet3_info, &s->conf,
                           object_get_typename(OBJECT(s)),
-                          d->id, s);
+                          d->id, &d->mem_reentrancy_guard, s);
 
     s->peer_has_vhdr = vmxnet3_peer_has_vnet_hdr(s);
     s->tx_sop = true;
diff --git a/hw/net/xen_nic.c b/hw/net/xen_nic.c
index 9bbf6599fc..e735f79c5b 100644
--- a/hw/net/xen_nic.c
+++ b/hw/net/xen_nic.c
@@ -293,8 +293,8 @@ static int net_init(struct XenLegacyDevice *xendev)
         return -1;
     }
 
-    netdev->nic = qemu_new_nic(&net_xen_info, &netdev->conf,
-                               "xen", NULL, netdev);
+    netdev->nic = qemu_new_nic(&net_xen_info, &netdev->conf, "xen", NULL,
+                               &xendev->qdev.mem_reentrancy_guard, netdev);
 
     qemu_set_info_str(qemu_get_queue(netdev->nic),
                       "nic: xenbus vif macaddr=%s", netdev->mac);
diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
index 0ab6ae91aa..1f4f277d84 100644
--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
@@ -402,7 +402,8 @@ static void xgmac_enet_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_xgmac_enet_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 
     s->regs[XGMAC_ADDR_HIGH(0)] = (s->conf.macaddr.a[5] << 8) |
diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c
index 5b19a01eaa..7d1fd37b4a 100644
--- a/hw/net/xilinx_axienet.c
+++ b/hw/net/xilinx_axienet.c
@@ -967,7 +967,8 @@ static void xilinx_enet_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_xilinx_enet_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 
     tdk_init(&s->TEMAC.phy);
diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 89f4f3b254..989afaf037 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -235,7 +235,8 @@ static void xilinx_ethlite_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_xilinx_ethlite_info, &s->conf,
-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
 }
 
diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
index 5fff487ee5..2c33e36cad 100644
--- a/hw/usb/dev-network.c
+++ b/hw/usb/dev-network.c
@@ -1386,7 +1386,8 @@ static void usb_net_realize(USBDevice *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(&net_usbnet_info, &s->conf,
-                          object_get_typename(OBJECT(s)), s->dev.qdev.id, s);
+                          object_get_typename(OBJECT(s)), s->dev.qdev.id,
+                          &s->dev.qdev.mem_reentrancy_guard, s);
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
     snprintf(s->usbstring_mac, sizeof(s->usbstring_mac),
              "%02x%02x%02x%02x%02x%02x",
diff --git a/net/net.c b/net/net.c
index 6492ad530e..982df2479f 100644
--- a/net/net.c
+++ b/net/net.c
@@ -319,6 +319,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
                        NICConf *conf,
                        const char *model,
                        const char *name,
+                       MemReentrancyGuard *reentrancy_guard,
                        void *opaque)
 {
     NetClientState **peers = conf->peers.ncs;
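Review bot: reentrancy_guard is added to the definition but nothing in this hunk stores it in the NICState or reads it, so within this patch the parameter is dead. That matches the cover letter's "no behavioral changes" split, but a reader of this commit alone cannot tell it from an oversight; either fold the field assignment into this patch or add a one-line comment that the following patch consumes it.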
-- 
2.40.1




* [PATCH v2 2/2] net: Update MemReentrancyGuard for NIC
  2023-06-01  3:18 [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
  2023-06-01  3:18 ` [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic() Akihiko Odaki
@ 2023-06-01  3:18 ` Akihiko Odaki
  2023-06-05  8:04   ` Alexander Bulekov
  2023-06-01  7:16 ` [PATCH v2 0/2] " Philippe Mathieu-Daudé
  2023-09-21  7:16 ` Akihiko Odaki
  3 siblings, 1 reply; 17+ messages in thread
From: Akihiko Odaki @ 2023-06-01  3:18 UTC (permalink / raw)
  Cc: Mauro Matteo Cascella, P J P, Alexander Bulekov, Dmitry Fleytman,
	Beniamino Galvani, Peter Maydell, Strahinja Jankovic, Jason Wang,
	Edgar E. Iglesias, Alistair Francis, Stefan Weil,
	Cédric Le Goater, Andrew Jeffery, Joel Stanley,
	Richard Henderson, Helge Deller, Sriram Yagnaraman, Thomas Huth,
	Aleksandar Rikalo, Subbaraya Sundeep, Jan Kiszka, Tyrone Ting,
	Hao Wu, Max Filippov, Jiri Pirko, Daniel Henrique Barboza,
	David Gibson, Greg Kurz, Harsh Prateek Bora, Sven Schnelle,
	Michael S. Tsirkin, Stefano Stabellini, Anthony Perard,
	Paul Durrant, Rob Herring, Gerd Hoffmann, qemu-arm, qemu-devel,
	qemu-ppc, xen-devel, Akihiko Odaki

Recently MemReentrancyGuard was added to DeviceState to record that the
device is engaging in I/O. The network device backend needs to update it
when delivering a packet to a device.

This implementation follows what bottom half does, but it does not add
a tracepoint for the case that the network device backend started
delivering a packet to a device which is already engaging in I/O. This
is because such reentrancy frequently happens for
qemu_flush_queued_packets() and is insignificant.

Fixes: CVE-2023-3019
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
---
 include/net/net.h |  1 +
 net/net.c         | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/include/net/net.h b/include/net/net.h
index a7d8deaccb..685ec58318 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -124,6 +124,7 @@ typedef QTAILQ_HEAD(NetClientStateList, NetClientState) NetClientStateList;
 typedef struct NICState {
     NetClientState *ncs;
     NICConf *conf;
+    MemReentrancyGuard *reentrancy_guard;
     void *opaque;
     bool peer_deleted;
 } NICState;
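Review bot: the new `reentrancy_guard` member is a borrowed pointer into the owning DeviceState, but nothing in the struct says so. Since NICState is allocated separately (g_malloc0 in qemu_new_nic()) and the guard is dereferenced in the packet delivery path, a one-line comment stating that the pointee must outlive the NICState, and whether NULL is permitted, would document the contract every caller of qemu_new_nic() now has to honour.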
diff --git a/net/net.c b/net/net.c
index 982df2479f..3523cceafc 100644
--- a/net/net.c
+++ b/net/net.c
@@ -332,6 +332,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
     nic = g_malloc0(info->size + sizeof(NetClientState) * queues);
     nic->ncs = (void *)nic + info->size;
     nic->conf = conf;
+    nic->reentrancy_guard = reentrancy_guard,
     nic->opaque = opaque;
 
     for (i = 0; i < queues; i++) {
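Review bot: the added line `nic->reentrancy_guard = reentrancy_guard,` ends with a comma rather than a semicolon. Together with the following `nic->opaque = opaque;` it parses as one comma-expression statement, so it compiles and assigns both fields correctly, but it is a typo that will confuse the next person editing this block; change the trailing `,` to `;`.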
@@ -805,6 +806,7 @@ static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
                                        int iovcnt,
                                        void *opaque)
 {
+    MemReentrancyGuard *owned_reentrancy_guard;
     NetClientState *nc = opaque;
     int ret;
 
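Review bot: `owned_reentrancy_guard` is declared without an initializer and is only assigned in the hunk below, after the function's early `return 0` path. Initialising it to NULL at the declaration costs nothing and keeps the unconditional release at the end of the function correct if another early exit or `goto` is ever added between the declaration and the assignment.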
@@ -817,12 +819,24 @@ static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
         return 0;
     }
 
+    if (nc->info->type != NET_CLIENT_DRIVER_NIC ||
+        qemu_get_nic(nc)->reentrancy_guard->engaged_in_io) {
+        owned_reentrancy_guard = NULL;
+    } else {
+        owned_reentrancy_guard = qemu_get_nic(nc)->reentrancy_guard;
+        owned_reentrancy_guard->engaged_in_io = true;
+    }
+
     if (nc->info->receive_iov && !(flags & QEMU_NET_PACKET_FLAG_RAW)) {
         ret = nc->info->receive_iov(nc, iov, iovcnt);
     } else {
         ret = nc_sendv_compat(nc, iov, iovcnt, flags);
     }
 
+    if (owned_reentrancy_guard) {
+        owned_reentrancy_guard->engaged_in_io = false;
+    }
+
     if (ret == 0) {
         nc->receive_disabled = 1;
     }
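Review bot: `qemu_get_nic(nc)->reentrancy_guard->engaged_in_io` dereferences the guard pointer with no NULL check, so any NIC whose qemu_new_nic() call passed NULL will crash on its first received packet. Every conversion visible in patch 1/2 passes `&...mem_reentrancy_guard`, but nothing enforces that; either assert a non-NULL guard in qemu_new_nic() or treat a NULL guard like the already-engaged case here (`owned_reentrancy_guard = NULL`). A short comment on why the already-engaged branch is deliberately silent would also help: the commit message explains that nested delivery via qemu_flush_queued_packets() is expected and therefore not traced, unlike the bottom-half path this code otherwise mirrors, but a reader of only this function cannot see that.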
-- 
2.40.1




* Re: [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC
  2023-06-01  3:18 [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
  2023-06-01  3:18 ` [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic() Akihiko Odaki
  2023-06-01  3:18 ` [PATCH v2 2/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
@ 2023-06-01  7:16 ` Philippe Mathieu-Daudé
  2023-06-01  7:41   ` Akihiko Odaki
  2023-09-21  7:16 ` Akihiko Odaki
  3 siblings, 1 reply; 17+ messages in thread
From: Philippe Mathieu-Daudé @ 2023-06-01  7:16 UTC (permalink / raw)
  To: Akihiko Odaki
  Cc: Mauro Matteo Cascella, P J P, Alexander Bulekov, Dmitry Fleytman,
	Beniamino Galvani, Peter Maydell, Strahinja Jankovic, Jason Wang,
	Edgar E. Iglesias, Alistair Francis, Stefan Weil,
	Cédric Le Goater, Andrew Jeffery, Joel Stanley,
	Richard Henderson, Helge Deller, Sriram Yagnaraman, Thomas Huth,
	Aleksandar Rikalo, Subbaraya Sundeep, Jan Kiszka, Tyrone Ting,
	Hao Wu, Max Filippov, Jiri Pirko, Daniel Henrique Barboza,
	David Gibson, Greg Kurz, Harsh Prateek Bora, Sven Schnelle,
	Michael S. Tsirkin, Stefano Stabellini, Anthony Perard,
	Paul Durrant, Rob Herring, Gerd Hoffmann, qemu-arm, qemu-devel,
	qemu-ppc, xen-devel

On 1/6/23 05:18, Akihiko Odaki wrote:
> Recently MemReentrancyGuard was added to DeviceState to record that the
> device is engaging in I/O. The network device backend needs to update it
> when delivering a packet to a device.
> 
> This implementation follows what bottom half does, but it does not add
> a tracepoint for the case that the network device backend started
> delivering a packet to a device which is already engaging in I/O. This
> is because such reentrancy frequently happens for
> qemu_flush_queued_packets() and is insignificant.
> 
> This series consists of two patches. The first patch makes a bulk change to
> add a new parameter to qemu_new_nic() and does not contain behavioral changes.
> The second patch actually implements MemReentrancyGuard update.

/me look at the 'net' API.

So the NetReceive* handlers from NetClientInfo process the HW NIC
data flow, independently from the CPUs.

IIUC MemReentrancyGuard is supposed to protect reentrancy abuse from
CPUs.

NetReceive* handlers aren't restricted to any particular API, they
just consume blobs of data. Looking at e1000_receive_iov(), this data
is filled into memory using the pci_dma_rw() API. pci_dma_rw() gets
the AddressSpace to use calling pci_get_address_space(), which returns
PCIDevice::bus_master_as. Then we use the dma_memory_rw(), followed
by address_space_rw(). Beh, I fail to see why there are reentrancy
checks from this NIC DMA HW path.

Maybe the MemoryRegion API isn't the correct place to check for
reentrancy abuse and we should do that at the AddressSpace level,
keeping DMA ASes clear and only protecting CPU ASes?



* Re: [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC
  2023-06-01  7:16 ` [PATCH v2 0/2] " Philippe Mathieu-Daudé
@ 2023-06-01  7:41   ` Akihiko Odaki
  2023-06-01  8:56     ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 17+ messages in thread
From: Akihiko Odaki @ 2023-06-01  7:41 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: Mauro Matteo Cascella, P J P, Alexander Bulekov, Dmitry Fleytman,
	Beniamino Galvani, Peter Maydell, Strahinja Jankovic, Jason Wang,
	Edgar E. Iglesias, Alistair Francis, Stefan Weil,
	Cédric Le Goater, Andrew Jeffery, Joel Stanley,
	Richard Henderson, Helge Deller, Sriram Yagnaraman, Thomas Huth,
	Aleksandar Rikalo, Subbaraya Sundeep, Jan Kiszka, Tyrone Ting,
	Hao Wu, Max Filippov, Jiri Pirko, Daniel Henrique Barboza,
	David Gibson, Greg Kurz, Harsh Prateek Bora, Sven Schnelle,
	Michael S. Tsirkin, Stefano Stabellini, Anthony Perard,
	Paul Durrant, Rob Herring, Gerd Hoffmann, qemu-arm, qemu-devel,
	qemu-ppc, xen-devel

On 2023/06/01 16:16, Philippe Mathieu-Daudé wrote:
> On 1/6/23 05:18, Akihiko Odaki wrote:
>> Recently MemReentrancyGuard was added to DeviceState to record that the
>> device is engaging in I/O. The network device backend needs to update it
>> when delivering a packet to a device.
>>
>> This implementation follows what bottom half does, but it does not add
>> a tracepoint for the case that the network device backend started
>> delivering a packet to a device which is already engaging in I/O. This
>> is because such reentrancy frequently happens for
>> qemu_flush_queued_packets() and is insignificant.
>>
>> This series consists of two patches. The first patch makes a bulk change to
>> add a new parameter to qemu_new_nic() and does not contain behavioral changes.
>> The second patch actually implements MemReentrancyGuard update.
> 
> /me look at the 'net' API.
> 
> So the NetReceive* handlers from NetClientInfo process the HW NIC
> data flow, independently from the CPUs.
> 
> IIUC MemReentrancyGuard is supposed to protect reentrancy abuse from
> CPUs.
> 
> NetReceive* handlers aren't restricted to any particular API, they
> just consume blobs of data. Looking at e1000_receive_iov(), this data
> is filled into memory using the pci_dma_rw() API. pci_dma_rw() gets
> the AddressSpace to use calling pci_get_address_space(), which returns
> PCIDevice::bus_master_as. Then we use the dma_memory_rw(), followed
> by address_space_rw(). Beh, I fail to see why there are reentrancy
> checks from this NIC DMA HW path.
> 
> Maybe the MemoryRegion API isn't the correct place to check for
> reentrancy abuse and we should do that at the AddressSpace level,
> keeping DMA ASes clear and only protecting CPU ASes?

The involvement of CPU is not essential in my understanding. A typical
scenario of DMA reentrancy is like the following:
1) The guest configures the DMA destination address register the device
has to the address of another device register.
2) The DMA gets triggered.
3) The device performs the DMA, writing its own register.
4) The write causes reentrancy.
5) The re-entered device code corrupts the device state.

I guess 2) is done by CPU in most cases, but sometimes it happens with
another cause. In fact, the current reentrancy protection code covers
the case that bottom half handlers trigger DMA. The intention of this
series is to extend the coverage and handle the case that incoming
network traffic triggers DMA.

The essence of DMA reentrancy is in 3). This happens when the DMA
address space contains the MMIO region of the device and there is no
involvement of CPU here.


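The five-step scenario Akihiko Odaki lays out above, together with the "take the guard only if nobody holds it, release it only if you took it" rule that patch 2/2 adds to qemu_deliver_packet_iov(), as an added self-contained toy model in C. This is example code written for this page, not QEMU's code: ToyDev, toy_as_write(), toy_deliver(), run_scenario() and the register layout (RAM at 0x00..0x7f, an 8-byte MMIO window at 0x80 with DMA_DST and CTRL registers) are hypothetical stand-ins for a NIC's DeviceState, the address-space dispatch in memory.c and the net backend's delivery path; only the one-flag shape of MemReentrancyGuard and the owned/not-owned guard logic follow the patch. The packet bytes are constructed.

```c
/* Toy model of DMA re-entrancy into a NIC's own MMIO registers: hypothetical
 * code written for this page, not QEMU's API. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { bool engaged_in_io; } MemReentrancyGuard;  /* QEMU's shape */

enum { RAM_SIZE = 0x80, MMIO_BASE = 0x80,   /* RAM 0x00..0x7f, regs 0x80..0x87 */
       REG_DMA_DST = 0x0, REG_CTRL = 0x4, CTRL_RESET = 0x1, RING_SIZE = 16 };

typedef struct {
    MemReentrancyGuard guard;   /* like DeviceState::mem_reentrancy_guard */
    uint32_t dma_dst;           /* guest-programmed DMA destination */
    uint8_t *rx_ring;           /* heap state that a device reset frees */
    int in_receive;             /* >0 while a packet is being delivered */
    int reentered;              /* MMIO handler ran while in_receive */
    int blocked;                /* MMIO accesses refused by the guard */
    bool corrupted;             /* receive path saw its ring disappear */
    uint8_t ram[RAM_SIZE];
} ToyDev;

static void toy_init(ToyDev *s)             /* s: zeroed or a previous ToyDev */
{
    free(s->rx_ring);
    memset(s, 0, sizeof(*s));
    s->rx_ring = calloc(RING_SIZE, 1);
}

/* The device's MMIO write handler (a NIC's MemoryRegionOps.write). */
static void toy_mmio_write(ToyDev *s, uint32_t off, uint8_t val)
{
    if (s->in_receive) s->reentered++;      /* step 4: re-entered mid-delivery */
    if (off == REG_DMA_DST) {
        s->dma_dst = val;
    } else if (off == REG_CTRL && (val & CTRL_RESET)) {
        free(s->rx_ring);                   /* step 5: ring torn down under the receiver */
        s->rx_ring = NULL;
    }
}

/* Address-space write into RAM or the device's MMIO region. As in memory.c,
 * an MMIO access is refused while the owning device is engaged in I/O. */
static bool toy_as_write(ToyDev *s, uint32_t addr, uint8_t val)
{
    if (addr < RAM_SIZE) {
        s->ram[addr] = val;
        return true;
    }
    if (addr < MMIO_BASE || addr >= MMIO_BASE + 8) return false;
    if (s->guard.engaged_in_io) {
        s->blocked++;
        return false;
    }
    toy_mmio_write(s, addr - MMIO_BASE, val);
    return true;
}

/* The backend delivering a packet (the role of qemu_deliver_packet_iov()).
 * With patched=true the guard is taken only if nobody holds it and released
 * only by the caller that took it, which is the rule patch 2/2 adds. */
static size_t toy_deliver(ToyDev *s, const uint8_t *pkt, size_t len, bool patched)
{
    MemReentrancyGuard *owned = NULL;
    size_t i;
    if (patched && !s->guard.engaged_in_io) {
        owned = &s->guard;
        owned->engaged_in_io = true;
    }
    s->in_receive++;
    for (i = 0; i < len; i++) {
        if (!s->rx_ring) {                  /* real code would touch freed memory */
            s->corrupted = true;
            break;
        }
        s->rx_ring[i % RING_SIZE] = pkt[i];
        toy_as_write(s, s->dma_dst + (uint32_t)i, pkt[i]);   /* step 3: the DMA */
    }
    s->in_receive--;
    if (owned) owned->engaged_in_io = false;
    return i;
}

static ToyDev last;   /* device state left behind by the last run_scenario() */

/* Steps 1-5 from the thread: the guest CPU points DMA_DST at the device's own
 * CTRL register, then a packet arrives whose first byte has CTRL_RESET set.
 * outer_engaged=true models a nested delivery (qemu_flush_queued_packets())
 * that finds the guard already held. Returns true if the device state survived. */
static bool run_scenario(bool patched, bool outer_engaged)
{
    static const uint8_t pkt[] = { CTRL_RESET, 0x22, 0x33, 0x44 };   /* constructed */

    toy_init(&last);
    /* step 1: the CPU programs DMA_DST while the guard is idle, so it is allowed */
    if (!toy_as_write(&last, MMIO_BASE + REG_DMA_DST, MMIO_BASE + REG_CTRL)) return false;
    last.guard.engaged_in_io = outer_engaged;
    toy_deliver(&last, pkt, sizeof(pkt), patched);       /* step 2: traffic triggers the DMA */
    return !last.corrupted && last.rx_ring != NULL;
}
```

Without the guard the first DMA byte lands on CTRL, the reset frees the rx ring while the receive loop is still walking it (the toy records this instead of dereferencing freed memory), and run_scenario(false, false) reports corruption. With the guard the same four writes are refused and the ring survives. With the guard already held on entry, run_scenario(true, true) still succeeds and leaves engaged_in_io set afterwards, which is the nested case the commit message says is frequent and harmless, and why the patch emits no trace for it.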

* Re: [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC
  2023-06-01  7:41   ` Akihiko Odaki
@ 2023-06-01  8:56     ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 17+ messages in thread
From: Philippe Mathieu-Daudé @ 2023-06-01  8:56 UTC (permalink / raw)
  To: Akihiko Odaki
  Cc: Mauro Matteo Cascella, P J P, Alexander Bulekov, Dmitry Fleytman,
	Beniamino Galvani, Peter Maydell, Strahinja Jankovic, Jason Wang,
	Edgar E. Iglesias, Alistair Francis, Stefan Weil,
	Cédric Le Goater, Andrew Jeffery, Joel Stanley,
	Richard Henderson, Helge Deller, Sriram Yagnaraman, Thomas Huth,
	Aleksandar Rikalo, Subbaraya Sundeep, Jan Kiszka, Tyrone Ting,
	Hao Wu, Max Filippov, Jiri Pirko, Daniel Henrique Barboza,
	David Gibson, Greg Kurz, Harsh Prateek Bora, Sven Schnelle,
	Michael S. Tsirkin, Stefano Stabellini, Anthony Perard,
	Paul Durrant, Rob Herring, Gerd Hoffmann, qemu-arm, qemu-devel,
	qemu-ppc, xen-devel

On 1/6/23 09:41, Akihiko Odaki wrote:
> On 2023/06/01 16:16, Philippe Mathieu-Daudé wrote:
>> On 1/6/23 05:18, Akihiko Odaki wrote:
>>> Recently MemReentrancyGuard was added to DeviceState to record that the
>>> device is engaging in I/O. The network device backend needs to update it
>>> when delivering a packet to a device.
>>>
>>> This implementation follows what bottom half does, but it does not add
>>> a tracepoint for the case that the network device backend started
>>> delivering a packet to a device which is already engaging in I/O. This
>>> is because such reentrancy frequently happens for
>>> qemu_flush_queued_packets() and is insignificant.
>>>
>>> This series consists of two patches. The first patch makes a bulk change to
>>> add a new parameter to qemu_new_nic() and does not contain behavioral changes.
>>> The second patch actually implements MemReentrancyGuard update.
>>
>> /me look at the 'net' API.
>>
>> So the NetReceive* handlers from NetClientInfo process the HW NIC
>> data flow, independently from the CPUs.
>>
>> IIUC MemReentrancyGuard is supposed to protect reentrancy abuse from
>> CPUs.
>>
>> NetReceive* handlers aren't restricted to any particular API, they
>> just consume blobs of data. Looking at e1000_receive_iov(), this data
>> is filled into memory using the pci_dma_rw() API. pci_dma_rw() gets
>> the AddressSpace to use calling pci_get_address_space(), which returns
>> PCIDevice::bus_master_as. Then we use the dma_memory_rw(), followed
>> by address_space_rw(). Beh, I fail to see why there are reentrancy
>> checks from this NIC DMA HW path.
>>
>> Maybe the MemoryRegion API isn't the correct place to check for
>> reentrancy abuse and we should do that at the AddressSpace level,
>> keeping DMA ASes clear and only protecting CPU ASes?
> 
> The involvement of CPU is not essential in my understanding. A typical 
> scenario of DMA reentrancy is like the following:
> 1) The guest configures the DMA destination address register the device 
> has to the address of another device register.
> 2) The DMA gets triggered.
> 3) The device performs the DMA, writing its own register.
> 4) The write causes reentrancy.
> 5) The re-entered device code corrupts the device state.
> 
> I guess 2) is done by CPU in most cases, but sometimes it happens with
> another cause. In fact, the current reentrancy protection code covers
> the case that bottom half handlers trigger DMA. The intention of this
> series is to extend the coverage and handle the case that incoming
> network traffic triggers DMA.
> 
> The essence of DMA reentrancy is in 3). This happens when the DMA 
> address space contains the MMIO region of the device and there is no 
> involvement of CPU here.

OK, thanks for the explanation.



* Re: [PATCH v2 2/2] net: Update MemReentrancyGuard for NIC
  2023-06-01  3:18 ` [PATCH v2 2/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
@ 2023-06-05  8:04   ` Alexander Bulekov
  0 siblings, 0 replies; 17+ messages in thread
From: Alexander Bulekov @ 2023-06-05  8:04 UTC (permalink / raw)
  To: Akihiko Odaki
  Cc: Mauro Matteo Cascella, P J P, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel

On 230601 1218, Akihiko Odaki wrote:
> Recently MemReentrancyGuard was added to DeviceState to record that the
> device is engaging in I/O. The network device backend needs to update it
> when delivering a packet to a device.
> 
> This implementation follows what bottom half does, but it does not add
> a tracepoint for the case that the network device backend started
> delivering a packet to a device which is already engaging in I/O. This
> is because such reentrancy frequently happens for
> qemu_flush_queued_packets() and is insignificant.
> 
> Fixes: CVE-2023-3019
> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>

Acked-by: Alexander Bulekov <alxndr@bu.edu>

> ---
>  include/net/net.h |  1 +
>  net/net.c         | 14 ++++++++++++++
>  2 files changed, 15 insertions(+)
> 
> diff --git a/include/net/net.h b/include/net/net.h
> index a7d8deaccb..685ec58318 100644
> --- a/include/net/net.h
> +++ b/include/net/net.h
> @@ -124,6 +124,7 @@ typedef QTAILQ_HEAD(NetClientStateList, NetClientState) NetClientStateList;
>  typedef struct NICState {
>      NetClientState *ncs;
>      NICConf *conf;
> +    MemReentrancyGuard *reentrancy_guard;
>      void *opaque;
>      bool peer_deleted;
>  } NICState;
> diff --git a/net/net.c b/net/net.c
> index 982df2479f..3523cceafc 100644
> --- a/net/net.c
> +++ b/net/net.c
> @@ -332,6 +332,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
>      nic = g_malloc0(info->size + sizeof(NetClientState) * queues);
>      nic->ncs = (void *)nic + info->size;
>      nic->conf = conf;
> +    nic->reentrancy_guard = reentrancy_guard,
>      nic->opaque = opaque;
>  
>      for (i = 0; i < queues; i++) {
> @@ -805,6 +806,7 @@ static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
>                                         int iovcnt,
>                                         void *opaque)
>  {
> +    MemReentrancyGuard *owned_reentrancy_guard;
>      NetClientState *nc = opaque;
>      int ret;
>  
> @@ -817,12 +819,24 @@ static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
>          return 0;
>      }
>  
> +    if (nc->info->type != NET_CLIENT_DRIVER_NIC ||
> +        qemu_get_nic(nc)->reentrancy_guard->engaged_in_io) {
> +        owned_reentrancy_guard = NULL;
> +    } else {
> +        owned_reentrancy_guard = qemu_get_nic(nc)->reentrancy_guard;
> +        owned_reentrancy_guard->engaged_in_io = true;
> +    }
> +
>      if (nc->info->receive_iov && !(flags & QEMU_NET_PACKET_FLAG_RAW)) {
>          ret = nc->info->receive_iov(nc, iov, iovcnt);
>      } else {
>          ret = nc_sendv_compat(nc, iov, iovcnt, flags);
>      }
>  
> +    if (owned_reentrancy_guard) {
> +        owned_reentrancy_guard->engaged_in_io = false;
> +    }
> +
>      if (ret == 0) {
>          nc->receive_disabled = 1;
>      }
> -- 
> 2.40.1
> 



* Re: [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2023-06-01  3:18 ` [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic() Akihiko Odaki
@ 2023-06-05  8:06   ` Alexander Bulekov
  2023-06-05 10:50     ` Akihiko Odaki
  2024-04-24 10:05   ` Philippe Mathieu-Daudé
  1 sibling, 1 reply; 17+ messages in thread
From: Alexander Bulekov @ 2023-06-05  8:06 UTC (permalink / raw)
  To: Akihiko Odaki
  Cc: Mauro Matteo Cascella, P J P, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel

On 230601 1218, Akihiko Odaki wrote:
> Recently MemReentrancyGuard was added to DeviceState to record that the
> device is engaging in I/O. The network device backend needs to update it
> when delivering a packet to a device.
> 
> In preparation for such a change, add MemReentrancyGuard * as a
> parameter of qemu_new_nic().
> 
> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>


Reviewed-by: Alexander Bulekov <alxndr@bu.edu>

One minor comment below.

> ---
>  include/net/net.h             | 1 +
>  hw/net/allwinner-sun8i-emac.c | 3 ++-
>  hw/net/allwinner_emac.c       | 3 ++-
>  hw/net/cadence_gem.c          | 3 ++-
>  hw/net/dp8393x.c              | 3 ++-
>  hw/net/e1000.c                | 3 ++-
>  hw/net/e1000e.c               | 2 +-
>  hw/net/eepro100.c             | 4 +++-
>  hw/net/etraxfs_eth.c          | 3 ++-
>  hw/net/fsl_etsec/etsec.c      | 3 ++-
>  hw/net/ftgmac100.c            | 3 ++-
>  hw/net/i82596.c               | 2 +-
>  hw/net/igb.c                  | 2 +-
>  hw/net/imx_fec.c              | 2 +-
>  hw/net/lan9118.c              | 3 ++-
>  hw/net/mcf_fec.c              | 3 ++-
>  hw/net/mipsnet.c              | 3 ++-
>  hw/net/msf2-emac.c            | 3 ++-
>  hw/net/mv88w8618_eth.c        | 3 ++-
>  hw/net/ne2000-isa.c           | 3 ++-
>  hw/net/ne2000-pci.c           | 3 ++-
>  hw/net/npcm7xx_emc.c          | 3 ++-
>  hw/net/opencores_eth.c        | 3 ++-
>  hw/net/pcnet.c                | 3 ++-
>  hw/net/rocker/rocker_fp.c     | 4 ++--
>  hw/net/rtl8139.c              | 3 ++-
>  hw/net/smc91c111.c            | 3 ++-
>  hw/net/spapr_llan.c           | 3 ++-
>  hw/net/stellaris_enet.c       | 3 ++-
>  hw/net/sungem.c               | 2 +-
>  hw/net/sunhme.c               | 3 ++-
>  hw/net/tulip.c                | 3 ++-
>  hw/net/virtio-net.c           | 6 ++++--
>  hw/net/vmxnet3.c              | 2 +-
>  hw/net/xen_nic.c              | 4 ++--
>  hw/net/xgmac.c                | 3 ++-
>  hw/net/xilinx_axienet.c       | 3 ++-
>  hw/net/xilinx_ethlite.c       | 3 ++-
>  hw/usb/dev-network.c          | 3 ++-
>  net/net.c                     | 1 +
>  40 files changed, 75 insertions(+), 41 deletions(-)
> 
> diff --git a/include/net/net.h b/include/net/net.h
> index 1448d00afb..a7d8deaccb 100644
> --- a/include/net/net.h
> +++ b/include/net/net.h
> @@ -157,6 +157,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
>                         NICConf *conf,
>                         const char *model,
>                         const char *name,
> +                       MemReentrancyGuard *reentrancy_guard,
>                         void *opaque);
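
Review bot: the prototype gains `MemReentrancyGuard *reentrancy_guard` with no accompanying comment in the header. Since this is the declaration device authors will read, stating that the argument is the guard of the DeviceState that owns the NIC (`&DEVICE(...)->mem_reentrancy_guard`), that it is stored by pointer and must outlive the NICState, and whether NULL is accepted, would save each new caller from reading net/net.c to find out.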

Does it make sense to roll *reentrancy_guard into NICConf here?



* Re: [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2023-06-05  8:06   ` Alexander Bulekov
@ 2023-06-05 10:50     ` Akihiko Odaki
  0 siblings, 0 replies; 17+ messages in thread
From: Akihiko Odaki @ 2023-06-05 10:50 UTC (permalink / raw)
  To: Alexander Bulekov
  Cc: Mauro Matteo Cascella, P J P, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel

On 2023/06/05 17:06, Alexander Bulekov wrote:
> On 230601 1218, Akihiko Odaki wrote:
>> Recently MemReentrancyGuard was added to DeviceState to record that the
>> device is engaging in I/O. The network device backend needs to update it
>> when delivering a packet to a device.
>>
>> In preparation for such a change, add MemReentrancyGuard * as a
>> parameter of qemu_new_nic().
>>
>> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
> 
> 
> Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
> 
> One minor comment below.
> 
>> ---
>>   include/net/net.h             | 1 +
>>   hw/net/allwinner-sun8i-emac.c | 3 ++-
>>   hw/net/allwinner_emac.c       | 3 ++-
>>   hw/net/cadence_gem.c          | 3 ++-
>>   hw/net/dp8393x.c              | 3 ++-
>>   hw/net/e1000.c                | 3 ++-
>>   hw/net/e1000e.c               | 2 +-
>>   hw/net/eepro100.c             | 4 +++-
>>   hw/net/etraxfs_eth.c          | 3 ++-
>>   hw/net/fsl_etsec/etsec.c      | 3 ++-
>>   hw/net/ftgmac100.c            | 3 ++-
>>   hw/net/i82596.c               | 2 +-
>>   hw/net/igb.c                  | 2 +-
>>   hw/net/imx_fec.c              | 2 +-
>>   hw/net/lan9118.c              | 3 ++-
>>   hw/net/mcf_fec.c              | 3 ++-
>>   hw/net/mipsnet.c              | 3 ++-
>>   hw/net/msf2-emac.c            | 3 ++-
>>   hw/net/mv88w8618_eth.c        | 3 ++-
>>   hw/net/ne2000-isa.c           | 3 ++-
>>   hw/net/ne2000-pci.c           | 3 ++-
>>   hw/net/npcm7xx_emc.c          | 3 ++-
>>   hw/net/opencores_eth.c        | 3 ++-
>>   hw/net/pcnet.c                | 3 ++-
>>   hw/net/rocker/rocker_fp.c     | 4 ++--
>>   hw/net/rtl8139.c              | 3 ++-
>>   hw/net/smc91c111.c            | 3 ++-
>>   hw/net/spapr_llan.c           | 3 ++-
>>   hw/net/stellaris_enet.c       | 3 ++-
>>   hw/net/sungem.c               | 2 +-
>>   hw/net/sunhme.c               | 3 ++-
>>   hw/net/tulip.c                | 3 ++-
>>   hw/net/virtio-net.c           | 6 ++++--
>>   hw/net/vmxnet3.c              | 2 +-
>>   hw/net/xen_nic.c              | 4 ++--
>>   hw/net/xgmac.c                | 3 ++-
>>   hw/net/xilinx_axienet.c       | 3 ++-
>>   hw/net/xilinx_ethlite.c       | 3 ++-
>>   hw/usb/dev-network.c          | 3 ++-
>>   net/net.c                     | 1 +
>>   40 files changed, 75 insertions(+), 41 deletions(-)
>>
>> diff --git a/include/net/net.h b/include/net/net.h
>> index 1448d00afb..a7d8deaccb 100644
>> --- a/include/net/net.h
>> +++ b/include/net/net.h
>> @@ -157,6 +157,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
>>                          NICConf *conf,
>>                          const char *model,
>>                          const char *name,
>> +                       MemReentrancyGuard *reentrancy_guard,
>>                          void *opaque);
> 
> Does it make sense to roll *reentrancy_guard into NICConf here?

Probably no. All members of NICConf are device properties the user
configures, but reentrancy_guard is an internal state. Similarly, the
opaque parameter is an internal state and not included in NICConf.



* Re: [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC
  2023-06-01  3:18 [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
                   ` (2 preceding siblings ...)
  2023-06-01  7:16 ` [PATCH v2 0/2] " Philippe Mathieu-Daudé
@ 2023-09-21  7:16 ` Akihiko Odaki
  2023-11-14  5:29   ` Jason Wang
  3 siblings, 1 reply; 17+ messages in thread
From: Akihiko Odaki @ 2023-09-21  7:16 UTC (permalink / raw)
  To: Jason Wang
  Cc: Mauro Matteo Cascella, P J P, Alexander Bulekov, Dmitry Fleytman,
	Beniamino Galvani, Peter Maydell, Strahinja Jankovic,
	Edgar E. Iglesias, Alistair Francis, Stefan Weil,
	Cédric Le Goater, Andrew Jeffery, Joel Stanley,
	Richard Henderson, Helge Deller, Sriram Yagnaraman, Thomas Huth,
	Aleksandar Rikalo, Subbaraya Sundeep, Jan Kiszka, Tyrone Ting,
	Hao Wu, Max Filippov, Jiri Pirko, Daniel Henrique Barboza,
	David Gibson, Greg Kurz, Harsh Prateek Bora, Sven Schnelle,
	Michael S. Tsirkin, Stefano Stabellini, Anthony Perard,
	Paul Durrant, Rob Herring, Gerd Hoffmann, qemu-arm, qemu-devel,
	qemu-ppc, xen-devel

On 2023/06/01 12:18, Akihiko Odaki wrote:
> Recently MemReentrancyGuard was added to DeviceState to record that the
> device is engaging in I/O. The network device backend needs to update it
> when delivering a packet to a device.
> 
> This implementation follows what bottom half does, but it does not add
> a tracepoint for the case that the network device backend started
> delivering a packet to a device which is already engaging in I/O. This
> is because such reentrancy frequently happens for
> qemu_flush_queued_packets() and is insignificant.
> 
> This series consists of two patches. The first patch makes a bulk change to
> add a new parameter to qemu_new_nic() and does not contain behavioral changes.
> The second patch actually implements MemReentrancyGuard update.
> 
> V1 -> V2: Added the 'Fixes: CVE-2023-3019' tag
> 
> Akihiko Odaki (2):
>    net: Provide MemReentrancyGuard * to qemu_new_nic()
>    net: Update MemReentrancyGuard for NIC
> 
>   include/net/net.h             |  2 ++
>   hw/net/allwinner-sun8i-emac.c |  3 ++-
>   hw/net/allwinner_emac.c       |  3 ++-
>   hw/net/cadence_gem.c          |  3 ++-
>   hw/net/dp8393x.c              |  3 ++-
>   hw/net/e1000.c                |  3 ++-
>   hw/net/e1000e.c               |  2 +-
>   hw/net/eepro100.c             |  4 +++-
>   hw/net/etraxfs_eth.c          |  3 ++-
>   hw/net/fsl_etsec/etsec.c      |  3 ++-
>   hw/net/ftgmac100.c            |  3 ++-
>   hw/net/i82596.c               |  2 +-
>   hw/net/igb.c                  |  2 +-
>   hw/net/imx_fec.c              |  2 +-
>   hw/net/lan9118.c              |  3 ++-
>   hw/net/mcf_fec.c              |  3 ++-
>   hw/net/mipsnet.c              |  3 ++-
>   hw/net/msf2-emac.c            |  3 ++-
>   hw/net/mv88w8618_eth.c        |  3 ++-
>   hw/net/ne2000-isa.c           |  3 ++-
>   hw/net/ne2000-pci.c           |  3 ++-
>   hw/net/npcm7xx_emc.c          |  3 ++-
>   hw/net/opencores_eth.c        |  3 ++-
>   hw/net/pcnet.c                |  3 ++-
>   hw/net/rocker/rocker_fp.c     |  4 ++--
>   hw/net/rtl8139.c              |  3 ++-
>   hw/net/smc91c111.c            |  3 ++-
>   hw/net/spapr_llan.c           |  3 ++-
>   hw/net/stellaris_enet.c       |  3 ++-
>   hw/net/sungem.c               |  2 +-
>   hw/net/sunhme.c               |  3 ++-
>   hw/net/tulip.c                |  3 ++-
>   hw/net/virtio-net.c           |  6 ++++--
>   hw/net/vmxnet3.c              |  2 +-
>   hw/net/xen_nic.c              |  4 ++--
>   hw/net/xgmac.c                |  3 ++-
>   hw/net/xilinx_axienet.c       |  3 ++-
>   hw/net/xilinx_ethlite.c       |  3 ++-
>   hw/usb/dev-network.c          |  3 ++-
>   net/net.c                     | 15 +++++++++++++++
>   40 files changed, 90 insertions(+), 41 deletions(-)
> 

Hi Jason,

Can you review this series?

Regards,
Akihiko Odaki



* Re: [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC
  2023-09-21  7:16 ` Akihiko Odaki
@ 2023-11-14  5:29   ` Jason Wang
  0 siblings, 0 replies; 17+ messages in thread
From: Jason Wang @ 2023-11-14  5:29 UTC (permalink / raw)
  To: Akihiko Odaki
  Cc: Mauro Matteo Cascella, P J P, Alexander Bulekov, Dmitry Fleytman,
	Beniamino Galvani, Peter Maydell, Strahinja Jankovic,
	Edgar E. Iglesias, Alistair Francis, Stefan Weil,
	Cédric Le Goater, Andrew Jeffery, Joel Stanley,
	Richard Henderson, Helge Deller, Sriram Yagnaraman, Thomas Huth,
	Aleksandar Rikalo, Subbaraya Sundeep, Jan Kiszka, Tyrone Ting,
	Hao Wu, Max Filippov, Jiri Pirko, Daniel Henrique Barboza,
	David Gibson, Greg Kurz, Harsh Prateek Bora, Sven Schnelle,
	Michael S. Tsirkin, Stefano Stabellini, Anthony Perard,
	Paul Durrant, Rob Herring, Gerd Hoffmann, qemu-arm, qemu-devel,
	qemu-ppc, xen-devel

On Thu, Sep 21, 2023 at 3:16 PM Akihiko Odaki <akihiko.odaki@daynix.com> wrote:
>
> On 2023/06/01 12:18, Akihiko Odaki wrote:
> > Recently MemReentrancyGuard was added to DeviceState to record that the
> > device is engaging in I/O. The network device backend needs to update it
> > when delivering a packet to a device.
> >
> > This implementation follows what bottom half does, but it does not add
> > a tracepoint for the case that the network device backend started
> > delivering a packet to a device which is already engaging in I/O. This
> > is because such reentrancy frequently happens for
> > qemu_flush_queued_packets() and is insignificant.
> >
> > This series consists of two patches. The first patch makes a bulk change to
> > add a new parameter to qemu_new_nic() and does not contain behavioral changes.
> > The second patch actually implements MemReentrancyGuard update.
> >
> > V1 -> V2: Added the 'Fixes: CVE-2023-3019' tag
> >
> > Akihiko Odaki (2):
> >    net: Provide MemReentrancyGuard * to qemu_new_nic()
> >    net: Update MemReentrancyGuard for NIC
> >
> >   include/net/net.h             |  2 ++
> >   hw/net/allwinner-sun8i-emac.c |  3 ++-
> >   hw/net/allwinner_emac.c       |  3 ++-
> >   hw/net/cadence_gem.c          |  3 ++-
> >   hw/net/dp8393x.c              |  3 ++-
> >   hw/net/e1000.c                |  3 ++-
> >   hw/net/e1000e.c               |  2 +-
> >   hw/net/eepro100.c             |  4 +++-
> >   hw/net/etraxfs_eth.c          |  3 ++-
> >   hw/net/fsl_etsec/etsec.c      |  3 ++-
> >   hw/net/ftgmac100.c            |  3 ++-
> >   hw/net/i82596.c               |  2 +-
> >   hw/net/igb.c                  |  2 +-
> >   hw/net/imx_fec.c              |  2 +-
> >   hw/net/lan9118.c              |  3 ++-
> >   hw/net/mcf_fec.c              |  3 ++-
> >   hw/net/mipsnet.c              |  3 ++-
> >   hw/net/msf2-emac.c            |  3 ++-
> >   hw/net/mv88w8618_eth.c        |  3 ++-
> >   hw/net/ne2000-isa.c           |  3 ++-
> >   hw/net/ne2000-pci.c           |  3 ++-
> >   hw/net/npcm7xx_emc.c          |  3 ++-
> >   hw/net/opencores_eth.c        |  3 ++-
> >   hw/net/pcnet.c                |  3 ++-
> >   hw/net/rocker/rocker_fp.c     |  4 ++--
> >   hw/net/rtl8139.c              |  3 ++-
> >   hw/net/smc91c111.c            |  3 ++-
> >   hw/net/spapr_llan.c           |  3 ++-
> >   hw/net/stellaris_enet.c       |  3 ++-
> >   hw/net/sungem.c               |  2 +-
> >   hw/net/sunhme.c               |  3 ++-
> >   hw/net/tulip.c                |  3 ++-
> >   hw/net/virtio-net.c           |  6 ++++--
> >   hw/net/vmxnet3.c              |  2 +-
> >   hw/net/xen_nic.c              |  4 ++--
> >   hw/net/xgmac.c                |  3 ++-
> >   hw/net/xilinx_axienet.c       |  3 ++-
> >   hw/net/xilinx_ethlite.c       |  3 ++-
> >   hw/usb/dev-network.c          |  3 ++-
> >   net/net.c                     | 15 +++++++++++++++
> >   40 files changed, 90 insertions(+), 41 deletions(-)
> >
>
> Hi Jason,
>
> Can you review this series?

For some reason it fell through the cracks.

I've queued this for rc1.

Thanks

>
> Regards,
> Akihiko Odaki
>



^ permalink raw reply	[flat|nested] 17+ messages in thread
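The cover letter quoted above explains the mechanism in one paragraph: the network backend marks the device as engaged in I/O while its receive handler runs, mirroring what the bottom-half code already does. The following C sketch is an added example, not code from QEMU or from this series. It models a device whose receive handler can be driven back into its own register space, and shows why saving, setting and restoring `engaged_in_io` around the receive callback matters. `DeviceState`, `MemReentrancyGuard` and `engaged_in_io` are QEMU's names; `ToyNic`, its "kick" register, the ring, the scenario and the sample frame are constructed for this illustration, and the memory layer's behaviour (refusing a guest access while the flag is set) is summarised in one function rather than reproduced.

```c
/* Added example, not QEMU's code: a toy model of the MemReentrancyGuard
 * update described in the cover letter. DeviceState, MemReentrancyGuard and
 * engaged_in_io follow QEMU's names; everything else here is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { bool engaged_in_io; } MemReentrancyGuard;  /* set during device I/O */
typedef struct { MemReentrancyGuard mem_reentrancy_guard; } DeviceState;

#define RING_SLOTS 4
#define SLOT_BYTES 16

typedef struct ToyNic {
    DeviceState parent;
    bool guard_enabled;      /* false models the backend before this series */
    uint8_t ring[RING_SLOTS][SLOT_BYTES];
    size_t head;             /* next slot the receive path fills */
    bool kick_done;          /* bounds the toy re-entry to one level */
    int nested_receive;      /* receive handlers started from inside another */
    int rejected_mmio;       /* guest accesses the guard refused */
} ToyNic;

static int deliver_packet(ToyNic *nic, const uint8_t *buf, size_t len);

/* Guest-visible register write (hypothetical register map). As in QEMU's
 * memory layer, an access arriving while the owner is engaged in I/O is refused. */
static bool toy_mmio_write(ToyNic *nic, unsigned reg)
{
    MemReentrancyGuard *g = &nic->parent.mem_reentrancy_guard;

    if (g->engaged_in_io) {
        nic->rejected_mmio++;
        return false;
    }
    /* Register 0 is a "kick": re-deliver the queued frame (one constructed
     * 4-byte frame here, delivered at most once to keep the toy bounded). */
    if (reg == 0 && !nic->kick_done) {
        nic->kick_done = true;
        nic->nested_receive++;
        deliver_packet(nic, (const uint8_t *)"KICK", 4);
    }
    return true;
}

/* Device receive handler: fill the current slot, then write back over the
 * guest-visible bus. A nested receive started from that write reuses the slot. */
static void toy_nic_receive(ToyNic *nic, const uint8_t *buf, size_t len)
{
    size_t slot = nic->head;

    memset(nic->ring[slot], 0, SLOT_BYTES);
    memcpy(nic->ring[slot], buf, len > SLOT_BYTES ? SLOT_BYTES : len);
    toy_mmio_write(nic, 0);
    nic->head = (slot + 1) % RING_SLOTS;
}

/* The backend-side update the series adds: save the flag, mark the device
 * engaged while its handler runs, then restore the saved value so a nested
 * delivery does not clear a flag set by an outer I/O. No tracepoint, as the
 * cover letter says, unlike the bottom-half code this mirrors. */
static int deliver_packet(ToyNic *nic, const uint8_t *buf, size_t len)
{
    MemReentrancyGuard *g = &nic->parent.mem_reentrancy_guard;
    bool last_engaged_in_io = g->engaged_in_io;

    if (nic->guard_enabled) {
        g->engaged_in_io = true;
    }
    toy_nic_receive(nic, buf, len);
    if (nic->guard_enabled) {
        g->engaged_in_io = last_engaged_in_io;
    }
    return (int)len;
}

typedef struct {
    int nested_receive;
    int rejected_mmio;
    bool slot0_clobbered;    /* slot 0 no longer holds the delivered frame */
} ScenarioResult;

/* Deliver one constructed frame and report what the device model did. */
static ScenarioResult run_scenario(bool guard_enabled)
{
    static const uint8_t frame[] = "FRAME-0001";   /* constructed sample */
    size_t len = sizeof frame - 1;
    ToyNic nic;
    ScenarioResult r;

    memset(&nic, 0, sizeof nic);
    nic.guard_enabled = guard_enabled;
    deliver_packet(&nic, frame, len);
    r.nested_receive = nic.nested_receive;
    r.rejected_mmio = nic.rejected_mmio;
    r.slot0_clobbered = memcmp(nic.ring[0], frame, len) != 0;
    return r;
}
```

Calling `run_scenario(false)` shows the pre-series behaviour: the write-back is dispatched, the nested receive runs and overwrites the ring slot the outer handler is still using, which is the class of state corruption the guard exists to stop. With `run_scenario(true)` the write is refused and the frame survives intact. The save/restore, rather than a plain clear, is what lets a delivery that is itself nested inside device I/O (the qemu_flush_queued_packets() case the cover letter calls frequent and insignificant) leave the outer flag as it found it.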

* Re: [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2023-06-01  3:18 ` [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic() Akihiko Odaki
  2023-06-05  8:06   ` Alexander Bulekov
@ 2024-04-24 10:05   ` Philippe Mathieu-Daudé
  2024-04-24 10:41     ` Prasad Pandit
  1 sibling, 1 reply; 17+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-04-24 10:05 UTC (permalink / raw)
  To: P J P, Mauro Matteo Cascella, Akihiko Odaki
  Cc: Alexander Bulekov, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel

Hi,

On 1/6/23 05:18, Akihiko Odaki wrote:
> Recently MemReentrancyGuard was added to DeviceState to record that the
> device is engaging in I/O. The network device backend needs to update it
> when delivering a packet to a device.
> 
> In preparation for such a change, add MemReentrancyGuard * as a
> parameter of qemu_new_nic().

A user on IRC asked if this patch is related/fixing CVE-2021-20255,
any clue?

> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
> ---
>   include/net/net.h             | 1 +
>   hw/net/allwinner-sun8i-emac.c | 3 ++-
>   hw/net/allwinner_emac.c       | 3 ++-
>   hw/net/cadence_gem.c          | 3 ++-
>   hw/net/dp8393x.c              | 3 ++-
>   hw/net/e1000.c                | 3 ++-
>   hw/net/e1000e.c               | 2 +-
>   hw/net/eepro100.c             | 4 +++-
>   hw/net/etraxfs_eth.c          | 3 ++-
>   hw/net/fsl_etsec/etsec.c      | 3 ++-
>   hw/net/ftgmac100.c            | 3 ++-
>   hw/net/i82596.c               | 2 +-
>   hw/net/igb.c                  | 2 +-
>   hw/net/imx_fec.c              | 2 +-
>   hw/net/lan9118.c              | 3 ++-
>   hw/net/mcf_fec.c              | 3 ++-
>   hw/net/mipsnet.c              | 3 ++-
>   hw/net/msf2-emac.c            | 3 ++-
>   hw/net/mv88w8618_eth.c        | 3 ++-
>   hw/net/ne2000-isa.c           | 3 ++-
>   hw/net/ne2000-pci.c           | 3 ++-
>   hw/net/npcm7xx_emc.c          | 3 ++-
>   hw/net/opencores_eth.c        | 3 ++-
>   hw/net/pcnet.c                | 3 ++-
>   hw/net/rocker/rocker_fp.c     | 4 ++--
>   hw/net/rtl8139.c              | 3 ++-
>   hw/net/smc91c111.c            | 3 ++-
>   hw/net/spapr_llan.c           | 3 ++-
>   hw/net/stellaris_enet.c       | 3 ++-
>   hw/net/sungem.c               | 2 +-
>   hw/net/sunhme.c               | 3 ++-
>   hw/net/tulip.c                | 3 ++-
>   hw/net/virtio-net.c           | 6 ++++--
>   hw/net/vmxnet3.c              | 2 +-
>   hw/net/xen_nic.c              | 4 ++--
>   hw/net/xgmac.c                | 3 ++-
>   hw/net/xilinx_axienet.c       | 3 ++-
>   hw/net/xilinx_ethlite.c       | 3 ++-
>   hw/usb/dev-network.c          | 3 ++-
>   net/net.c                     | 1 +
>   40 files changed, 75 insertions(+), 41 deletions(-)




* Re: [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2024-04-24 10:05   ` Philippe Mathieu-Daudé
@ 2024-04-24 10:41     ` Prasad Pandit
  2024-04-24 12:32       ` Thomas Huth
  0 siblings, 1 reply; 17+ messages in thread
From: Prasad Pandit @ 2024-04-24 10:41 UTC (permalink / raw)
  To: Mauro Matteo Cascella, Akihiko Odaki, Philippe Mathieu-Daudé
  Cc: Alexander Bulekov, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel

On Wednesday, 24 April, 2024 at 03:36:01 pm IST, Philippe Mathieu-Daudé wrote:
>On 1/6/23 05:18, Akihiko Odaki wrote:
>> Recently MemReentrancyGuard was added to DeviceState to record that the
>> device is engaging in I/O. The network device backend needs to update it
>> when delivering a packet to a device.
>> 
>> In preparation for such a change, add MemReentrancyGuard * as a
>> parameter of qemu_new_nic().
>
>A user on IRC asked if this patch is related/fixing CVE-2021-20255,
>any clue?

* CVE-2021-20255 bug: infinite recursion is pointing at a different fix patch.
  -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-20255

* And this patch below has a different issue tagged
  -> https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08312.html
  Fixes: CVE-2023-3019


* They look different: the former is an infinite recursion issue and the latter is a use-after-free one.


Thank you.
---
  -Prasad



* Re: [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2024-04-24 10:41     ` Prasad Pandit
@ 2024-04-24 12:32       ` Thomas Huth
  2024-04-26 12:37         ` Akihiko Odaki
  0 siblings, 1 reply; 17+ messages in thread
From: Thomas Huth @ 2024-04-24 12:32 UTC (permalink / raw)
  To: Prasad Pandit, Mauro Matteo Cascella, Akihiko Odaki,
	Philippe Mathieu-Daudé
  Cc: Alexander Bulekov, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel

On 24/04/2024 12.41, Prasad Pandit wrote:
> On Wednesday, 24 April, 2024 at 03:36:01 pm IST, Philippe Mathieu-Daudé wrote:
>> On 1/6/23 05:18, Akihiko Odaki wrote:
>>> Recently MemReentrancyGuard was added to DeviceState to record that the
>>> device is engaging in I/O. The network device backend needs to update it
>>> when delivering a packet to a device.
>>>   
>>> In preparation for such a change, add MemReentrancyGuard * as a
>>> parameter of qemu_new_nic().
>>
>> A user on IRC asked if this patch is related/fixing CVE-2021-20255,
>> any clue?
> 
> * CVE-2021-20255 bug: infinite recursion is pointing at a different fix patch.
>    -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-20255
> 
> * And this patch below has a different issue tagged
>    -> https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08312.html
>    Fixes: CVE-2023-3019
> 
> 
> * They look different: the former is an infinite recursion issue and the latter is a use-after-free one.

I assume the eepro reentrancy issue has been fixed with:

  https://gitlab.com/qemu-project/qemu/-/issues/556
  i.e.:
  https://gitlab.com/qemu-project/qemu/-/commit/c40ca2301c7603524eaddb5308a3

  HTH,
   Thomas





* Re: [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2024-04-24 12:32       ` Thomas Huth
@ 2024-04-26 12:37         ` Akihiko Odaki
  2024-04-26 13:38           ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 17+ messages in thread
From: Akihiko Odaki @ 2024-04-26 12:37 UTC (permalink / raw)
  To: Thomas Huth, Prasad Pandit, Mauro Matteo Cascella,
	Philippe Mathieu-Daudé
  Cc: Alexander Bulekov, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel

On 2024/04/24 21:32, Thomas Huth wrote:
> On 24/04/2024 12.41, Prasad Pandit wrote:
>> On Wednesday, 24 April, 2024 at 03:36:01 pm IST, Philippe 
>> Mathieu-Daudé wrote:
>>> On 1/6/23 05:18, Akihiko Odaki wrote:
>>>> Recently MemReentrancyGuard was added to DeviceState to record that the
>>>> device is engaging in I/O. The network device backend needs to 
>>>> update it
>>>> when delivering a packet to a device.
>>>> In preparation for such a change, add MemReentrancyGuard * as a
>>>> parameter of qemu_new_nic().
>>>
>>> A user on IRC asked if this patch is related/fixing CVE-2021-20255,
>>> any clue?
>>
>> * CVE-2021-20255 bug: infinite recursion is pointing at a different 
>> fix patch.
>>    -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-20255
>>
>> * And this patch below has a different issue tagged
>>    
>> -> https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08312.html
>>    Fixes: CVE-2023-3019
>>
>>
>> * They look different: the former is an infinite recursion issue and the 
>> latter is a use-after-free one.
> 
> I assume the eepro reentrancy issue has been fixed with:
> 
>   https://gitlab.com/qemu-project/qemu/-/issues/556
>   i.e.:
>   https://gitlab.com/qemu-project/qemu/-/commit/c40ca2301c7603524eaddb5308a3

I agree. Commit c40ca2301c7603524eaddb5308a3 should be what fixed 
CVE-2021-20255, not this patch.

Regards,
Akihiko Odaki



* Re: [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2024-04-26 12:37         ` Akihiko Odaki
@ 2024-04-26 13:38           ` Philippe Mathieu-Daudé
  2024-04-26 16:02             ` BALATON Zoltan
  0 siblings, 1 reply; 17+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-04-26 13:38 UTC (permalink / raw)
  To: Akihiko Odaki, Thomas Huth, Prasad Pandit, Mauro Matteo Cascella
  Cc: Alexander Bulekov, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel

On 26/4/24 14:37, Akihiko Odaki wrote:
> On 2024/04/24 21:32, Thomas Huth wrote:
>> On 24/04/2024 12.41, Prasad Pandit wrote:
>>> On Wednesday, 24 April, 2024 at 03:36:01 pm IST, Philippe 
>>> Mathieu-Daudé wrote:
>>>> On 1/6/23 05:18, Akihiko Odaki wrote:
>>>>> Recently MemReentrancyGuard was added to DeviceState to record that 
>>>>> the
>>>>> device is engaging in I/O. The network device backend needs to 
>>>>> update it
>>>>> when delivering a packet to a device.
>>>>> In preparation for such a change, add MemReentrancyGuard * as a
>>>>> parameter of qemu_new_nic().
>>>>
>>>> A user on IRC asked if this patch is related/fixing CVE-2021-20255,
>>>> any clue?
>>>
>>> * CVE-2021-20255 bug: infinite recursion is pointing at a different 
>>> fix patch.
>>>    -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-20255
>>>
>>> * And this patch below has a different issue tagged
>>> -> https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08312.html
>>>    Fixes: CVE-2023-3019
>>>
>>>
>>> * They look different: the former is an infinite recursion issue and the 
>>> latter is a use-after-free one.
>>
>> I assume the eepro reentrancy issue has been fixed with:
>>
>>   https://gitlab.com/qemu-project/qemu/-/issues/556
>>   i.e.:
>>   https://gitlab.com/qemu-project/qemu/-/commit/c40ca2301c7603524eaddb5308a3
> 
> I agree. Commit c40ca2301c7603524eaddb5308a3 should be what fixed 
> CVE-2021-20255, not this patch.

Thank you all for clarifying!




* Re: [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic()
  2024-04-26 13:38           ` Philippe Mathieu-Daudé
@ 2024-04-26 16:02             ` BALATON Zoltan
  0 siblings, 0 replies; 17+ messages in thread
From: BALATON Zoltan @ 2024-04-26 16:02 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: Akihiko Odaki, Thomas Huth, Prasad Pandit, Mauro Matteo Cascella,
	Alexander Bulekov, Dmitry Fleytman, Beniamino Galvani,
	Peter Maydell, Strahinja Jankovic, Jason Wang, Edgar E. Iglesias,
	Alistair Francis, Stefan Weil, Cédric Le Goater,
	Andrew Jeffery, Joel Stanley, Richard Henderson, Helge Deller,
	Sriram Yagnaraman, Thomas Huth, Aleksandar Rikalo,
	Subbaraya Sundeep, Jan Kiszka, Tyrone Ting, Hao Wu, Max Filippov,
	Jiri Pirko, Daniel Henrique Barboza, David Gibson, Greg Kurz,
	Harsh Prateek Bora, Sven Schnelle, Michael S. Tsirkin,
	Stefano Stabellini, Anthony Perard, Paul Durrant, Rob Herring,
	Gerd Hoffmann, qemu-arm, qemu-devel, qemu-ppc, xen-devel


On Fri, 26 Apr 2024, Philippe Mathieu-Daudé wrote:
> On 26/4/24 14:37, Akihiko Odaki wrote:
>> On 2024/04/24 21:32, Thomas Huth wrote:
>>> On 24/04/2024 12.41, Prasad Pandit wrote:
>>>> On Wednesday, 24 April, 2024 at 03:36:01 pm IST, Philippe Mathieu-Daudé 
>>>> wrote:
>>>>> On 1/6/23 05:18, Akihiko Odaki wrote:
>>>>>> Recently MemReentrancyGuard was added to DeviceState to record that the
>>>>>> device is engaging in I/O. The network device backend needs to update 
>>>>>> it
>>>>>> when delivering a packet to a device.
>>>>>> In preparation for such a change, add MemReentrancyGuard * as a
>>>>>> parameter of qemu_new_nic().
>>>>> 
>>>>> A user on IRC asked if this patch is related/fixing CVE-2021-20255,
>>>>> any clue?
>>>> 
>>>> * CVE-2021-20255 bug: infinite recursion is pointing at a different fix 
>>>> patch.
>>>>    -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-20255
>>>> 
>>>> * And this patch below has a different issue tagged
>>>> -> https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08312.html
>>>>    Fixes: CVE-2023-3019
>>>> 
>>>> 
>>>> * They look different: the former is an infinite recursion issue and the 
>>>> latter is a use-after-free one.
>>> 
>>> I assume the eepro reentrancy issue has been fixed with:
>>> 
>>>   https://gitlab.com/qemu-project/qemu/-/issues/556
>>>   i.e.:
>>>   https://gitlab.com/qemu-project/qemu/-/commit/c40ca2301c7603524eaddb5308a3
>> 
>> I agree. Commit c40ca2301c7603524eaddb5308a3 should be what fixed 
>> CVE-2021-20255, not this patch.
>
> Thank you all for clarifying!

$ git log -p c40ca2301c7603524eaddb5308a3 --
fatal: bad revision 'c40ca2301c7603524eaddb5308a3'

It seems to actually be commit a2e1753b8054344f32cf94f31c6399a58794a380

Regards,
BALATON Zoltan


end of thread, other threads:[~2024-04-26 16:03 UTC | newest]

Thread overview: 17+ messages
2023-06-01  3:18 [PATCH v2 0/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
2023-06-01  3:18 ` [PATCH v2 1/2] net: Provide MemReentrancyGuard * to qemu_new_nic() Akihiko Odaki
2023-06-05  8:06   ` Alexander Bulekov
2023-06-05 10:50     ` Akihiko Odaki
2024-04-24 10:05   ` Philippe Mathieu-Daudé
2024-04-24 10:41     ` Prasad Pandit
2024-04-24 12:32       ` Thomas Huth
2024-04-26 12:37         ` Akihiko Odaki
2024-04-26 13:38           ` Philippe Mathieu-Daudé
2024-04-26 16:02             ` BALATON Zoltan
2023-06-01  3:18 ` [PATCH v2 2/2] net: Update MemReentrancyGuard for NIC Akihiko Odaki
2023-06-05  8:04   ` Alexander Bulekov
2023-06-01  7:16 ` [PATCH v2 0/2] " Philippe Mathieu-Daudé
2023-06-01  7:41   ` Akihiko Odaki
2023-06-01  8:56     ` Philippe Mathieu-Daudé
2023-09-21  7:16 ` Akihiko Odaki
2023-11-14  5:29   ` Jason Wang
