[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PULL 1/1] virtio-pci: fix use of a released vector
From: |
Peter Maydell |
Subject: |
Re: [PULL 1/1] virtio-pci: fix use of a released vector |
Date: |
Tue, 16 Apr 2024 12:50:34 +0100 |
On Tue, 16 Apr 2024 at 12:05, Cindy Lu <lulu@redhat.com> wrote:
>
> On Tue, Apr 16, 2024 at 6:01 PM Peter Maydell <peter.maydell@linaro.org>
> wrote:
> > Here we pass that through to kvm_virtio_pci_vector_use_one().
> > In kvm_virtio_pci_vector_use_one()'s error-exit path ("undo")
> > it does
> > vector = virtio_queue_vector(vdev, queue_no);
> > and in virtio_queue_vector() it does:
> >
> > return n < VIRTIO_QUEUE_MAX ? vdev->vq[n].vector :
> > VIRTIO_NO_VECTOR;
> >
> > where 'n' is an int, so if we can get here with queue_no being
> > VIRTIO_CONFIG_IRQ_IDX then we'll index off the front of the
> > vdev->vq[] array.
> >
> > Maybe this is a "can't happen" case, but it does seem odd that
> > virtio_queue_vector() only bounds-checks the "too big" case
> > for its argument and not the "too small" case and/or it
> > doesn't have a special case for VIRTIO_CONFIG_IRQ_IDX.
> >
> > > + }
> > > +}
> > > +
> >
> hi peter
> I think we can simply remove the part
> vector = virtio_queue_vector(vdev, queue_no);
> the vector is get from virtio_pci_get_notifier() and don't need to get it
> again
> I will send the fix soon
The error handling in kvm_virtio_pci_vector_use_one() looks
a bit odd in other ways, too. The only bit of "undoing"
it does as far as I can see is calling kvm_virtio_pci_irqfd_release(),
but there is no code path that gets to there where the
main codepath's call to kvm_virtio-pci_irqfd_use() succeeded
and needs to be undone. So perhaps the entire "undo" code
block should be deleted, and the "goto undo" lines
replaced by simple "return ret;" ? (The codepath
for "kvm_virtio_pci_irqfd_use() failed" already does the
"kvm_virtio_pci_vq_vector_release()" by hand there.)
thanks
-- PMM
Re: [PULL 0/1] virtio: bugfix, Peter Maydell, 2024/04/15