qemu/hw/s390x
Carlos López f0d634ea19 virtio: refresh vring region cache after updating a virtqueue size
When a virtqueue size is changed by the guest via
virtio_queue_set_num(), its region cache is not automatically updated.
If the size was increased, this could lead to accessing the cache out
of bounds. For example, in vring_get_used_event():

    static inline uint16_t vring_get_used_event(VirtQueue *vq)
    {
        return vring_avail_ring(vq, vq->vring.num);
    }

    static inline uint16_t vring_avail_ring(VirtQueue *vq, int i)
    {
        VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
        hwaddr pa = offsetof(VRingAvail, ring[i]);

        if (!caches) {
            return 0;
        }

        return virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
    }

vq->vring.num will be greater than caches->avail.len, which will
trigger a failed assertion down the call path of
virtio_lduw_phys_cached().

Fix this by calling virtio_init_region_cache() after
virtio_queue_set_num() if we are not already calling
virtio_queue_set_rings(). In the legacy path this is already done by
virtio_queue_update_rings().

Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230317002749.27379-1-clopez@suse.de>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2023-04-21 03:08:21 -04:00
..
3270-ccw.c s390x/css: Refactor IRB construction 2021-06-21 08:48:21 +02:00
ap-bridge.c qbus: Rename qbus_create() to qbus_new() 2021-09-30 13:44:08 +01:00
ap-device.c ap-device: Rename AP_DEVICE_TYPE to TYPE_AP_DEVICE 2020-09-09 13:20:22 -04:00
ccw-device.c hw/s390x/ccw: Register qbus type in abstract TYPE_CCW_DEVICE parent 2021-05-20 14:19:30 +02:00
ccw-device.h hw/s390x/ccw: Register qbus type in abstract TYPE_CCW_DEVICE parent 2021-05-20 14:19:30 +02:00
css-bridge.c qbus: Rename qbus_create() to qbus_new() 2021-09-30 13:44:08 +01:00
css.c s390x/css: revert SCSW ctrl/flag bits on error 2022-11-06 12:27:35 +01:00
event-facility.c hw/s390x/event-facility: Replace DO_UPCAST(SCLPEvent) by SCLP_EVENT() 2023-02-14 09:11:27 +01:00
ipl.c machine: use QAPI struct for boot configuration 2022-05-12 12:29:43 +02:00
ipl.h s390x: Fix spelling errors 2022-11-16 10:15:26 +01:00
Kconfig kconfig: add CONFIG_MSI_NONBROKEN 2019-03-18 09:39:57 +01:00
meson.build s390x/pci: enable for load/store interpretation 2022-09-26 17:23:47 +02:00
pv.c s390x/pv: Add support for asynchronous teardown for reboot 2023-02-27 09:15:39 +01:00
s390-ccw.c misc: fix commonly doubled up words 2022-08-01 11:58:02 +02:00
s390-pci-bus.c s390x/pci: reset ISM passthrough devices on shutdown and system reset 2022-12-15 15:02:34 +01:00
s390-pci-inst.c * s390x header clean-ups from Philippe 2023-01-09 15:54:31 +00:00
s390-pci-kvm.c Revert "s390x/s390-virtio-ccw: add zpcii-disable machine property" 2022-11-08 10:10:57 +01:00
s390-pci-vfio.c s390x/pci: reset ISM passthrough devices on shutdown and system reset 2022-12-15 15:02:34 +01:00
s390-skeys-kvm.c hw/s390x/s390-skeys: rename skeys_enabled to skeys_are_enabled 2021-09-06 16:24:05 +02:00
s390-skeys.c hw/s390x/s390-skeys: lazy storage key enablement under TCG 2021-09-06 16:24:05 +02:00
s390-stattrib-kvm.c target/s390x: move kvm files into kvm/ 2021-07-07 14:01:59 +02:00
s390-stattrib.c migration: Rename res_{postcopy,precopy}_only 2023-02-15 20:04:30 +01:00
s390-virtio-ccw.c s390x/pv: Add support for asynchronous teardown for reboot 2023-02-27 09:15:39 +01:00
s390-virtio-hcall.c s390x: rename s390-virtio.h to s390-virtio-hcall.h 2017-09-19 18:31:31 +02:00
s390-virtio-hcall.h s390/kvm_virtio/linux-headers: remove traces of old virtio transport 2017-11-24 10:52:05 +01:00
sclp.c Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
sclpcpu.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
sclpquiesce.c sysemu: Split sysemu/runstate.h off sysemu/sysemu.h 2019-08-16 13:37:36 +02:00
tod-kvm.c s390x/tod-kvm: don't save/restore the TOD in PV guests 2022-10-27 09:09:50 +02:00
tod-tcg.c Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
tod.c Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
trace-events docs: fix references to docs/devel/tracing.rst 2021-06-02 06:51:09 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vhost-scsi-ccw.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
vhost-user-fs-ccw.c virtio: add vhost-user-fs-ccw device 2020-09-23 13:41:58 +01:00
vhost-vsock-ccw.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-9p.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-balloon.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-blk.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-crypto.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-gpu.c modules: introduces module_kconfig directive 2022-06-06 09:26:53 +02:00
virtio-ccw-input.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-net.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-rng.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-scsi.c virtio-ccw: move device type declarations to .c files 2022-04-06 14:31:56 +02:00
virtio-ccw-serial.c Drop duplicate #include 2023-02-08 07:28:05 +01:00
virtio-ccw.c virtio: refresh vring region cache after updating a virtqueue size 2023-04-21 03:08:21 -04:00
virtio-ccw.h virtio-ccw: do not include headers for all virtio devices 2022-04-06 14:31:56 +02:00