qemu/hw/virtio
Hawkins Jiawei 5d410557de vhost: fix possible wrap in SVQ descriptor ring
QEMU invokes vhost_svq_add() when adding a guest's element
into SVQ. In vhost_svq_add(), it uses vhost_svq_available_slots()
to check whether QEMU can add the element into SVQ. If there is
enough space, then QEMU combines some out descriptors and some
in descriptors into one descriptor chain, and adds it into
`svq->vring.desc` by vhost_svq_vring_write_descs().

Yet the problem is that `svq->shadow_avail_idx - svq->shadow_used_idx`
in vhost_svq_available_slots() returns the number of occupied elements,
or the number of descriptor chains, instead of the number of occupied
descriptors, which may cause wrapping in the SVQ descriptor ring.

Here is an example. In vhost_handle_guest_kick(), QEMU forwards
as many available buffers as possible to the device by virtqueue_pop() and
vhost_svq_add_element(). virtqueue_pop() returns a guest's element,
and then this element is added into SVQ by vhost_svq_add_element(),
a wrapper to vhost_svq_add(). If QEMU invokes virtqueue_pop() and
vhost_svq_add_element() `svq->vring.num` times,
vhost_svq_available_slots() thinks QEMU just ran out of slots and
everything should work fine. But in fact, virtqueue_pop() returns
`svq->vring.num` elements or descriptor chains, more than
`svq->vring.num` descriptors due to guest memory fragmentation,
and this causes wrapping in SVQ descriptor ring.

This bug is valid even before marking the descriptors used.
If the guest memory is fragmented, SVQ must add chains
so it can try to add more descriptors than possible.

This patch solves it by adding a `num_free` field to the
VhostShadowVirtqueue structure and updating this field
in vhost_svq_add() and vhost_svq_get_buf(), to record
the number of free descriptors.

Fixes: 100890f7ca ("vhost: Shadow virtqueue buffers forwarding")
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20230509084817.3973-1-yin31149@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Lei Yang <leiyang@redhat.com>
2023-05-19 01:36:09 -04:00
Kconfig vdpa: add vdpa-dev support 2022-12-21 06:35:28 -05:00
meson.build virtio: Move HMP commands from monitor/ to hw/virtio/ 2023-02-04 07:56:54 +01:00
trace-events vdpa: add vhost_vdpa_suspend 2023-03-07 12:38:59 -05:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vdpa-dev-pci.c vdpa: add vdpa-dev-pci support 2022-12-21 06:35:28 -05:00
vdpa-dev.c vdpa-dev: get iova range explicitly 2023-01-08 01:54:22 -05:00
vhost-backend.c vhost: add method vhost_set_vring_err 2022-06-27 18:53:18 -04:00
vhost-iova-tree.c util: accept iova_tree_remove_parameter by value 2022-09-02 10:22:39 +08:00
vhost-iova-tree.h util: accept iova_tree_remove_parameter by value 2022-09-02 10:22:39 +08:00
vhost-scsi-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-shadow-virtqueue.c vhost: fix possible wrap in SVQ descriptor ring 2023-05-19 01:36:09 -04:00
vhost-shadow-virtqueue.h vhost: fix possible wrap in SVQ descriptor ring 2023-05-19 01:36:09 -04:00
vhost-stub.c vhost-user: simplify vhost_user_init/vhost_user_cleanup 2019-03-12 21:22:31 -04:00
vhost-user-blk-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-user-fs-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-user-fs.c vhost-user-fs: Back up vqs before cleaning up vhost_dev 2023-02-09 10:21:11 -05:00
vhost-user-gpio-pci.c hw/virtio: add vhost-user-gpio-pci boilerplate 2022-10-07 09:41:51 -04:00
vhost-user-gpio.c vhost-user-gpio: Configure vhost_dev when connecting 2023-03-02 03:10:47 -05:00
vhost-user-i2c-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-user-i2c.c virtio: i2c: Check notifier helpers for VIRTIO_CONFIG_IRQ_IDX 2023-04-24 22:56:55 -04:00
vhost-user-input-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-user-rng-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-user-rng.c vhost-user-rng: Back up vqs before cleaning up vhost_dev 2023-03-02 03:10:47 -05:00
vhost-user-scsi-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-user-vsock-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-user-vsock.c hw/virtio: introduce virtio_device_should_start 2022-11-07 14:08:18 -05:00
vhost-user.c hw/virtio/vhost-user: avoid using unitialized errp 2023-03-07 19:51:07 -05:00
vhost-vdpa.c vdpa: return VHOST_F_LOG_ALL in vhost-vdpa devices 2023-03-07 12:38:59 -05:00
vhost-vsock-common.c virtio: introduce macro VIRTIO_CONFIG_IRQ_IDX 2023-01-08 01:54:22 -05:00
vhost-vsock-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
vhost-vsock.c hw/virtio: introduce virtio_device_should_start 2022-11-07 14:08:18 -05:00
vhost.c vhost: Drop unused eventfd_add|del hooks 2023-04-21 04:25:52 -04:00
virtio-9p-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
virtio-balloon-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
virtio-balloon.c hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-04-28 11:31:54 +02:00
virtio-blk-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
virtio-bus.c virtio: stop ioeventfd on reset 2022-06-14 16:50:30 +02:00
virtio-config-io.c hw/virtio: Extract config read/write accessors to virtio-config-io.c 2022-12-21 07:32:24 -05:00
virtio-crypto-pci.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
virtio-crypto.c hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-04-28 11:31:54 +02:00
virtio-hmp-cmds.c virtio: Move HMP commands from monitor/ to hw/virtio/ 2023-02-04 07:56:54 +01:00
virtio-input-host-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
virtio-input-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
virtio-iommu-pci.c hw/virtio/virtio-iommu-pci: Enforce the device is plugged on the root bus 2022-11-07 13:12:19 -05:00
virtio-iommu.c hw: Use TYPE_PCI_BUS definition where appropriate 2023-01-28 06:21:30 -05:00
virtio-mem-pci.c qapi machine: Elide redundant has_FOO in generated C 2022-12-14 20:04:47 +01:00
virtio-mem-pci.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
virtio-mem.c virtio-mem: Proper support for preallocation with migration 2023-02-06 19:22:56 +01:00
virtio-mmio.c virtio: refresh vring region cache after updating a virtqueue size 2023-04-21 03:08:21 -04:00
virtio-net-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
virtio-pci.c virtio: refresh vring region cache after updating a virtqueue size 2023-04-21 03:08:21 -04:00
virtio-pmem-pci.c qapi machine: Elide redundant has_FOO in generated C 2022-12-14 20:04:47 +01:00
virtio-pmem-pci.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
virtio-pmem.c thread-pool: avoid passing the pool parameter every time 2023-04-25 13:17:28 +02:00
virtio-qmp.c virtio-blk: add zoned storage emulation for zoned devices 2023-05-15 08:18:10 -04:00
virtio-qmp.h include/hw/virtio: Break inclusion loop 2023-01-08 01:54:22 -05:00
virtio-rng-pci.c virtio-rng-pci: Allow setting nvectors, so we can use MSI-X 2022-11-07 13:12:20 -05:00
virtio-rng.c virtio: drop name parameter for virtio_init() 2022-05-16 04:38:40 -04:00
virtio-scsi-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
virtio-serial-pci.c hw/virtio: move virtio-pci.h into shared include space 2022-05-16 04:38:40 -04:00
virtio-stub.c qmp: add QMP command x-query-virtio-queue-element 2022-10-09 16:38:45 -04:00
virtio.c virtio: refresh vring region cache after updating a virtqueue size 2023-04-21 03:08:21 -04:00