qemu/hw
Carlos López f0d634ea19 virtio: refresh vring region cache after updating a virtqueue size
When a virtqueue size is changed by the guest via
virtio_queue_set_num(), its region cache is not automatically updated.
If the size was increased, this could lead to accessing the cache out
of bounds. For example, in vring_get_used_event():

    static inline uint16_t vring_get_used_event(VirtQueue *vq)
    {
        return vring_avail_ring(vq, vq->vring.num);
    }

    static inline uint16_t vring_avail_ring(VirtQueue *vq, int i)
    {
        VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
        hwaddr pa = offsetof(VRingAvail, ring[i]);

        if (!caches) {
            return 0;
        }

        return virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
    }

vq->vring.num will be greater than caches->avail.len, which will
trigger a failed assertion down the call path of
virtio_lduw_phys_cached().

Fix this by calling virtio_init_region_cache() after
virtio_queue_set_num() if we are not already calling
virtio_queue_set_rings(). In the legacy path this is already done by
virtio_queue_update_rings().

Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230317002749.27379-1-clopez@suse.de>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2023-04-21 03:08:21 -04:00
9pfs hw/xen: Build PV backend drivers for CONFIG_XEN_BUS 2023-03-07 17:04:30 +00:00
acpi pcihp: add ACPI PCI hotplug specific is_hotpluggable_bus() callback 2023-03-07 12:39:00 -05:00
adc
alpha Drop duplicate #include 2023-02-08 07:28:05 +01:00
arm hw/arm: do not free machine->fdt in arm_load_dtb() 2023-04-03 16:12:30 +01:00
audio hw/audio/via-ac97: Basic implementation of audio playback 2023-03-08 00:37:48 +01:00
avr
block hw/block: replace TABs with space 2023-03-24 11:45:46 +01:00
char hw/xen: Fix double-free in xen_console store_con_info() 2023-04-13 10:09:31 +01:00
core migration: Fix potential race on postcopy_qemufile_src 2023-04-12 21:44:38 +02:00
cpu hw/cpu: Mark arm11 and realview mpcore as target-independent code 2023-01-16 17:51:20 +01:00
cris
cxl hw/pxb-cxl: Support passthrough HDM Decoders unless overridden 2023-03-07 19:51:07 -05:00
display ui: rename cursor_{put->unref} 2023-03-13 22:57:39 +04:00
dma replace TABs with spaces 2023-03-20 12:43:50 +01:00
gpio replace TABs with spaces 2023-03-20 12:43:50 +01:00
hppa hw/isa: Rename isa_bus_irqs() -> isa_bus_register_input_irqs() 2023-02-27 22:29:02 +01:00
hyperv win32: replace closesocket() with close() wrapper 2023-03-13 15:39:31 +04:00
i2c hw/i2c/allwinner-i2c: Fix subclassing of TYPE_AW_I2C_SUN6I 2023-04-11 14:13:29 +01:00
i386 Revert "memory: Optimize replay of guest mapping" 2023-04-05 13:31:52 +01:00
ide hw/ide: replace TABs with space 2023-03-24 11:45:33 +01:00
input replace TABs with spaces 2023-03-20 12:43:50 +01:00
intc *: Add missing includes of qemu/error-report.h 2023-03-22 15:06:57 +00:00
ipack include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
ipmi include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
isa virtio,pc,pci: features, fixes 2023-03-10 14:31:37 +00:00
loongarch hw/loongarch/virt: Fix virt_to_phys_addr function 2023-04-04 19:29:13 +08:00
m68k *: Add missing includes of qemu/error-report.h 2023-03-22 15:06:57 +00:00
mem *: Add missing includes of qemu/error-report.h 2023-03-22 15:06:57 +00:00
microblaze hw/char/xilinx_uartlite: Open-code xilinx_uartlite_create() 2023-02-27 13:27:05 +00:00
mips hw/mips/itu: Pass SAAR using QOM link property 2023-03-08 00:37:48 +01:00
misc MIPS (and few misc) patches 2023-03-09 10:22:50 +00:00
net igb: respect VMVIR and VMOLR for VLAN 2023-03-28 13:10:55 +08:00
nios2
nubus hw/nubus/nubus-device: Fix memory leak in nubus_device_realize 2023-02-27 22:29:01 +01:00
nvme hw/nvme: fix memory leak in nvme_dsm 2023-04-12 12:03:09 +02:00
nvram aspeed queue: 2023-03-03 17:11:22 +00:00
openrisc *: Add missing includes of qemu/error-report.h 2023-03-22 15:06:57 +00:00
pci -----BEGIN PGP SIGNATURE----- 2023-03-11 17:17:18 +00:00
pci-bridge hw/pxb-cxl: Support passthrough HDM Decoders unless overridden 2023-03-07 19:51:07 -05:00
pci-host hw/mips/gt64xxx_pci: Don't endian-swap GT_PCI0_CFGADDR 2023-03-30 15:03:36 +02:00
pcmcia
ppc *: Add missing includes of qemu/error-report.h 2023-03-22 15:06:57 +00:00
rdma Drop duplicate #include 2023-02-08 07:28:05 +01:00
remote Drop duplicate #include 2023-02-08 07:28:05 +01:00
riscv *: Add missing includes of qemu/error-report.h 2023-03-22 15:06:57 +00:00
rtc replace TABs with spaces 2023-03-20 12:43:50 +01:00
rx
s390x virtio: refresh vring region cache after updating a virtqueue size 2023-04-21 03:08:21 -04:00
scsi replace TABs with spaces 2023-03-20 12:43:50 +01:00
sd replace TABs with spaces 2023-03-20 12:43:50 +01:00
sensor Do not include hw/hw.h if it is not necessary 2023-02-27 09:15:38 +01:00
sh4 hw/ide/mmio: Extract TYPE_MMIO_IDE declarations to 'hw/ide/mmio.h' 2023-02-27 22:29:02 +01:00
smbios hw/smbios: fix field corruption in type 4 table 2023-03-02 03:10:46 -05:00
sparc
sparc64 hw/ide: Un-inline ide_set_irq() 2023-02-27 22:29:02 +01:00
ssi hw/ssi: Fix Linux driver init issue with xilinx_spi 2023-04-03 16:12:30 +01:00
timer hw/timer/hpet: Fix expiration time overflow 2023-03-02 03:10:47 -05:00
tpm hw/tpm: Move tpm_ppi.c out of target-specific source set 2023-01-16 17:51:20 +01:00
tricore
usb hw/usb/imx: Fix out of bounds access in imx_usbphy_read() 2023-03-21 13:19:07 +00:00
vfio *: Add missing includes of qemu/error-report.h 2023-03-22 15:06:57 +00:00
virtio virtio: refresh vring region cache after updating a virtqueue size 2023-04-21 03:08:21 -04:00
watchdog replace TABs with spaces 2023-03-20 12:43:50 +01:00
xen hw/xen: Avoid crash when backend watch fires too early 2023-03-07 17:04:30 +00:00
xenpv hw/xenpv: Initialize Xen backend operations 2023-03-24 14:52:14 +00:00
xtensa
Kconfig xen: add CONFIG_XEN_BUS and CONFIG_XEN_EMU options for Xen emulation 2023-03-01 08:22:49 +00:00
meson.build