[PULL 03/16] virtio-blk: add vq_rq[] bounds check in virtio_blk_dma_restart_cb()
From: Kevin Wolf
Subject: [PULL 03/16] virtio-blk: add vq_rq[] bounds check in virtio_blk_dma_restart_cb()
Date: Wed, 7 Feb 2024 22:55:53 +0100
From: Stefan Hajnoczi <stefanha@redhat.com>
Hanna Czenczek <hreitz@redhat.com> noted that the array index in
virtio_blk_dma_restart_cb() is not bounds-checked:
    g_autofree VirtIOBlockReq **vq_rq = g_new0(VirtIOBlockReq *, num_queues);
    ...
    while (rq) {
        VirtIOBlockReq *next = rq->next;
        uint16_t idx = virtio_get_queue_index(rq->vq);
        rq->next = vq_rq[idx];
                   ^^^^^^^^^^
The code is correct because both rq->vq and vq_rq[] depend on
num_queues, but this is indirect and not 100% obvious. Add an assertion.
Suggested-by: Hanna Czenczek <hreitz@redhat.com>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20240206190610.107963-4-stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/block/virtio-blk.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index e430ba583c..31212506ca 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -1209,6 +1209,8 @@ static void virtio_blk_dma_restart_cb(void *opaque, bool
running,
VirtIOBlockReq *next = rq->next;
uint16_t idx = virtio_get_queue_index(rq->vq);
+ /* Only num_queues vqs were created so vq_rq[idx] is within bounds */
+ assert(idx < num_queues);
rq->next = vq_rq[idx];
vq_rq[idx] = rq;
rq = next;
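Review bot: the new comment `/* Only num_queues vqs were created so vq_rq[idx] is within bounds */` explains the size of vq_rq[] but not why idx itself stays below num_queues; the commit message gives the real reason (rq->vq is one of this device's num_queues virtqueues, so virtio_get_queue_index() cannot return a larger index), and the comment would be clearer stating that directly, e.g. `/* rq->vq is one of this device's num_queues vqs, so idx < num_queues */`. The check itself is well placed: it runs before `rq->next = vq_rq[idx];` and `vq_rq[idx] = rq;`, so a broken invariant aborts at the read instead of silently reading and then writing past the end of vq_rq[].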
--
2.43.0