| リビジョン | a021a2dd8b790437d27db95774969349632f856a (tree) |
|---|---|
| 日時 | 2022-01-28 00:14:21 |
| 作者 | Ross Lagerwall <ross.lagerwall@citr...> |
| コミッター | Anthony PERARD |
xen-mapcache: Avoid entry->lock overflow
In some cases, a particular mapcache entry may be mapped 256 times
causing the lock field to wrap to 0. For example, this may happen when
using emulated NVME and the guest submits a large scatter-gather write.
At this point, the entry map be remapped causing QEMU to write the wrong
data or crash (since remap is not atomic).
Avoid this overflow by increasing the lock field to a uint32_t and also
detect it and abort rather than continuing regardless.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Message-Id: <20220124104450.152481-1-ross.lagerwall@citrix.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
hw/i386/xen/xen-mapcache.c (diff)| @@ -52,7 +52,7 @@ typedef struct MapCacheEntry { | ||
| 52 | 52 | hwaddr paddr_index; |
| 53 | 53 | uint8_t *vaddr_base; |
| 54 | 54 | unsigned long *valid_mapping; |
| 55 | - uint8_t lock; | |
| 55 | + uint32_t lock; | |
| 56 | 56 | #define XEN_MAPCACHE_ENTRY_DUMMY (1 << 0) |
| 57 | 57 | uint8_t flags; |
| 58 | 58 | hwaddr size; |
| @@ -355,6 +355,12 @@ tryagain: | ||
| 355 | 355 | if (lock) { |
| 356 | 356 | MapCacheRev *reventry = g_malloc0(sizeof(MapCacheRev)); |
| 357 | 357 | entry->lock++; |
| 358 | + if (entry->lock == 0) { | |
| 359 | + fprintf(stderr, | |
| 360 | + "mapcache entry lock overflow: "TARGET_FMT_plx" -> %p\n", | |
| 361 | + entry->paddr_index, entry->vaddr_base); | |
| 362 | + abort(); | |
| 363 | + } | |
| 358 | 364 | reventry->dma = dma; |
| 359 | 365 | reventry->vaddr_req = mapcache->last_entry->vaddr_base + address_offset; |
| 360 | 366 | reventry->paddr_index = mapcache->last_entry->paddr_index; |
Fork