Re: [Qemu-devel] [PATCH for-2.7 0/4] virtio-balloon: fix stats vq migration

["Michael S. Tsirkin" <mst@redhat.com>]

On Mon, Aug 15, 2016 at 09:51:21PM +0200, Gaudenz Steinlin wrote:
> Stefan Hajnoczi <stefanha@redhat.com> writes:
> 
> > Gaudenz Steinlin <gaudenz@debian.org> reported that virtqueue_pop() terminates
> > QEMU because the virtqueue size is exceeded following the CVE-2016-5403 fix.  I
> > have been unable to reproduce this or understand the root cause by code
> > inspection.  Along the way I did discover a few bugs in virtio-balloon and
> > virtio code.
> >
> > Please see the individual patches for details.
> >
> > Gaudenz: If you can reproduce the bug you reported, please try again with these
> > patches applied.
> 
> As mentioned in the original thread I only tested on QEMU 2.0.0 so far.
> I tried to apply your patches to this version, but did not succeed. I
> could not apply the first patch in the series because the code changed
> too much and with only the others applied QEMU failed to compile. I gave
> up at that point.
> 
> Does it make sense at all to test these patches on 2.0.0? Ubuntu
> reverted the problematic fix in their latest package update for trusty,
> so my immediate problem is "solved". Is there a chance to get a fix for
> CVE-2016-5403 that works on QEMU 2.0.0 without breaking migrations?
> 
> Best regards and thanks to all for the effort so far,
> Gaudenz

You will have to debug the failure I'm afraid.
Most likely inuse is incremented in pop but not
decremented.

Maybe you need

commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3
Author: Jason Wang <jasowang@redhat.com>
Date:   Fri Sep 25 13:21:30 2015 +0800

    virtio-net: correctly drop truncated packets


It's hard to say.

-- 
MST