From: "Michael S. Tsirkin"
Date: Tue, 16 Aug 2016 00:26:34 +0300
To: Gaudenz Steinlin
Cc: Stefan Hajnoczi, qemu-devel@nongnu.org, Luiz Capitulino
Subject: Re: [Qemu-devel] [PATCH for-2.7 0/4] virtio-balloon: fix stats vq migration
Message-ID: <20160816000200-mutt-send-email-mst@kernel.org>
In-Reply-To: <87zioderpi.fsf@meteor.durcheinandertal.bofh>
References: <1471015978-1123-1-git-send-email-stefanha@redhat.com> <87zioderpi.fsf@meteor.durcheinandertal.bofh>

On Mon, Aug 15, 2016 at 09:51:21PM +0200, Gaudenz Steinlin wrote:
> Stefan Hajnoczi writes:
>
> > Gaudenz Steinlin reported that virtqueue_pop() terminates QEMU because
> > the virtqueue size is exceeded following the CVE-2016-5403 fix. I have
> > been unable to reproduce this or understand the root cause by code
> > inspection. Along the way I did discover a few bugs in virtio-balloon
> > and virtio code.
> >
> > Please see the individual patches for details.
> >
> > Gaudenz: If you can reproduce the bug you reported, please try again
> > with these patches applied.
>
> As mentioned in the original thread I only tested on QEMU 2.0.0 so far.
> I tried to apply your patches to this version, but did not succeed. I
> could not apply the first patch in the series because the code changed
> too much, and with only the others applied QEMU failed to compile. I gave
> up at that point.
>
> Does it make sense at all to test these patches on 2.0.0? Ubuntu
> reverted the problematic fix in their latest package update for trusty,
> so my immediate problem is "solved". Is there a chance to get a fix for
> CVE-2016-5403 that works on QEMU 2.0.0 without breaking migrations?
>
> Best regards and thanks to all for the effort so far,
> Gaudenz

You will have to debug the failure I'm afraid.
Most likely inuse is incremented in pop but not decremented.

Maybe you need

commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3
Author: Jason Wang
Date:   Fri Sep 25 13:21:30 2015 +0800

    virtio-net: correctly drop truncated packets

It's hard to say.

-- 
MST
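To make the hypothesis in the reply concrete (inuse going up on every pop but never coming back down until the post-CVE-2016-5403 size check fires), here is an added toy model in C. It is not QEMU code: the struct, function names, ring size and guest buffer count are hypothetical stand-ins for the real virtqueue counters.

```c
/* Toy model of virtqueue "inuse" accounting. Added example, not QEMU code;
 * toyvq/vq_pop/vq_return are hypothetical names, values are constructed. */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    unsigned num;    /* ring size, stands in for vring.num */
    unsigned inuse;  /* buffers popped by the device and not yet returned */
    unsigned avail;  /* buffers the guest has made available (constructed) */
} toyvq;

/* Models the post-CVE-2016-5403 check: once every slot of the ring is in
 * flight, refuse to pop. Here that is a soft failure; in QEMU it is the
 * "virtqueue size exceeded" error the thread is chasing. */
static bool vq_pop(toyvq *vq)
{
    if (vq->inuse >= vq->num) {
        fprintf(stderr, "virtqueue size exceeded (inuse=%u num=%u)\n",
                vq->inuse, vq->num);
        return false;
    }
    if (vq->avail == 0) {
        return false;   /* guest has nothing queued */
    }
    vq->avail--;
    vq->inuse++;        /* incremented in pop ... */
    return true;
}

/* Device finished with (or discarded) a buffer: the slot is free again. */
static void vq_return(toyvq *vq)
{
    if (vq->inuse > 0) {
        vq->inuse--;    /* ... and must be decremented on the way back */
    }
}

/* Pop up to `rounds` buffers. When `balanced` is false the device never
 * returns them, which is the leak the reply suspects. Returns the number
 * of successful pops; *inuse_out receives the final inuse count. */
static unsigned drive(unsigned num, unsigned rounds, bool balanced,
                      unsigned *inuse_out)
{
    toyvq vq = { num, 0, rounds };   /* guest offers `rounds` buffers */
    unsigned ok = 0;
    while (ok < rounds && vq_pop(&vq)) {
        ok++;
        if (balanced) {
            vq_return(&vq);
        }
    }
    *inuse_out = vq.inuse;
    return ok;
}
```

With a 256-entry ring the leaky device stalls at exactly 256 pops with inuse pinned at 256, while the balanced device processes all 1000 buffers and ends with inuse back at 0.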