From: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
To: qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Michael Roth <michael.roth@amd.com>,
Markus Armbruster <armbru@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
qemu-block@nongnu.org
Subject: Re: [PATCH 3/5] virtio-blk: add vq_rq[] bounds check in virtio_blk_dma_restart_cb()
Date: Tue, 06 Feb 2024 09:20:08 +0200
Message-ID: <8fb60.m9gtpx2hueq@linaro.org>
In-Reply-To: <20240205172659.476970-4-stefanha@redhat.com>

On Mon, 05 Feb 2024 19:26, Stefan Hajnoczi <stefanha@redhat.com> wrote:
>Hanna Czenczek <hreitz@redhat.com> noted that the array index in
>virtio_blk_dma_restart_cb() is not bounds-checked:
>
>    g_autofree VirtIOBlockReq **vq_rq = g_new0(VirtIOBlockReq *, num_queues);
>    ...
>    while (rq) {
>        VirtIOBlockReq *next = rq->next;
>        uint16_t idx = virtio_get_queue_index(rq->vq);
>
>        rq->next = vq_rq[idx];
>                   ^^^^^^^^^^
>
>The code is correct because both rq->vq and vq_rq[] depend on
>num_queues, but this is indirect and not 100% obvious. Add an assertion.

This sentence could be useful as an inline comment too.

>
>Suggested-by: Hanna Czenczek <hreitz@redhat.com>
>Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
>---
> hw/block/virtio-blk.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
>index a0735a9bca..f3193f4b75 100644
>--- a/hw/block/virtio-blk.c
>+++ b/hw/block/virtio-blk.c
>@@ -1209,6 +1209,7 @@ static void virtio_blk_dma_restart_cb(void *opaque, bool running,
> VirtIOBlockReq *next = rq->next;
> uint16_t idx = virtio_get_queue_index(rq->vq);
>
>+ assert(idx < num_queues);
> rq->next = vq_rq[idx];
> vq_rq[idx] = rq;
> rq = next;
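
Review bot: the added `assert(idx < num_queues);` has no comment saying why the bound always holds, so a reader of the function sees a bounds check with no stated invariant. The rationale exists only in the commit message (both rq->vq and vq_rq[] depend on num_queues); a one-line comment directly above the assertion would keep it next to the code it protects. Placement is right: the check sits before both the read in `rq->next = vq_rq[idx];` and the write in `vq_rq[idx] = rq;`, so neither access can run with an unchecked index.
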
>--
>2.43.0
>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>