From: "lihangjing@baidu.com"
Date: Mon, 3 Jun 2019 14:15:24 +0800
Message-ID: <20190603061524.24076-1-lihangjing@baidu.com>
X-Mailer: git-send-email 2.15.1.windows.2
Subject: [Qemu-devel] [PATCH] vhost: fix vhost_log size overflow during migration
Cc: Li Hangjing , qemu-devel@nongnu.org
From: Li Hangjing

When a guest which doesn't support multiqueue is migrated with a multi queues vhost-user-blk device, a crash will occur like:

0 qemu_memfd_alloc (name=, size=562949953421312, seals=, fd=0x7f87171fe8b4, errp=0x7f87171fe8a8) at util/memfd.c:153
1 0x00007f883559d7cf in vhost_log_alloc (size=70368744177664, share=true) at hw/virtio/vhost.c:186
2 0x00007f88355a0758 in vhost_log_get (listener=0x7f8838bd7940, enable=1) at qemu-2-12/hw/virtio/vhost.c:211
3 vhost_dev_log_resize (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:263
4 vhost_migration_log (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:787
5 0x00007f88355463d6 in memory_global_dirty_log_start () at memory.c:2503
6 0x00007f8835550577 in ram_init_bitmaps (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2173
7 ram_init_all (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2192
8 ram_save_setup (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2219
9 0x00007f88357a419d in qemu_savevm_state_setup (f=0x7f88384ce600) at migration/savevm.c:1002
10 0x00007f883579fc3e in migration_thread (opaque=0x7f8837530400) at migration/migration.c:2382
11 0x00007f8832447893 in start_thread () from /lib64/libpthread.so.0
12 0x00007f8832178bfd in clone () from /lib64/libc.so.6

This is because vhost_get_log_size() returns an overflowed vhost-log size. In this function, it uses the uninitialized variables vqs->used_phys and vqs->used_size to get the vhost-log size.

Signed-off-by: Li Hangjing
Reviewed-by: Xie Yongji
Reviewed-by: Chai Wen
---
 hw/virtio/vhost.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 7f61018f2a..6d3a013f49 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -131,6 +131,11 @@ static int vhost_sync_dirty_bitmap(struct vhost_dev *d= ev, } for (i =3D 0; i < dev->nvqs; ++i) { struct vhost_virtqueue *vq =3D dev->vqs + i; + + if (!vq->used_phys && !vq->used_size) { + continue; + } + vhost_dev_sync_region(dev, section, start_addr, end_addr, vq->used= _phys, range_get_last(vq->used_phys, vq->used_size)= ); } @@ -168,6 +173,11 @@ static uint64_t vhost_get_log_size(struct vhost_dev *d= ev) } for (i =3D 0; i < dev->nvqs; ++i) { struct vhost_virtqueue *vq =3D dev->vqs + i; + + if (!vq->used_phys && !vq->used_size) { + continue; + } + uint64_t last =3D vq->used_phys + vq->used_size - 1; log_size =3D MAX(log_size, last / VHOST_LOG_CHUNK + 1); } --=20 2.15.1.windows.2
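Review bot: in the vhost_sync_dirty_bitmap hunk the skip condition `if (!vq->used_phys && !vq->used_size)` only covers the case where both fields are zero, yet range_get_last(vq->used_phys, vq->used_size) is just as meaningless for a queue whose used_size is 0 while used_phys is not; testing `!vq->used_size` alone (or joining the two tests with `||`) would cover every queue the guest never started. A one-line comment above the check saying why such queues exist (a guest without multiqueue support leaves the extra queues of a multi-queue device unused, as the commit message describes) would spare the next reader a trip to the commit log.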
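Review bot: the vhost_get_log_size hunk depends on used_phys and used_size both being exactly zero for queues the guest never set up, but the commit message calls those fields uninitialized; if they were genuinely uninitialized the zero test would not be reliable, so the message should state which allocation zeroes the vqs array, or the fields should be zeroed explicitly when the device is initialised. With both at zero, `uint64_t last = vq->used_phys + vq->used_size - 1;` wraps to UINT64_MAX and `log_size = MAX(log_size, last / VHOST_LOG_CHUNK + 1);` is what yields the huge size in the backtrace, so the reasoning is worth a sentence in the message as well. The same four-line check now appears in two functions; a small static helper (for instance `vhost_vq_is_unused(vq)`, name hypothetical) would keep the two copies from drifting apart.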