From nobody Sun Nov 16 05:58:57 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=163.com ARC-Seal: i=1; a=rsa-sha256; t=1599063891; cv=none; d=zohomail.com; s=zohoarc; b=Rl6B+SucdwgAODsb6nEE9NRNePgXvGKBtNgNf7nHTfI49Nht3DCskafBzFZx9uQEj3+FBV8PIg4LK9HevA/KmHwjy86kYlbH3TjHcX0SP8m8oTIQ5QUiupSu1P77u2OsZKkN31OX3lY0c3Z9pvCT5LWnttcoJSn5yo/KyA+OPEM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1599063891; h=Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:To; bh=WDZisVGn33WdOeureI+tCYgWp8IxXY0GWRUNVGO8h1s=; b=fIy/33Ux+h2Nsz6FjLuifgcs0zmK0WEaRgyURx+GRMUTO6NkKJ4yYr98/ArL3a6ulxWMpKdkL1b2j/wFpkLD0isrpOQAv06zpxl5pu4KUiyG3M0tMRfg9QO3p2er3MBNzQNuhgrSExb/Tv0/ZF5tZlHR+Nlp6GcfVOLwhqdfO7w= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1599063891314891.4560729174854; Wed, 2 Sep 2020 09:24:51 -0700 (PDT) Received: from localhost ([::1]:51698 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kDVZ4-0005zM-Ho for importer@patchew.org; Wed, 02 Sep 2020 12:24:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:35232) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kDVWx-0002wP-1x for qemu-devel@nongnu.org; Wed, 02 Sep 2020 12:22:39 -0400 Received: from mail-m971.mail.163.com ([123.126.97.1]:43392) by 
eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kDVWr-0002uq-TE for qemu-devel@nongnu.org; Wed, 02 Sep 2020 12:22:37 -0400 Received: from localhost.localdomain (unknown [183.134.168.235]) by smtp1 (Coremail) with SMTP id GdxpCgAXbyO1xk9fAIYUAQ--.82S5; Thu, 03 Sep 2020 00:22:18 +0800 (CST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-Id; bh=WDZisVGn33WdOeureI +tCYgWp8IxXY0GWRUNVGO8h1s=; b=IZAt6nDwGHPV2ZFJxxs2TviyuoKQd/7CD1 sDVUHAbpf8aIY+bEsZnoAlejTuwEbN5cf+IzwGtqB3p0Ny9F33J6v1jdwIVofqHL 1dyiCsgLJTzUgaT2nqycAKRYbIyhr2ZiwYv/HB+cMD7Str3UCjTegsQj7qbEr/aB CeanYV+lI= 
From: Li Qiang To: mst@redhat.com, kraxel@redhat.com, dmitry.fleytman@gmail.com, jasowang@redhat.com, alxndr@bu.edu, peter.maydell@linaro.org, pbonzini@redhat.com Subject: [RFC 1/3] e1000e: make the IO handler reentrant Date: Wed, 2 Sep 2020 09:22:04 -0700 Message-Id: <20200902162206.101872-2-liq3ea@163.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200902162206.101872-1-liq3ea@163.com> References: <20200902162206.101872-1-liq3ea@163.com> X-CM-TRANSID: GdxpCgAXbyO1xk9fAIYUAQ--.82S5 X-Coremail-Antispam: 1Uf129KBjvJXoWxWw1rZw4fur15CF13Ar48Crg_yoW5ZF17pF W8KFZ8X3WFkr17GrnrXr45JF15Xws7AasrJ39xZ3ZY9r45u3s5tF9IqrWUGrsru347CFy7 XF4DAFW3tr4DZ3JanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x07UQ_-QUUUUU= X-Originating-IP: [183.134.168.235] X-CM-SenderInfo: 5oltjvrd6rljoofrz/xtbBoRuTbVQHLbTxYQAAse Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=123.126.97.1; envelope-from=liq3ea@163.com; helo=mail-m971.mail.163.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/09/02 12:22:24 X-ACL-Warn: Detected OS = Linux 3.1-3.10 X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Li Qiang , liq3ea@gmail.com, qemu-devel@nongnu.org Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @163.com) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 
The guest can program the e1000e DMA address to its MMIO. This will cause
a UAF issue. Following is the reproducer:

cat << EOF | ./i386-softmmu/qemu-system-i386 -M q35,accel=qtest \
-qtest stdio -nographic -monitor none -serial none
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0xe102003b 0x1 0xff
write 0xe1020103 0x1e 0xffffff055c5e5c30be4511d084ffffffffffffffffffffffffffffffffff
write 0xe1020420 0x4 0xffffffff
write 0xe1020424 0x4 0xffffffff
write 0xe102042b 0x1 0xff
write 0xe1020430 0x4 0x055c5e5c
write 0x5c041 0x1 0x04
write 0x5c042 0x1 0x02
write 0x5c043 0x1 0xe1
write 0x5c048 0x1 0x8a
write 0x5c04a 0x1 0x31
write 0x5c04b 0x1 0xff
write 0xe1020403 0x1 0xff
EOF

This patch avoids this by adding an 'in_io' in E1000EState to indicate it is
in IO processing.

Buglink: https://bugs.launchpad.net/qemu/+bug/1886362
Reported-by: Alexander Bulekov
Signed-off-by: Li Qiang
---
 hw/net/e1000e.c | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/hw/net/e1000e.c b/hw/net/e1000e.c index fda34518c9..eb6b34b7f3 100644 --- a/hw/net/e1000e.c +++ b/hw/net/e1000e.c @@ -77,6 +77,8 @@ typedef struct E1000EState { =20 bool disable_vnet; =20 + bool in_io; + E1000ECore core; =20 } E1000EState; @@ -98,7 +100,15 @@ static uint64_t e1000e_mmio_read(void *opaque, hwaddr addr, unsigned size) { E1000EState *s =3D opaque; - return e1000e_core_read(&s->core, addr, size); + uint64_t ret; + + if (s->in_io) { + return 0; + } + s->in_io =3D true; + ret =3D e1000e_core_read(&s->core, addr, size); + s->in_io =3D false; + return ret; } =20 static void @@ -106,7 +116,13 @@ e1000e_mmio_write(void *opaque, hwaddr addr, uint64_t val, unsigned size) { E1000EState *s =3D opaque; + + if (s->in_io) { + return; + } + s->in_io =3D true; e1000e_core_write(&s->core, addr, val, size); + s->in_io =3D false; } =20 static bool
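Review bot: the new `bool in_io` in E1000EState (first hunk) is never cleared anywhere except by the handlers that set it: nothing in this patch resets it in the device's reset handler, and it is not marked as deliberately excluded from the VMState description. If any handler ever leaves the flag true, every later MMIO and IO-port access to the device silently returns 0 or is dropped with no diagnostic, so reset it explicitly in the reset path and add a one-line comment on the field saying it is a transient reentrancy guard that must not be migrated.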
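Review bot: in the e1000e_mmio_read hunk the reentrant case (`if (s->in_io) { return 0; }`) is indistinguishable from a register that legitimately reads as zero, and nothing records that a guest managed to point the DMA engine at the device's own BAR. Since that condition is guest-triggered and is exactly what the bug report describes, log it (qemu_log_mask(LOG_GUEST_ERROR, ...) or a trace point) before returning, and put a comment above the check explaining why the read can re-enter; a bare `return 0` will puzzle the next reader.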
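Review bot: the e1000e_mmio_write hunk repeats the same set/clear sequence as e1000e_mmio_read, and the two IO-port handlers later in the patch repeat it again with the clear duplicated on every return path. Consider a single helper that takes the device and a callback, or an inline pair such as e1000e_io_enter()/e1000e_io_leave(), so the flag is cleared in exactly one place per handler; as written, any future early return added to one of these functions wedges the device.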
@@ -138,19 +154,28 @@ e1000e_io_read(void *opaque, hwaddr addr, unsigned si= ze) uint32_t idx =3D 0; uint64_t val; =20 + if (s->in_io) { + return 0; + } + s->in_io =3D true; + switch (addr) { case E1000_IOADDR: trace_e1000e_io_read_addr(s->ioaddr); + s->in_io =3D false; return s->ioaddr; case E1000_IODATA: if (e1000e_io_get_reg_index(s, &idx)) { val =3D e1000e_core_read(&s->core, idx, sizeof(val)); trace_e1000e_io_read_data(idx, val); + s->in_io =3D false; return val; } + s->in_io =3D false; return 0; default: trace_e1000e_wrn_io_read_unknown(addr); + s->in_io =3D false; return 0; } } 
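Review bot: in the e1000e_io_read hunk the guard wraps the whole switch, so the E1000_IOADDR arm sets `s->in_io = true` only to return `s->ioaddr`, which cannot re-enter anything, and the flag then has to be cleared on three separate return paths. Only `e1000e_core_read(&s->core, idx, sizeof(val))` in the E1000_IODATA arm does anything beyond tracing and returning a value; narrowing the set/clear to that call removes the extra clears and makes the purpose of the flag obvious. Note also that e1000e_core_read is the same function e1000e_mmio_read now guards, so the IO-port path and the MMIO path share one flag, which is intended but deserves a comment.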
@@ -162,19 +187,27 @@ e1000e_io_write(void *opaque, hwaddr addr, E1000EState *s =3D opaque; uint32_t idx =3D 0; =20 + if (s->in_io) { + return; + } + s->in_io =3D true; + switch (addr) { case E1000_IOADDR: trace_e1000e_io_write_addr(val); s->ioaddr =3D (uint32_t) val; + s->in_io =3D false; return; case E1000_IODATA: if (e1000e_io_get_reg_index(s, &idx)) { trace_e1000e_io_write_data(idx, val); e1000e_core_write(&s->core, idx, val, sizeof(val)); } + s->in_io =3D false; return; default: trace_e1000e_wrn_io_write_unknown(addr); + s->in_io =3D false; return; } } --=20 2.17.1
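Review bot: same shape as the io_read hunk: in e1000e_io_write the E1000_IOADDR arm sets and clears `s->in_io` around a plain assignment to `s->ioaddr`, and the default arm does so around a trace call, while only `e1000e_core_write(&s->core, idx, val, sizeof(val))` in the E1000_IODATA arm can reach the core and trigger DMA. Guarding just that call drops three of the four `s->in_io = false;` lines. The commit message should also state that a nested write is deliberately discarded rather than queued, since that is a behaviour change for any path that hits it.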

From: Li Qiang
To: mst@redhat.com, kraxel@redhat.com, dmitry.fleytman@gmail.com, jasowang@redhat.com, alxndr@bu.edu, peter.maydell@linaro.org, pbonzini@redhat.com
Subject: [RFC 2/3] xhci: make the IO handler reentrant
Date: Wed, 2 Sep 2020 09:22:05 -0700
Message-Id: <20200902162206.101872-3-liq3ea@163.com>
In-Reply-To: <20200902162206.101872-1-liq3ea@163.com>
References: <20200902162206.101872-1-liq3ea@163.com>
Cc: Li Qiang , liq3ea@gmail.com, qemu-devel@nongnu.org
The guest can program the xhci DMA address to its MMIO. This will cause
a UAF issue. Following is the reproducer:

cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc0202
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xc0040 0xffffd855
writeq 0xc2000 0xff05140100000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
write 0x2007c 0x1 0xc7
writeq 0xc2000 0x5c05140100000000
write 0x20070 0x1 0x80
write 0x20078 0x1 0x08
write 0x2007c 0x1 0xfe
write 0x2007d 0x1 0x08
write 0x20081 0x1 0xff
write 0x20082 0x1 0x0b
write 0x20089 0x1 0x8c
write 0x2008d 0x1 0x04
write 0x2009d 0x1 0x10
writeq 0xc2000 0x2505ef019e092f00
EOF

This patch avoids this by adding an 'in_io' in XHCIState to indicate it is
in IO processing.

Buglink: https://bugs.launchpad.net/qemu/+bug/1891354
Reported-by: Alexander Bulekov
Signed-off-by: Li Qiang
---
 hw/usb/hcd-xhci.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++
 hw/usb/hcd-xhci.h | 1 +
 2 files changed, 61 insertions(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 46a2186d91..06cd235123 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -2738,6 +2738,11 @@ static uint64_t xhci_cap_read(void *ptr, hwaddr reg,= unsigned size) XHCIState *xhci =3D ptr; uint32_t ret; =20 + if (xhci->in_io) { + return 0; + } + xhci->in_io =3D true; + switch (reg) { case 0x00: /* HCIVERSION, CAPLENGTH */ ret =3D 0x01000000 | LEN_CAP;
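Review bot: xhci_cap_read only returns constants (`ret = 0x01000000 | LEN_CAP` and the other capability words) and has no side effects, so guarding it with `xhci->in_io` does not close any reentrancy path; it only changes what a nested read of the capability registers sees, from the real value to 0, and adds a clear at the function's exit that must be kept in sync forever. The same applies to the other pure read handlers in this patch. Either restrict the flag to the handlers that can start a DMA or change controller state (the write handlers), or explain in the commit message why nested reads must also be blocked.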
@@ -2805,6 +2810,9 @@ static uint64_t xhci_cap_read(void *ptr, hwaddr reg, = unsigned size) } =20 trace_usb_xhci_cap_read(reg, ret); + + xhci->in_io =3D false; + return ret; } =20 @@ -2813,6 +2821,11 @@ static uint64_t xhci_port_read(void *ptr, hwaddr reg= , unsigned size) XHCIPort *port =3D ptr; uint32_t ret; =20 + if (port->xhci->in_io) { + return 0; + } + port->xhci->in_io =3D true; + switch (reg) { case 0x00: /* PORTSC */ ret =3D port->portsc; @@ -2828,6 +2841,9 @@ static uint64_t xhci_port_read(void *ptr, hwaddr reg,= unsigned size) } =20 trace_usb_xhci_port_read(port->portnr, reg, ret); + + port->xhci->in_io =3D false; + return ret; } =20 @@ -2837,6 +2853,11 @@ static void xhci_port_write(void *ptr, hwaddr reg, XHCIPort *port =3D ptr; uint32_t portsc, notify; =20 + if (port->xhci->in_io) { + return; + } + port->xhci->in_io =3D true; + trace_usb_xhci_port_write(port->portnr, reg, val); =20 switch (reg) { @@ -2896,6 +2917,7 @@ static void xhci_port_write(void *ptr, hwaddr reg, default: trace_usb_xhci_unimplemented("port write", reg); } + port->xhci->in_io =3D false; } =20 static uint64_t xhci_oper_read(void *ptr, hwaddr reg, unsigned size) @@ -2903,6 +2925,11 @@ static uint64_t xhci_oper_read(void *ptr, hwaddr reg= , unsigned size) XHCIState *xhci =3D ptr; uint32_t ret; =20 + if (xhci->in_io) { + return 0; + } + xhci->in_io =3D true; + switch (reg) { case 0x00: /* USBCMD */ ret =3D xhci->usbcmd; @@ -2937,6 +2964,9 @@ static uint64_t xhci_oper_read(void *ptr, hwaddr reg,= unsigned size) } =20 trace_usb_xhci_oper_read(reg, ret); + + xhci->in_io =3D false; + return ret; } =20 @@ -2946,6 +2976,11 @@ static void xhci_oper_write(void *ptr, hwaddr reg, XHCIState *xhci =3D ptr; DeviceState *d =3D DEVICE(ptr); =20 + if (xhci->in_io) { + return; + } + xhci->in_io =3D true; + trace_usb_xhci_oper_write(reg, val); =20 switch (reg) { 
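Review bot: in the xhci_oper_write hunk the guard sits before `trace_usb_xhci_oper_write(reg, val)`, so a nested write to USBCMD or the other operational registers is dropped without even a trace record, and the xhci_port_write hunk has the same shape. These are the writes that can run, stop or reset the controller, so silently discarding one is a significant behaviour change; emit a trace or a qemu_log_mask(LOG_GUEST_ERROR, ...) line in the `if (xhci->in_io)` branch so the condition is visible when a guest triggers it. Note also that xhci_port_write reaches the flag through `port->xhci->in_io`, i.e. one flag shared by every port and every register region of the controller; a comment on the field should say so.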
@@ -3008,6 +3043,7 @@ static void xhci_oper_write(void *ptr, hwaddr reg, default: trace_usb_xhci_unimplemented("oper write", reg); } + xhci->in_io =3D false; } =20 static uint64_t xhci_runtime_read(void *ptr, hwaddr reg, @@ -3016,6 +3052,11 @@ static uint64_t xhci_runtime_read(void *ptr, hwaddr = reg, XHCIState *xhci =3D ptr; uint32_t ret =3D 0; =20 + if (xhci->in_io) { + return 0; + } + xhci->in_io =3D true; + if (reg < 0x20) { switch (reg) { case 0x00: /* MFINDEX */ @@ -3054,6 +3095,9 @@ static uint64_t xhci_runtime_read(void *ptr, hwaddr r= eg, } =20 trace_usb_xhci_runtime_read(reg, ret); + + xhci->in_io =3D false; + return ret; } =20 @@ -3063,10 +3107,17 @@ static void xhci_runtime_write(void *ptr, hwaddr re= g, XHCIState *xhci =3D ptr; int v =3D (reg - 0x20) / 0x20; XHCIInterrupter *intr =3D &xhci->intr[v]; + + if (xhci->in_io) { + return; + } + xhci->in_io =3D true; + trace_usb_xhci_runtime_write(reg, val); =20 if (reg < 0x20) { trace_usb_xhci_unimplemented("runtime write", reg); + xhci->in_io =3D false; return; } =20 @@ -3121,6 +3172,7 @@ static void xhci_runtime_write(void *ptr, hwaddr reg, default: trace_usb_xhci_unimplemented("oper write", reg); } + xhci->in_io =3D false; } =20 static uint64_t xhci_doorbell_read(void *ptr, hwaddr reg, @@ -3137,10 +3189,17 @@ static void xhci_doorbell_write(void *ptr, hwaddr r= eg, XHCIState *xhci =3D ptr; unsigned int epid, streamid; =20 + if (xhci->in_io) { + return; + } + + xhci->in_io =3D true; + trace_usb_xhci_doorbell_write(reg, val); =20 if (!xhci_running(xhci)) { DPRINTF("xhci: wrote doorbell while xHC stopped or paused\n"); + xhci->in_io =3D false; return; } =20 @@ -3165,6 +3224,7 @@ static void xhci_doorbell_write(void *ptr, hwaddr reg, xhci_kick_ep(xhci, reg, epid, streamid); } } + xhci->in_io =3D false; } =20 static void xhci_cap_write(void *opaque, hwaddr addr, uint64_t val, diff --git a/hw/usb/hcd-xhci.h b/hw/usb/hcd-xhci.h index 946af51fc2..ed16232c96 100644 --- a/hw/usb/hcd-xhci.h +++ b/hw/usb/hcd-xhci.h 
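Review bot: in the xhci_runtime_write hunk the new guard is inserted after `int v = (reg - 0x20) / 0x20; XHCIInterrupter *intr = &xhci->intr[v];`, which for `reg < 0x20` computes a negative index before the existing early return is reached. That is pre-existing, but since this patch already adds an early-return block at the top of the function, placing the guard (and ideally the `reg < 0x20` check) before the index computation would be cleaner. The `reg < 0x20` branch now also needs its own `xhci->in_io = false;` before `return`, which is the fragile clear-on-every-exit pattern again.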
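Review bot: xhci_doorbell_write is the handler that actually dispatches work (`xhci_kick_ep(xhci, reg, epid, streamid)`) and therefore the one where the guard clearly matters; a short comment there saying that the kick can DMA into the controller's own MMIO window (the bug report's scenario) and re-enter this function would tell future readers why the flag exists. Two more points visible in this hunk: the `!xhci_running(xhci)` early return needs its own `xhci->in_io = false;`, and xhci_cap_write and xhci_doorbell_read (visible in the surrounding context) are left unguarded, which is fine if they have no side effects but should be stated in the commit message so the asymmetry does not look like an oversight.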
@@ -227,6 +227,7 @@ struct XHCIState { XHCIRing cmd_ring; =20 bool nec_quirks; + bool in_io; }; =20 #endif --=20 2.17.1
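Review bot: the hcd-xhci.h hunk adds `bool in_io;` to struct XHCIState with no comment, and nothing in the patch clears it on controller reset or marks it as deliberately absent from the VMState description. Add a comment stating that it is a transient reentrancy guard for the MMIO handlers and must never be migrated, and reset it explicitly in the reset path, since a flag left set would make every subsequent register access return 0 or be dropped. A question for the author: if any non-MMIO entry point (a timer or completion callback) performs DMA, it would need to set the same flag; is only the synchronous MMIO-to-DMA-to-MMIO cycle in scope here?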

From: Li Qiang
To: mst@redhat.com, kraxel@redhat.com, dmitry.fleytman@gmail.com, jasowang@redhat.com, alxndr@bu.edu, peter.maydell@linaro.org, pbonzini@redhat.com
Subject: [RFC 3/3] virtio-gpu: make the IO handler reentrant
Date: Wed, 2 Sep 2020 09:22:06 -0700
Message-Id: <20200902162206.101872-4-liq3ea@163.com>
In-Reply-To: <20200902162206.101872-1-liq3ea@163.com>
References: <20200902162206.101872-1-liq3ea@163.com>
Cc: Li Qiang , liq3ea@gmail.com, qemu-devel@nongnu.org
The guest can program the virtio desc table. When the used ring is
programmed by virtio-gpu's MMIO it may cause a reentrant issue. Following
is the reproducer:

cat << EOF | ./i386-softmmu/qemu-system-i386 -nographic -M pc -nodefaults -m 512M -device virtio-vga -qtest stdio
outl 0xcf8 0x80001018
outl 0xcfc 0xe0800000
outl 0xcf8 0x80001020
outl 0xcf8 0x80001004
outw 0xcfc 0x7
writeq 0xe0801024 0x10646c00776c6cff
writeq 0xe080102d 0xe0801000320000
writeq 0xe0801015 0x12b2901ba000000
write 0x10646c02 0x1 0x2c
write 0x999 0x1 0x25
write 0x8 0x1 0x78
write 0x2c7 0x1 0x32
write 0x2cb 0x1 0xff
write 0x2cc 0x1 0x7e
writeq 0xe0803000 0xf2b8f0540ff83
EOF

This patch avoids this by adding an 'in_io' in VirtIOGPU to indicate it is
in IO processing.

Notice this also addresses the race condition between
'virtio_gpu_process_cmdq' and 'virtio_gpu_reset', as
'virtio_gpu_process_cmdq' is run in a BH in the main thread and
'virtio_gpu_reset' is run in the vcpu thread, and both of them access
'g->cmdq'.

Buglink: https://bugs.launchpad.net/qemu/+bug/1888606
Reported-by: Alexander Bulekov
Signed-off-by: Li Qiang
---
 hw/display/virtio-gpu.c | 10 ++++++++++
 include/hw/virtio/virtio-gpu.h | 1 +
 2 files changed, 11 insertions(+)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 5f0dd7c150..404b7dc174 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -809,6 +809,10 @@ void virtio_gpu_process_cmdq(VirtIOGPU *g) { struct virtio_gpu_ctrl_command *cmd; =20 + if (atomic_read(&g->in_io)) { + return; + } + atomic_set(&g->in_io, 1); while (!QTAILQ_EMPTY(&g->cmdq)) { cmd =3D QTAILQ_FIRST(&g->cmdq); =20 @@ -838,6 +842,7 @@ void virtio_gpu_process_cmdq(VirtIOGPU *g) g_free(cmd); } } + atomic_set(&g->in_io, 0); } =20 static void virtio_gpu_gl_unblock(VirtIOGPUBase *b)
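Review bot: `atomic_read(&g->in_io)` followed by `atomic_set(&g->in_io, 1)` in the virtio_gpu_process_cmdq hunk is a check-then-act sequence, not a test-and-set: two threads can both read 0 and both proceed, so it cannot provide the cross-thread exclusion between the BH and virtio_gpu_reset that the commit message claims. If the two really run concurrently, use a compare-and-swap (atomic_cmpxchg on an int, entering only when it returns 0); if both actually run under the BQL, the atomics are unnecessary, a plain `bool` as in the e1000e and xhci patches suffices, and the commit message should drop the race claim. Either way the flag guards the whole loop, so a nested virtio_gpu_process_cmdq call returns with the new command still in `g->cmdq` for the outer loop to pick up, which is fine but worth a comment.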
@@ -1144,6 +1149,10 @@ static void virtio_gpu_reset(VirtIODevice *vdev) struct virtio_gpu_simple_resource *res, *tmp; struct virtio_gpu_ctrl_command *cmd; =20 + if (atomic_read(&g->in_io)) { + return; + } + atomic_set(&g->in_io, 1); #ifdef CONFIG_VIRGL if (g->parent_obj.use_virgl_renderer) { virtio_gpu_virgl_reset(g); @@ -1179,6 +1188,7 @@ static void virtio_gpu_reset(VirtIODevice *vdev) #endif =20 virtio_gpu_base_reset(VIRTIO_GPU_BASE(vdev)); + atomic_set(&g->in_io, 0); } =20 static void diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h index 7517438e10..aadcf0e332 100644 --- a/include/hw/virtio/virtio-gpu.h +++ b/include/hw/virtio/virtio-gpu.h @@ -150,6 +150,7 @@ typedef struct VirtIOGPU { =20 bool renderer_inited; bool renderer_reset; + bool in_io; QEMUTimer *fence_poll; QEMUTimer *print_stats; =20 --=20 2.17.1
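Review bot: in the virtio_gpu_reset hunk the early `return` when `in_io` is set skips the entire reset: the virgl reset under CONFIG_VIRGL, the resource and command cleanup the function exists for, and `virtio_gpu_base_reset(VIRTIO_GPU_BASE(vdev))`. A reset that arrives while the command queue is being processed is then silently ignored and the device keeps its old state and a live `g->cmdq`, which is a functional regression rather than a safe default. Prefer letting reset win: have the loop in virtio_gpu_process_cmdq check a reset-pending flag and stop, then run the reset once the loop has exited, or at minimum log the skipped reset with qemu_log_mask so it is diagnosable.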
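Review bot: the virtio-gpu.h hunk declares `bool in_io;`, but the .c hunks access it only through atomic_read/atomic_set with the integer values 1 and 0; if the field is meant for atomic access, declare it as an int (or use true/false consistently), and add a comment saying what it protects (`g->cmdq` processing versus reset) and that it is transient and not migrated, since nothing in the patch resets or migrates it.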