Vhost shadow virtqueue is an intermediate jump for virtqueue
notifications and buffers, allowing qemu to track them.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
---
hw/virtio/vhost-shadow-virtqueue.h | 24 ++++++++++++
hw/virtio/vhost-shadow-virtqueue.c | 63 ++++++++++++++++++++++++++++++
hw/virtio/meson.build | 2 +-
3 files changed, 88 insertions(+), 1 deletion(-)
create mode 100644 hw/virtio/vhost-shadow-virtqueue.h
create mode 100644 hw/virtio/vhost-shadow-virtqueue.c
diff --git a/hw/virtio/vhost-shadow-virtqueue.h b/hw/virtio/vhost-shadow-virtqueue.h
new file mode 100644
index 0000000000..6cc18d6acb
--- /dev/null
+++ b/hw/virtio/vhost-shadow-virtqueue.h
@@ -0,0 +1,24 @@
+/*
+ * vhost software live migration ring
+ *
+ * SPDX-FileCopyrightText: Red Hat, Inc. 2021
+ * SPDX-FileContributor: Author: Eugenio Pérez <eperezma@redhat.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef VHOST_SHADOW_VIRTQUEUE_H
+#define VHOST_SHADOW_VIRTQUEUE_H
+
+#include "qemu/osdep.h"
+
+#include "hw/virtio/virtio.h"
+#include "hw/virtio/vhost.h"
+
+typedef struct VhostShadowVirtqueue VhostShadowVirtqueue;
+
+VhostShadowVirtqueue *vhost_shadow_vq_new(struct vhost_dev *dev, int idx);
+
+void vhost_shadow_vq_free(VhostShadowVirtqueue *vq);
+
+#endif
diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
new file mode 100644
index 0000000000..b5d2645ae0
--- /dev/null
+++ b/hw/virtio/vhost-shadow-virtqueue.c
@@ -0,0 +1,63 @@
+/*
+ * vhost software live migration ring
+ *
+ * SPDX-FileCopyrightText: Red Hat, Inc. 2021
+ * SPDX-FileContributor: Author: Eugenio Pérez <eperezma@redhat.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "hw/virtio/vhost-shadow-virtqueue.h"
+
+#include "qemu/error-report.h"
+#include "qemu/event_notifier.h"
+
+/* Shadow virtqueue to relay notifications */
+typedef struct VhostShadowVirtqueue {
+ /* Shadow kick notifier, sent to vhost */
+ EventNotifier kick_notifier;
+ /* Shadow call notifier, sent to vhost */
+ EventNotifier call_notifier;
+} VhostShadowVirtqueue;
+
+/*
+ * Creates vhost shadow virtqueue, and instruct vhost device to use the shadow
+ * methods and file descriptors.
+ */
+VhostShadowVirtqueue *vhost_shadow_vq_new(struct vhost_dev *dev, int idx)
+{
+ g_autofree VhostShadowVirtqueue *svq = g_new0(VhostShadowVirtqueue, 1);
+ int r;
+
+ r = event_notifier_init(&svq->kick_notifier, 0);
+ if (r != 0) {
+ error_report("Couldn't create kick event notifier: %s",
+ strerror(errno));
+ goto err_init_kick_notifier;
+ }
+
+ r = event_notifier_init(&svq->call_notifier, 0);
+ if (r != 0) {
+ error_report("Couldn't create call event notifier: %s",
+ strerror(errno));
+ goto err_init_call_notifier;
+ }
+
+ return svq;
+
+err_init_call_notifier:
+ event_notifier_cleanup(&svq->kick_notifier);
+
+err_init_kick_notifier:
+ return NULL;
+}
+
+/*
+ * Free the resources of the shadow virtqueue.
+ */
+void vhost_shadow_vq_free(VhostShadowVirtqueue *vq)
+{
+ event_notifier_cleanup(&vq->kick_notifier);
+ event_notifier_cleanup(&vq->call_notifier);
+ g_free(vq);
+}
diff --git a/hw/virtio/meson.build b/hw/virtio/meson.build
index fbff9bc9d4..8b5a0225fe 100644
--- a/hw/virtio/meson.build
+++ b/hw/virtio/meson.build
@@ -11,7 +11,7 @@ softmmu_ss.add(when: 'CONFIG_ALL', if_true: files('vhost-stub.c'))
virtio_ss = ss.source_set()
virtio_ss.add(files('virtio.c'))
-virtio_ss.add(when: 'CONFIG_VHOST', if_true: files('vhost.c', 'vhost-backend.c'))
+virtio_ss.add(when: 'CONFIG_VHOST', if_true: files('vhost.c', 'vhost-backend.c', 'vhost-shadow-virtqueue.c'))
virtio_ss.add(when: 'CONFIG_VHOST_USER', if_true: files('vhost-user.c'))
virtio_ss.add(when: 'CONFIG_VHOST_VDPA', if_true: files('vhost-vdpa.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_BALLOON', if_true: files('virtio-balloon.c'))
--
2.27.0
On Tue, Feb 09, 2021 at 04:37:54PM +0100, Eugenio Pérez wrote:
> +/*
> + * Creates vhost shadow virtqueue, and instruct vhost device to use the shadow
> + * methods and file descriptors.
> + */
> +VhostShadowVirtqueue *vhost_shadow_vq_new(struct vhost_dev *dev, int idx)
> +{
> + g_autofree VhostShadowVirtqueue *svq = g_new0(VhostShadowVirtqueue, 1);
> + int r;
> +
> + r = event_notifier_init(&svq->kick_notifier, 0);
> + if (r != 0) {
> + error_report("Couldn't create kick event notifier: %s",
> + strerror(errno));
> + goto err_init_kick_notifier;
> + }
> +
> + r = event_notifier_init(&svq->call_notifier, 0);
> + if (r != 0) {
> + error_report("Couldn't create call event notifier: %s",
> + strerror(errno));
> + goto err_init_call_notifier;
> + }
> +
> + return svq;
Use-after-free due to g_autofree. I think this should be:
return g_steal_pointer(&svq)
https://developer.gnome.org/glib/stable/glib-Memory-Allocation.html#g-steal-pointer
On Wed, Feb 17, 2021 at 2:01 PM Stefan Hajnoczi <stefanha@redhat.com> wrote:
>
> On Tue, Feb 09, 2021 at 04:37:54PM +0100, Eugenio Pérez wrote:
> > +/*
> > + * Creates vhost shadow virtqueue, and instruct vhost device to use the shadow
> > + * methods and file descriptors.
> > + */
> > +VhostShadowVirtqueue *vhost_shadow_vq_new(struct vhost_dev *dev, int idx)
> > +{
> > + g_autofree VhostShadowVirtqueue *svq = g_new0(VhostShadowVirtqueue, 1);
> > + int r;
> > +
> > + r = event_notifier_init(&svq->kick_notifier, 0);
> > + if (r != 0) {
> > + error_report("Couldn't create kick event notifier: %s",
> > + strerror(errno));
> > + goto err_init_kick_notifier;
> > + }
> > +
> > + r = event_notifier_init(&svq->call_notifier, 0);
> > + if (r != 0) {
> > + error_report("Couldn't create call event notifier: %s",
> > + strerror(errno));
> > + goto err_init_call_notifier;
> > + }
> > +
> > + return svq;
>
> Use-after-free due to g_autofree. I think this should be:
>
> return g_steal_pointer(&svq)
>
> https://developer.gnome.org/glib/stable/glib-Memory-Allocation.html#g-steal-pointer
What a miss, thanks for pointing it out!
© 2016 - 2026 Red Hat, Inc.