vring_get_region_caches() must be called with the RCU read lock
acquired. virtqueue_packed_drop_all() does not, and uses the
'caches' pointer. Fix that by using the RCU_READ_LOCK_GUARD()
macro.

Reported-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 hw/virtio/virtio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 97f60017466..7d3bf9091ee 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -1704,6 +1704,8 @@ static unsigned int virtqueue_packed_drop_all(VirtQueue *vq)
     VirtIODevice *vdev = vq->vdev;
     VRingPackedDesc desc;
 
+    RCU_READ_LOCK_GUARD();
+
     caches = vring_get_region_caches(vq);
     if (!caches) {
         return 0;
-- 
2.31.1

On Mon, Sep 06, 2021 at 12:43:17PM +0200, Philippe Mathieu-Daudé wrote:
> vring_get_region_caches() must be called with the RCU read lock
> acquired. virtqueue_packed_drop_all() does not, and uses the
> 'caches' pointer. Fix that by using the RCU_READ_LOCK_GUARD()
> macro.

Is this a bug that has been encountered, is it a latent bug, a code
cleanup, etc? The impact of this isn't clear but it sounds a little
scary so I wanted to check.

> 
> Reported-by: Stefano Garzarella <sgarzare@redhat.com>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
>  hw/virtio/virtio.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index 97f60017466..7d3bf9091ee 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -1704,6 +1704,8 @@ static unsigned int virtqueue_packed_drop_all(VirtQueue *vq)
>      VirtIODevice *vdev = vq->vdev;
>      VRingPackedDesc desc;
>  
> +    RCU_READ_LOCK_GUARD();
> +
>      caches = vring_get_region_caches(vq);
>      if (!caches) {
>          return 0;
> -- 
> 2.31.1
> 

On 10/4/21 11:23, Stefan Hajnoczi wrote:
> On Mon, Sep 06, 2021 at 12:43:17PM +0200, Philippe Mathieu-Daudé wrote:
>> vring_get_region_caches() must be called with the RCU read lock
>> acquired. virtqueue_packed_drop_all() does not, and uses the
>> 'caches' pointer. Fix that by using the RCU_READ_LOCK_GUARD()
>> macro.
> 
> Is this a bug that has been encountered, is it a latent bug, a code
> cleanup, etc? The impact of this isn't clear but it sounds a little
> scary so I wanted to check.

I'll defer to Stefano, but IIUC it is a latent bug discovered
during code audit.

> 
>>
>> Reported-by: Stefano Garzarella <sgarzare@redhat.com>
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>> ---
>>  hw/virtio/virtio.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
>> index 97f60017466..7d3bf9091ee 100644
>> --- a/hw/virtio/virtio.c
>> +++ b/hw/virtio/virtio.c
>> @@ -1704,6 +1704,8 @@ static unsigned int virtqueue_packed_drop_all(VirtQueue *vq)
>>      VirtIODevice *vdev = vq->vdev;
>>      VRingPackedDesc desc;
>>  
>> +    RCU_READ_LOCK_GUARD();
>> +
>>      caches = vring_get_region_caches(vq);
>>      if (!caches) {
>>          return 0;
>> -- 
>> 2.31.1
>>

On Mon, Oct 04, 2021 at 11:27:12AM +0200, Philippe Mathieu-Daudé wrote:
>On 10/4/21 11:23, Stefan Hajnoczi wrote:
>> On Mon, Sep 06, 2021 at 12:43:17PM +0200, Philippe Mathieu-Daudé wrote:
>>> vring_get_region_caches() must be called with the RCU read lock
>>> acquired. virtqueue_packed_drop_all() does not, and uses the
>>> 'caches' pointer. Fix that by using the RCU_READ_LOCK_GUARD()
>>> macro.
>>
>> Is this a bug that has been encountered, is it a latent bug, a code
>> cleanup, etc? The impact of this isn't clear but it sounds a little
>> scary so I wanted to check.
>
>I'll defer to Stefano, but IIUC it is a latent bug discovered
>during code audit.

Yep, I confirm this. We discovered it by discussing the documentation in 
a previous series.

Thanks,
Stefano