[PATCH v2 3/5] virtio-blk: add vq_rq[] bounds check in virtio_blk_dma_re
From: Stefan Hajnoczi
Subject: [PATCH v2 3/5] virtio-blk: add vq_rq[] bounds check in virtio_blk_dma_restart_cb()
Date: Tue, 6 Feb 2024 14:06:08 -0500

Hanna Czenczek <hreitz@redhat.com> noted that the array index in
virtio_blk_dma_restart_cb() is not bounds-checked:

    g_autofree VirtIOBlockReq **vq_rq = g_new0(VirtIOBlockReq *, num_queues);
    ...
    while (rq) {
        VirtIOBlockReq *next = rq->next;
        uint16_t idx = virtio_get_queue_index(rq->vq);
        rq->next = vq_rq[idx];
                   ^^^^^^^^^^

The code is correct because both rq->vq and vq_rq[] depend on
num_queues, but this is indirect and not 100% obvious. Add an assertion.

Suggested-by: Hanna Czenczek <hreitz@redhat.com>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/block/virtio-blk.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index e430ba583c..31212506ca 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -1209,6 +1209,8 @@ static void virtio_blk_dma_restart_cb(void *opaque, bool
running,
VirtIOBlockReq *next = rq->next;
uint16_t idx = virtio_get_queue_index(rq->vq);
+ /* Only num_queues vqs were created so vq_rq[idx] is within bounds */
+ assert(idx < num_queues);
rq->next = vq_rq[idx];
vq_rq[idx] = rq;
rq = next;
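Review bot: The comment above assert(idx < num_queues) states the invariant but not where it is established, and the commit message itself calls that dependency "indirect and not 100% obvious". Consider having the comment say that rq->vq belongs to one of the num_queues virtqueues and that vq_rq[] is sized by the same num_queues in the g_new0() call, so a later change to either side is caught in review. Also, because the guard is an assert(), it protects the vq_rq[idx] read and the following vq_rq[idx] = rq write only in builds where assertions are active; if that is not guaranteed for this file, an explicit check would be needed instead.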
--
2.43.0