Message-Id: <20210603004133.4079390-9-ak@linux.intel.com>
Date: Wed, 2 Jun 2021 17:41:33 -0700
From: Andi Kleen <ak@...ux.intel.com>
To: mst@...hat.com
Cc: jasowang@...hat.com, virtualization@...ts.linux-foundation.org,
hch@....de, m.szyprowski@...sung.com, robin.murphy@....com,
iommu@...ts.linux-foundation.org, x86@...nel.org,
sathyanarayanan.kuppuswamy@...ux.intel.com, jpoimboe@...hat.com,
linux-kernel@...r.kernel.org, Andi Kleen <ak@...ux.intel.com>
Subject: [PATCH v1 8/8] virtio: Error out on endless free lists
Error out with a warning when the free list loops longer
than the maximum size while freeing descriptors. While technically
we don't care about DoS, it is still better to abort it early.
We ran into this problem while fuzzing the virtio interactions
where the fuzzed code would get stuck for a long time.
Signed-off-by: Andi Kleen <ak@...ux.intel.com>
---
drivers/virtio/virtio_ring.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 244a5b62d85c..96adaa4c5404 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -685,6 +685,11 @@ static int detach_buf_split(struct vring_virtqueue *vq, unsigned int head,
if (!inside_split_ring(vq, i))
return -EIO;
vq->vq.num_free++;
+ if (WARN_ONCE(vq->vq.num_free >
+ vq->split.queue_size_in_bytes /
+ sizeof(struct vring_desc),
+ "Virtio freelist corrupted"))
+ return -EIO;
}
vring_unmap_one_split(vq, &vq->split.vring.desc[i]);
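Review bot: the bound in the new WARN_ONCE is looser than it needs to be. vq->split.queue_size_in_bytes is the size of the whole split ring (descriptor table plus the avail and used rings), so dividing it by sizeof(struct vring_desc) yields a number larger than the actual descriptor count, and a corrupted chain can loop well past the real table before the check fires. The exact limit is the descriptor count the ring was created with, so comparing against vq->split.vring.num, e.g. `if (WARN_ONCE(vq->vq.num_free > vq->split.vring.num, "Virtio freelist corrupted"))`, catches the loop as soon as more descriptors have been freed than exist. Two smaller points: since num_free is incremented before the check, the counter is left one past the table size on the error path, which is acceptable only because the -EIO return already marks the ring as unusable, and WARN_ONCE means that only the first corrupted chain is reported while later ones return -EIO silently, which is worth a comment given that this path is reached by untrusted ring contents during fuzzing.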
--
2.25.4