[PATCH v1 8/8] virtio: Error out on endless free lists

From: Andi Kleen
Date: Wed Jun 02 2021 - 20:42:00 EST

Next message: Andi Kleen: "[PATCH v1 7/8] virtio: Abort IO when descriptor points outside forced swiotlb"
Previous message: Andi Kleen: "[PATCH v1 6/8] dma: Add return value to dma_unmap_page"
In reply to: Andi Kleen: "Re: [PATCH v1 6/8] dma: Add return value to dma_unmap_page"
Next in thread: Andi Kleen: "[PATCH v1 7/8] virtio: Abort IO when descriptor points outside forced swiotlb"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Error out with a warning when the free list loops longer
than the maximum size while freeing descriptors. While technically
we don't care about DOS it is still better to abort it early.

We ran into this problem while fuzzing the virtio interactions
where the fuzzed code would get stuck for a long time.

Signed-off-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>
---
drivers/virtio/virtio_ring.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 244a5b62d85c..96adaa4c5404 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -685,6 +685,11 @@ static int detach_buf_split(struct vring_virtqueue *vq, unsigned int head,
if (!inside_split_ring(vq, i))
return -EIO;
vq->vq.num_free++;
+ if (WARN_ONCE(vq->vq.num_free >
+ vq->split.queue_size_in_bytes /
+ sizeof(struct vring_desc),
+ "Virtio freelist corrupted"))
+ return -EIO;
}

vring_unmap_one_split(vq, &vq->split.vring.desc[i]);
--
2.25.4

Next message: Andi Kleen: "[PATCH v1 7/8] virtio: Abort IO when descriptor points outside forced swiotlb"
Previous message: Andi Kleen: "[PATCH v1 6/8] dma: Add return value to dma_unmap_page"
In reply to: Andi Kleen: "Re: [PATCH v1 6/8] dma: Add return value to dma_unmap_page"
Next in thread: Andi Kleen: "[PATCH v1 7/8] virtio: Abort IO when descriptor points outside forced swiotlb"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]