68 lines
2.5 KiB
Diff
68 lines
2.5 KiB
Diff
From 4e30ca551fb3740a428017a0debf0a6aab976639 Mon Sep 17 00:00:00 2001
|
|
From: Ani Sinha <anisinha@redhat.com>
|
|
Date: Mon, 19 Jun 2023 12:22:09 +0530
|
|
Subject: [PATCH 6/6] vhost-vdpa: do not cleanup the vdpa/vhost-net structures
|
|
if peer nic is present
|
|
|
|
RH-Author: Ani Sinha <None>
|
|
RH-MergeRequest: 174: vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present
|
|
RH-Bugzilla: 2128929
|
|
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
|
|
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
RH-Commit: [1/1] c70d4e5fd93256326d318e0b507db6b9eb93ad86 (anisinha/centos-qemu-kvm)
|
|
|
|
When a peer nic is still attached to the vdpa backend, it is too early to free
|
|
up the vhost-net and vdpa structures. If these structures are freed here, then
|
|
QEMU crashes when the guest is being shut down. The following call chain
|
|
would result in an assertion failure since the pointer returned from
|
|
vhost_vdpa_get_vhost_net() would be NULL:
|
|
|
|
do_vm_stop() -> vm_state_notify() -> virtio_set_status() ->
|
|
virtio_net_vhost_status() -> get_vhost_net().
|
|
|
|
Therefore, we defer freeing up the structures until at guest shutdown
|
|
time when qemu_cleanup() calls net_cleanup() which then calls
|
|
qemu_del_net_client() which would eventually call vhost_vdpa_cleanup()
|
|
again to free up the structures. This time, the loop in net_cleanup()
|
|
ensures that vhost_vdpa_cleanup() will be called one last time when
|
|
all the peer nics are detached and freed.
|
|
|
|
All unit tests pass with this change.
|
|
|
|
CC: imammedo@redhat.com
|
|
CC: jusual@redhat.com
|
|
CC: mst@redhat.com
|
|
Fixes: CVE-2023-3301
|
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929
|
|
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
|
Message-Id: <20230619065209.442185-1-anisinha@redhat.com>
|
|
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
(cherry picked from commit a0d7215e339b61c7d7a7b3fcf754954d80d93eb8)
|
|
---
|
|
net/vhost-vdpa.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
|
|
index 99904a0da7..8c8900f0f4 100644
|
|
--- a/net/vhost-vdpa.c
|
|
+++ b/net/vhost-vdpa.c
|
|
@@ -184,6 +184,14 @@ static void vhost_vdpa_cleanup(NetClientState *nc)
|
|
{
|
|
VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);
|
|
|
|
+ /*
|
|
+ * If a peer NIC is attached, do not cleanup anything.
|
|
+ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup()
|
|
+ * when the guest is shutting down.
|
|
+ */
|
|
+ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
|
|
+ return;
|
|
+ }
|
|
qemu_vfree(s->cvq_cmd_out_buffer);
|
|
qemu_vfree(s->status);
|
|
if (s->vhost_net) {
|
|
--
|
|
2.39.3
|
|
|