Legacy virtio pci has no way to communicate a change in vq size to
the hypervisor. If ring sizes don't match, the hypervisor will happily
corrupt memory.

We add a check to vring size before calling
vp_legacy_set_queue_address(). Checking the memory range directly is a
bit cumbersome.

Signed-off-by: Xuan Zhuo <[email protected]>
---

v2: replace BUG_ON with WARN_ON_ONCE. @Linus

 drivers/virtio/virtio_pci_legacy.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/virtio/virtio_pci_legacy.c 
b/drivers/virtio/virtio_pci_legacy.c
index 2257f1b3d8ae..091e73d74e94 100644
--- a/drivers/virtio/virtio_pci_legacy.c
+++ b/drivers/virtio/virtio_pci_legacy.c
@@ -146,6 +146,15 @@ static struct virtqueue *setup_vq(struct virtio_pci_device 
*vp_dev,
                goto out_del_vq;
        }
 
+       /* Legacy virtio pci has no way to communicate a change in vq size to
+        * the hypervisor. If ring sizes don't match hypervisor will happily
+        * corrupt memory.
+        */
+       if (WARN_ON_ONCE(num != virtqueue_get_vring_size(vq))) {
+               err = -EPERM;
+               goto out_del_vq;
+       }
+
        /* activate the queue */
        vp_legacy_set_queue_address(&vp_dev->ldev, index, q_pfn);
 
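Review bot: the errno in the new guard, `err = -EPERM;`, reads as a permission failure rather than a size mismatch; -EINVAL, or whatever errno setup_vq() already returns when the device reports a queue size it cannot honour, would be more descriptive to callers. Also, because WARN_ON_ONCE fires only on the first mismatch, every later occurrence fails with no log line at all; a dev_err() naming the queue index, `num` and virtqueue_get_vring_size(vq) before the `goto out_del_vq;` would keep each failure diagnosable. The placement is right: the check sits before vp_legacy_set_queue_address(), so a ring whose size differs from what the device advertised is never exposed to the hypervisor, and the out_del_vq path tears down the vq that was just created.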
-- 
2.31.0
