On Thu, 16 Mar 2023 at 16:21, Akihiko Odaki <akihiko.od...@daynix.com> wrote:
>
> A guest may ask a memory-mapped device to perform DMA. If the
> address specified for DMA is the device performing DMA, it will create
> recursion. It is very unlikely that device implementations are prepared
> for such an abnormal access, which can result in unpredictable behavior.
>
> In particular, such a recursion breaks e1000e, a network device. If
> the device is configured to write the received packet to the register
> to trigger receiving, it triggers re-entry to the Rx logic of e1000e.
> This causes use-after-free since the Rx logic is not re-entrant.
>
> As there should be no valid reason to perform recursive memory access,
> check for recursion before accessing memory-mapped device.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1543
> Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com>
> ---
> V1 -> V2: Marked the variable thread-local. Introduced linked list.
Don't we already have proposals on the mailing list for addressing this? How does this patch differ from those?

Also, "device A DMAs to device A" is only a subset of the problems -- you can also have "device A DMAs to device B which triggers DMA to device A" and more complicated situations.

thanks
-- PMM
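To make the two messages concrete, here is a small constructed model of the guard the patch describes (a thread-local list of devices whose MMIO handlers are currently executing, checked before dispatching an access) exercised against both the self-DMA case from the commit message and the A -> B -> A case from the reply. This is an added illustration written for this page, not QEMU code or the patch itself; the device model, the `doorbell_write` handler, the `Outcome` struct and the scenario functions are all invented here. Because the check walks the whole per-thread list rather than comparing only the innermost device, the indirect cycle is caught by the same test as the direct one; an acyclic chain is left alone.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of guest-visible MMIO dispatch. Not QEMU code. */

typedef struct Device Device;
struct Device {
    const char *name;
    Device *dma_target;   /* device whose doorbell this one writes via DMA, or NULL */
    int rx_depth;         /* current nesting of the device's "Rx logic" */
    int max_rx_depth;     /* deepest nesting observed */
};

/* One frame per in-progress MMIO access. The list is thread-local because
 * the re-entrancy being guarded is re-entrancy on one thread's call stack. */
typedef struct AccessFrame {
    const Device *dev;
    struct AccessFrame *next;
} AccessFrame;

static _Thread_local AccessFrame *access_stack;
static int rejected_recursions;

static bool mmio_dispatch_write(Device *dev, uint32_t val);

/* Device handler: writing the doorbell "receives" a packet and DMAs it to the
 * configured target. If that target is this device's own register, the DMA
 * would re-enter this handler while it is still running. */
static void doorbell_write(Device *dev, uint32_t val)
{
    dev->rx_depth++;
    if (dev->rx_depth > dev->max_rx_depth) {
        dev->max_rx_depth = dev->rx_depth;
    }
    if (dev->dma_target) {
        mmio_dispatch_write(dev->dma_target, val);   /* the DMA */
    }
    dev->rx_depth--;
}

/* Dispatch layer: refuse the access if the device is already being accessed
 * anywhere up the current stack, otherwise push a frame for the duration. */
static bool mmio_dispatch_write(Device *dev, uint32_t val)
{
    for (const AccessFrame *f = access_stack; f; f = f->next) {
        if (f->dev == dev) {
            rejected_recursions++;
            fprintf(stderr, "rejected recursive access to %s\n", dev->name);
            return false;
        }
    }
    AccessFrame frame = { dev, access_stack };
    access_stack = &frame;
    doorbell_write(dev, val);
    access_stack = frame.next;
    return true;
}

typedef struct { int rejected; int max_depth; } Outcome;

static Outcome run(Device *entry)
{
    rejected_recursions = 0;
    mmio_dispatch_write(entry, 0xdeadbeef);   /* constructed value */
    return (Outcome){ rejected_recursions, entry->max_rx_depth };
}

/* Case from the commit message: the device DMAs into its own register. */
Outcome scenario_self_dma(void)
{
    Device nic = { "nic", NULL, 0, 0 };
    nic.dma_target = &nic;
    return run(&nic);
}

/* Case from the reply: A DMAs to B, whose handler DMAs back to A. */
Outcome scenario_cross_device(void)
{
    Device a = { "a", NULL, 0, 0 }, b = { "b", NULL, 0, 0 };
    a.dma_target = &b;
    b.dma_target = &a;
    return run(&a);
}

/* Control: a chain with no cycle must pass through untouched. */
Outcome scenario_acyclic_chain(void)
{
    Device a = { "a", NULL, 0, 0 }, b = { "b", NULL, 0, 0 }, c = { "c", NULL, 0, 0 };
    a.dma_target = &b;
    b.dma_target = &c;
    return run(&a);
}

int main(void)
{
    Outcome o = scenario_self_dma();
    printf("self-DMA: rejected=%d max_depth=%d\n", o.rejected, o.max_depth);
    o = scenario_cross_device();
    printf("A->B->A:  rejected=%d max_depth=%d\n", o.rejected, o.max_depth);
    o = scenario_acyclic_chain();
    printf("A->B->C:  rejected=%d max_depth=%d\n", o.rejected, o.max_depth);
    return 0;
}
```

In both cyclic scenarios the handler's nesting depth never exceeds 1, which is the property the e1000e Rx path needs; the acyclic chain reports no rejection. A real implementation would also have to decide what the rejected access returns to the guest (the model just drops it), and the reply's "more complicated situations" are worth keeping in mind: the list catches cycles through MMIO dispatch on one thread, but not a re-entry that arrives via a different path, such as a bottom half or another thread.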