This patch fixes the problem that vhost_vdpa_net_handle_ctrl_avail() mistakenly frees the `elem` even if it fails to forward the CVQ command to the vdpa device. This can result in a use-after-free.
TestStep ======== 1. test the patch using vp-vdpa device - For L0 guest, boot QEMU with virtio-net-pci net device with `ctrl_vq` feature on, something like: -device virtio-net-pci,rx_queue_size=256,tx_queue_size=256, iommu_platform=on,ctrl_vq=on,... - For L1 guest, apply the patch series, then apply an addtional patch to make the vhost_vdpa_net_handle_ctrl_avail() fails to process the CVQ command as below: diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c index d8f37694ac..1f22355a41 100644 --- a/net/vhost-vdpa.c +++ b/net/vhost-vdpa.c @@ -797,7 +797,8 @@ static int vhost_vdpa_net_handle_ctrl_avail(VhostShadowVirtqueue *svq, dev_written = sizeof(status); *s->status = VIRTIO_NET_OK; } else { - dev_written = vhost_vdpa_net_cvq_add(s, out.iov_len, sizeof(status)); + //dev_written = vhost_vdpa_net_cvq_add(s, out.iov_len, sizeof(status)); + dev_written = -EINVAL; if (unlikely(dev_written < 0)) { goto out; } start QEMU with vdpa device with svq mode and enable the `ctrl_vq` feature on, something like: -netdev type=vhost-vdpa,x-svq=true,... -device virtio-net-pci,ctrl_vq=on,... With this series, QEMU should not trigger any error or warning. Without this series, QEMU should fail with "free(): double free detected in tcache 2". Hawkins Jiawei (1): vdpa: Fix possible use-after-free for VirtQueueElement net/vhost-vdpa.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) -- 2.25.1
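Review bot: the `//dev_written = vhost_vdpa_net_cvq_add(s, out.iov_len, sizeof(status));` line left in the fault-injection hunk should be deleted rather than commented out; QEMU's coding style does not allow `//` comments and checkpatch.pl rejects them, which matters little for a throwaway test patch but avoids confusion if the hunk is ever copied into a tree. The hunk only forces the `dev_written < 0` branch into `goto out`, so it reproduces the double free the cover letter describes but exercises nothing on the success path; the cover letter should state explicitly that this hunk is a test aid for the L1 guest and is not part of the series being submitted.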
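The ownership mistake this series fixes, modelled as an added example rather than QEMU's own code: a handler that releases its element on every exit path, including the failure path where the caller still owns it, followed by the caller's own release, produces the second free that glibc reports as "double free detected in tcache". The types and functions below (`Elem`, `forward_to_device`, `handle_ctrl_avail_buggy`, `handle_ctrl_avail_fixed`, `run_scenario`) are stand-ins constructed for this example; `inject_failure` plays the role of the test hunk above that forces `dev_written = -EINVAL`. The release is instrumented with a flag instead of calling free() so the second release is counted rather than aborting the process.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for VirtQueueElement (constructed for this example, not QEMU's
 * real layout). `freed` lets us detect a second release safely. */
typedef struct {
    size_t len;
    unsigned char cmd[16];
    bool freed;
} Elem;

static int g_frees;        /* releases that hit a live element */
static int g_double_frees; /* releases that hit an already-freed element */

static Elem *elem_new(const unsigned char *cmd, size_t len)
{
    Elem *e = calloc(1, sizeof(*e));
    if (len > sizeof(e->cmd)) {
        len = sizeof(e->cmd);
    }
    memcpy(e->cmd, cmd, len);
    e->len = len;
    return e;
}

/* Instrumented release: counts instead of calling free() so the flag stays readable. */
static void elem_release(Elem *e)
{
    if (e->freed) {
        g_double_frees++;
        return;
    }
    e->freed = true;
    g_frees++;
}

/* Hypothetical "forward the CVQ command to the device" step. */
static int forward_to_device(const Elem *e, bool inject_failure)
{
    return inject_failure ? -EINVAL : (int)e->len;
}

/* Buggy shape: the element is released on every path, including failure. */
static int handle_ctrl_avail_buggy(Elem *e, bool inject_failure)
{
    int dev_written = forward_to_device(e, inject_failure);
    if (dev_written < 0) {
        goto out;
    }
    /* success path would complete the request here */
out:
    elem_release(e); /* wrong on the error path: the caller still owns e */
    return dev_written;
}

/* Fixed shape: on failure the element is left to the caller. */
static int handle_ctrl_avail_fixed(Elem *e, bool inject_failure)
{
    int dev_written = forward_to_device(e, inject_failure);
    if (dev_written < 0) {
        return dev_written; /* ownership stays with the caller */
    }
    elem_release(e); /* consumed: the handler owns it only on success */
    return dev_written;
}

typedef struct {
    int rc;
    int frees;
    int double_frees;
} Outcome;

/* Caller model: a negative return means "handler did not consume the
 * element", so the caller releases it itself. */
static Outcome run_scenario(bool use_fixed_handler, bool inject_failure)
{
    static const unsigned char cmd[] = { 0x00, 0x00 }; /* constructed sample */
    g_frees = 0;
    g_double_frees = 0;

    Elem *e = elem_new(cmd, sizeof(cmd));
    int rc = use_fixed_handler ? handle_ctrl_avail_fixed(e, inject_failure)
                               : handle_ctrl_avail_buggy(e, inject_failure);
    if (rc < 0) {
        elem_release(e); /* caller-side cleanup on handler failure */
    }

    Outcome o = { rc, g_frees, g_double_frees };
    free(e); /* backing allocation, released once the counters are read */
    return o;
}

int main(void)
{
    Outcome buggy = run_scenario(false, true);
    Outcome fixed = run_scenario(true, true);
    printf("buggy, forced failure: rc=%d frees=%d double_frees=%d\n",
           buggy.rc, buggy.frees, buggy.double_frees);
    printf("fixed, forced failure: rc=%d frees=%d double_frees=%d\n",
           fixed.rc, fixed.frees, fixed.double_frees);
    return 0;
}
```

The contract the fixed handler follows is the one the cover letter implies: a handler that reports failure must not have released the element, because the caller treats a negative return as "not consumed" and cleans up itself. Whichever side is chosen, exactly one of them may own the release on each path.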