From patchwork Tue Apr 9 10:55:34 2024
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 787194
From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Cc: Amit Shah , Paolo Bonzini , "Gonglei (Arei)" , Laurent Vivier , Gerd Hoffmann , "Michael S. Tsirkin" , =?utf-8?q?Marc-Andr=C3=A9_Lureau?= , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= Subject: [PATCH-for-9.0 v2 1/4] hw/virtio: Introduce virtio_bh_new_guarded() helper Date: Tue, 9 Apr 2024 12:55:34 +0200 Message-ID: <20240409105537.18308-2-philmd@linaro.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20240409105537.18308-1-philmd@linaro.org> References: <20240409105537.18308-1-philmd@linaro.org> MIME-Version: 1.0 Received-SPF: pass client-ip=2a00:1450:4864:20::235; envelope-from=philmd@linaro.org; helo=mail-lj1-x235.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded() but using the transport memory guard, instead of the device one (there can only be one virtio device per virtio bus). Inspired-by: Gerd Hoffmann Reviewed-by: Gerd Hoffmann Acked-by: Michael S. Tsirkin Signed-off-by: Philippe Mathieu-Daudé --- include/hw/virtio/virtio.h | 7 +++++++ hw/virtio/virtio.c | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h index b3c74a1bca..a4388c7db3 100644 --- a/include/hw/virtio/virtio.h +++ b/include/hw/virtio/virtio.h 
@@ -22,6 +22,7 @@ #include "standard-headers/linux/virtio_config.h" #include "standard-headers/linux/virtio_ring.h" #include "qom/object.h" +#include "block/aio.h" /* * A guest should never accept this. It implies negotiation is broken @@ -527,4 +528,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev) bool virtio_legacy_allowed(VirtIODevice *vdev); bool virtio_legacy_check_disabled(VirtIODevice *vdev); +QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name); +#define virtio_bh_new_guarded(dev, cb, opaque) \ + virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) + #endif diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index fb6b4ccd83..efe02deb77 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c 
@@ -4176,3 +4176,13 @@ static void virtio_register_types(void) } type_init(virtio_register_types) + +QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name) +{ + DeviceState *transport = qdev_get_parent_bus(dev)->parent; + + return qemu_bh_new_full(cb, opaque, name, + &transport->mem_reentrancy_guard); +} From patchwork Tue Apr 9 10:55:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 787198 Delivered-To: patch@linaro.org Received: by 2002:adf:fdd2:0:b0:346:15ad:a2a with SMTP id i18csp154571wrs; Tue, 9 Apr 2024 03:57:17 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXaEHeFOJOvHI6XR9QuShPUlPgR0OPV6uX4YqzZo3BrJqSdsydizKScTwgZYAezYNsSWX9Kowwb1WKDxtsdh4e8 X-Google-Smtp-Source: AGHT+IEi3WRfqly8d5c11AqnGoLLZ/WtEAvraB5xnKClacnMubJg1cCZIbcxAsAAe0QwuLPDBpEB X-Received: by 2002:a05:6214:19e5:b0:69b:1ecd:c7c0 with SMTP id q5-20020a05621419e500b0069b1ecdc7c0mr5436799qvc.39.1712660237535; Tue, 09 Apr 2024 03:57:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1712660237; cv=none; d=google.com; s=arc-20160816; b=AC7LCOygzsHayzqH7o9CMWaj5Zx1Y4H33/XXFwRzDwK1l0DCP/RtCzvpR4wcIVRl/D DfvL9UO2UtHb8xdskQhGxbwtIPNYtAxe4Mkn532431wBWBLADV+uCMwEzClUt++t1h7z iDiGorPG36YfIlxkrJOXnqXdraP4X96E60hZ/0KUdPNvlpwmvKDfGzqIWCAqtDi1jGyN AB/nla66TIWcjiFJOtieaTb0KUNJ2D81FKqU9SYQQiTXGHeEy2fi3UVV0XyNnkOZX3qz 74pxeYXrvw7P3gJgQ1oVMT1Y/PyR07LXu2B2berXkQ69jH5OygKR2MqnnS+oasMFUjT6 X5Mw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=7ftq4zs1KH4h2Nl8xlNfkOji3kcpdUIoLmwA4b59RfE=; fh=bDdqkbtH6aFW4lgKnCOAxcgEPDnd0fGhfEaFyXPuU4g=; 
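Review bot: the new declaration in virtio.h carries no comment on why the helper binds the bottom half to the transport's guard instead of the device's own `mem_reentrancy_guard`; that rationale (the MemoryRegion checked on the re-entrant path belongs to the transport, and a virtio bus carries exactly one virtio device) lives only in the commit message. Suggest a short comment above `QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,` stating that `dev` must be a virtio device already attached to its bus, since the helper walks up through the parent bus. Minor: `(stringify(cb))` in the `virtio_bh_new_guarded` macro has a redundant outer pair of parentheses.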
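Review bot: `qdev_get_parent_bus(dev)->parent` in `virtio_bh_new_guarded_full()` dereferences the parent bus and then its parent with no check, so a device that is not yet plugged into a bus would crash here rather than fail with a message. The helper is meant for realize, where the bus is guaranteed, so an explicit `assert()` on the bus pointer and on `transport` would document that invariant at no cost. Style: the definition is appended after `type_init(virtio_register_types)`, which by convention is the last statement in a QEMU source file; move the function above `virtio_register_types()`.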
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Amit Shah, Paolo Bonzini, "Gonglei (Arei)", Laurent Vivier, Gerd Hoffmann, "Michael S. Tsirkin", Marc-André Lureau, Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov, Yongkang Jia, Xiao Lei, Yiming Tao
Subject: [PATCH-for-9.0 v2 2/4] hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
Date: Tue, 9 Apr 2024 12:55:35 +0200
Message-ID: <20240409105537.18308-3-philmd@linaro.org>
In-Reply-To: <20240409105537.18308-1-philmd@linaro.org>

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard.
Otherwise the DMA-reentrancy protection can be bypassed: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest \ -m 512M \ -device virtio-gpu \ -qtest stdio outl 0xcf8 0x80000820 outl 0xcfc 0xe0004000 outl 0xcf8 0x80000804 outw 0xcfc 0x06 write 0xe0004030 0x4 0x024000e0 write 0xe0004028 0x1 0xff write 0xe0004020 0x4 0x00009300 write 0xe000401c 0x1 0x01 write 0x101 0x1 0x04 write 0x103 0x1 0x1c write 0x9301c8 0x1 0x18 write 0x105 0x1 0x1c write 0x107 0x1 0x1c write 0x109 0x1 0x1c write 0x10b 0x1 0x00 write 0x10d 0x1 0x00 write 0x10f 0x1 0x00 write 0x111 0x1 0x00 write 0x113 0x1 0x00 write 0x115 0x1 0x00 write 0x117 0x1 0x00 write 0x119 0x1 0x00 write 0x11b 0x1 0x00 write 0x11d 0x1 0x00 write 0x11f 0x1 0x00 write 0x121 0x1 0x00 write 0x123 0x1 0x00 write 0x125 0x1 0x00 write 0x127 0x1 0x00 write 0x129 0x1 0x00 write 0x12b 0x1 0x00 write 0x12d 0x1 0x00 write 0x12f 0x1 0x00 write 0x131 0x1 0x00 write 0x133 0x1 0x00 write 0x135 0x1 0x00 write 0x137 0x1 0x00 write 0x139 0x1 0x00 write 0xe0007003 0x1 0x00 EOF ... 
================================================================= ==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178 at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58 READ of size 8 at 0x60d000011178 thread T0 #0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42 #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5 #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13 #3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9 #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5 #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5 #8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9 #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5 #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11 #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9 #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14 #14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3 #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0) 0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8) freed by thread T0 here: #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662) #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9 #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9 #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5 #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5 #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18 previously allocated by thread T0 here: #0 0x562cc2adb90e in 
malloc (qemu-system-i386+0x239e90e) #1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678) #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12 #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16 #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15 #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5 #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response With this change, the same reproducer triggers: qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6 Fixes: CVE-2024-3446 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov Reported-by: Yongkang Jia Reported-by: Xiao Lei Reported-by: Yiming Tao Buglink: https://bugs.launchpad.net/qemu/+bug/1888606 Reviewed-by: Gerd Hoffmann Acked-by: Michael S. Tsirkin Signed-off-by: Philippe Mathieu-Daudé --- hw/display/virtio-gpu.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 78d5a4f164..ae831b6b3e 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c 
@@ -1492,10 +1492,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp) g->ctrl_vq = virtio_get_queue(vdev, 0); g->cursor_vq = virtio_get_queue(vdev, 1); - g->ctrl_bh = qemu_bh_new_guarded(virtio_gpu_ctrl_bh, g, - &qdev->mem_reentrancy_guard); - g->cursor_bh = qemu_bh_new_guarded(virtio_gpu_cursor_bh, g, - &qdev->mem_reentrancy_guard); + g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g); + g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g); g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g); qemu_cond_init(&g->reset_cond); QTAILQ_INIT(&g->reslist); From patchwork Tue Apr 9 10:55:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 787197 Delivered-To: patch@linaro.org Received: by 2002:adf:fdd2:0:b0:346:15ad:a2a with SMTP id i18csp154395wrs; Tue, 9 Apr 2024 03:56:43 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXuSa0IflggANW2pAdYIWDcR7/GhXFsuIHQ2Ron4sPPW3aWG1Wj5Tq3U29hXkjjbJzisGbmJEvBZjRJe/fcNASF X-Google-Smtp-Source: AGHT+IEMQbLplguwr4PGK7FmtV+0yAk3xy/RN5tew1PhxJQk0h0fA1tBN6j5g45fGlnAZ33FCE4d X-Received: by 2002:a37:e31a:0:b0:78d:6479:7c39 with SMTP id y26-20020a37e31a000000b0078d64797c39mr5803999qki.19.1712660202886; Tue, 09 Apr 2024 03:56:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1712660202; cv=none; d=google.com; s=arc-20160816; b=0R8QZEgARYeaoISe2sCBMryoGrfEvyfA+B95hufakWwkYALvttaB62M0O4sEnS5EzX 1LoanDMCiavsss3uLa7vvvXSMKBTAKKwiDIgmmFzYxF/IEnrVKYy/yn/g5PchamYG7d2 6G+DtvbJ8WY9n9HUywGSS5HBDgbpM/ioEW4iz2kDNkbCvMdiRdcH0YipzwVz1sSyo6Ke PbPN14kErhLXIioFehLfQ4FNpoXuF9Lvo4uGXBRwNdX74yldkViCbJ1iXD05OY+syrCJ LoCk6MsT9xYr6W091C3ah754GivUXQjqjq3ZLF10pwX6NCkScOCpyO9cIqRwJBR8w7g8 G7kg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive 
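Review bot: the hunk moves `ctrl_bh` and `cursor_bh` onto the transport guard but leaves `g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g);` unguarded in the same block. If that is intentional (the reset BH is not reachable from a guest-driven MMIO access), say so in the commit message so the next reader does not take it for an omission; if it is reachable, it needs the same `virtio_bh_new_guarded()` treatment.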
From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Cc: Amit Shah , Paolo Bonzini , "Gonglei (Arei)" , Laurent Vivier , Gerd Hoffmann , "Michael S. Tsirkin" , =?utf-8?q?Marc-Andr=C3=A9_Lureau?= , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , qemu-stable@nongnu.org, Alexander Bulekov Subject: [PATCH-for-9.0 v2 3/4] hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs Date: Tue, 9 Apr 2024 12:55:36 +0200 Message-ID: <20240409105537.18308-4-philmd@linaro.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20240409105537.18308-1-philmd@linaro.org> References: <20240409105537.18308-1-philmd@linaro.org> MIME-Version: 1.0 Received-SPF: pass client-ip=2a00:1450:4864:20::635; envelope-from=philmd@linaro.org; helo=mail-ej1-x635.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed. Fixes: CVE-2024-3446 Cc: qemu-stable@nongnu.org Suggested-by: Alexander Bulekov Reviewed-by: Gerd Hoffmann Acked-by: Michael S. Tsirkin Signed-off-by: Philippe Mathieu-Daudé --- hw/char/virtio-serial-bus.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c index 016aba6374..2094d213cd 100644 --- a/hw/char/virtio-serial-bus.c +++ b/hw/char/virtio-serial-bus.c 
@@ -985,8 +985,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp) return; } - port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port, - &dev->mem_reentrancy_guard); + port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port); port->elem = NULL; } From patchwork Tue Apr 9 10:55:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 787196 Delivered-To: patch@linaro.org Received: by 2002:adf:fdd2:0:b0:346:15ad:a2a with SMTP id i18csp154387wrs; Tue, 9 Apr 2024 03:56:41 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVHa0klsgc20gV2fT51fRpaRUgs9SZin0q+wNXm2w705k7626Bi5sPhqemGUzrPyI/TxDsPViRDTgOtP4VZXDKM X-Google-Smtp-Source: AGHT+IGGrlggfYTETiDLAXenFtL03LVTM0mHJiCIKYepMLJtU+QC/sx8iwIAFRncIvJM1SUpea8r X-Received: by 2002:a05:6214:d43:b0:690:c36d:f449 with SMTP id 3-20020a0562140d4300b00690c36df449mr13475675qvr.60.1712660201388; Tue, 09 Apr 2024 03:56:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1712660201; cv=none; d=google.com; s=arc-20160816; b=gWxLRIyTZ6n9CEFa1HPJq96/nC8YlZvCxXZhCSXIg9VkJK7bZN5ypHP6ZmcEzrprjU gG9hTO+0R83TJbmrfGenf/0mYfKRce2919fGkOvviM1atmOrLjvU6a6jIHSB5Ll9W1K0 iLEPcKSZ15KlGtr7FUQpj82wK3IHKAhzY80K8PD78vD+Za7lLv4a1DJawEvBTsEyDZ14 BTX4/fFNAKXom10a/G7o1AudZ2TZ/3k7OfmqhvYUUdQPEKjOAqV8otL5NDwtIqeXFUTn duiP7hvwWP1vwq2GV1QOmxuPEA4ucqkK04ZPmH1PvJ+dfy158gGlkMJd6hHFAK4djWcP tVbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=6X/is+z5mVOkZYdPvY4GBR/yTqnpSG/pltprumSeFRE=; fh=efaySp+CZJjT4zsbkUuQsSIewSY05qvC4k2De2XDAlo=; b=MbH8Fy2xzHDZaxV9E7zv32VcTBiObW5luWP8OFxtQ9aXSKMmC7fKsyajWxufkF+61b 
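Review bot: in `virtser_port_device_realize()`, `dev` is the port device, so `virtio_bh_new_guarded(dev, ...)` resolves `qdev_get_parent_bus(dev)->parent` to the device that owns the virtio-serial bus, i.e. the virtio-serial device itself, one level short of the PCI/MMIO transport whose guard is what the "Blocked re-entrant IO on MemoryRegion: virtio-pci-common-..." check in 2/4 tests. Confirm that this is the guard the re-entrant path actually consults, or pass the helper the VirtIODevice's DeviceState so the lookup lands on the transport as it does for virtio-gpu in 2/4; a one-line note in the commit message would settle it either way.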
([176.176.160.134]) by smtp.gmail.com with ESMTPSA id a59-20020a509ec1000000b0056bc0c44f02sm5289539edf.96.2024.04.09.03.56.03 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Tue, 09 Apr 2024 03:56:04 -0700 (PDT) From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Cc: Amit Shah , Paolo Bonzini , "Gonglei (Arei)" , Laurent Vivier , Gerd Hoffmann , "Michael S. Tsirkin" , =?utf-8?q?Marc-Andr=C3=A9_Lureau?= , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , qemu-stable@nongnu.org, Alexander Bulekov Subject: [PATCH-for-9.0 v2 4/4] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs Date: Tue, 9 Apr 2024 12:55:37 +0200 Message-ID: <20240409105537.18308-5-philmd@linaro.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20240409105537.18308-1-philmd@linaro.org> References: <20240409105537.18308-1-philmd@linaro.org> MIME-Version: 1.0 Received-SPF: pass client-ip=2a00:1450:4864:20::536; envelope-from=philmd@linaro.org; helo=mail-ed1-x536.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed. Fixes: CVE-2024-3446 Cc: qemu-stable@nongnu.org Suggested-by: Alexander Bulekov Reviewed-by: Gerd Hoffmann Acked-by: Michael S. Tsirkin Signed-off-by: Philippe Mathieu-Daudé --- hw/virtio/virtio-crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c index fe1313f2ad..bbe8aa4b99 100644 --- a/hw/virtio/virtio-crypto.c +++ b/hw/virtio/virtio-crypto.c @@ -1080,8 +1080,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp) vcrypto->vqs[i].dataq = virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh); vcrypto->vqs[i].dataq_bh = - qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i], - &dev->mem_reentrancy_guard); + virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh, + &vcrypto->vqs[i]); vcrypto->vqs[i].vcrypto = vcrypto; }
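Review bot: the hunk swaps the explicit `&dev->mem_reentrancy_guard` for a lookup inside virtio_bh_new_guarded(dev, ...), but the commit message only says that a mismatched guard lets the DMA-reentrancy protection be bypassed, without saying which device's guard is checked on MMIO entry and why `dev`'s own guard is the wrong one to engage from the BH. With Fixes: CVE-2024-3446 and Cc: qemu-stable on the message, one sentence on that would help stable maintainers judge the fix. Note also that virtio_bh_new_guarded() is not defined in this patch, so a stable backport must carry the earlier patch of the series that introduces it. The diffstat shows this is the only BH creation site touched in hw/virtio/virtio-crypto.c; worth double-checking that no other qemu_bh_new_guarded() caller with a per-device guard remains in the file.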
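The bypass the commit message alludes to, as an added toy model in C. This is not QEMU code and not part of the patch; every name in it (ReentrancyGuard, Device, BH, mmio_dispatch, bh_run, dataq_bh, reentry_possible) is invented for the illustration. The model assumes the relationship the "bus and device use the same guard" wording implies: the MMIO region belongs to the transport on the bus side and its dispatcher checks the transport's guard, while the old bottom half engaged only the backend device's own guard. With two separate guards, a DMA write issued from the bottom half that the guest has aimed at the device's own MMIO window is accepted; with one shared guard it is rejected.

```c
/* Added toy model of QEMU-style memory re-entrancy guards. Not QEMU code:
 * every name below (ReentrancyGuard, Device, BH, mmio_dispatch, bh_run,
 * reentry_possible) is invented for this illustration. */
#include <stdbool.h>
#include <stdio.h>

/* One flag per device, mirroring the idea of mem_reentrancy_guard. */
typedef struct { bool engaged_in_io; } ReentrancyGuard;

typedef struct Device {
    const char *name;
    ReentrancyGuard mem_reentrancy_guard;
} Device;

/* A bottom half remembers which guard it engages while it runs,
 * the way a "guarded" BH does. */
typedef struct BH {
    void (*cb)(struct BH *bh);
    void *opaque;
    ReentrancyGuard *guard;
} BH;

/* Model of MMIO dispatch: the region owner's guard is checked before the
 * handler runs. Returns true if the access was performed, false if it was
 * rejected as re-entrant. */
static bool mmio_dispatch(Device *owner, void (*handler)(Device *))
{
    if (owner->mem_reentrancy_guard.engaged_in_io) {
        fprintf(stderr, "%s: re-entrant MMIO access rejected\n", owner->name);
        return false;
    }
    owner->mem_reentrancy_guard.engaged_in_io = true;
    handler(owner);
    owner->mem_reentrancy_guard.engaged_in_io = false;
    return true;
}

/* Run a BH with its guard engaged for the duration of the callback. */
static void bh_run(BH *bh)
{
    bh->guard->engaged_in_io = true;
    bh->cb(bh);
    bh->guard->engaged_in_io = false;
}

typedef struct {
    Device *transport;          /* owner of the MMIO region (bus side) */
    bool nested_mmio_accepted;  /* did the nested access get through? */
} DataqCtx;

static void register_write_handler(Device *d)
{
    (void)d;                    /* a real handler would touch device state */
}

/* The data-queue BH: after processing a request it writes the result to
 * guest memory. If the guest pointed the result buffer at the device's own
 * MMIO window, that DMA write re-enters MMIO dispatch. */
static void dataq_bh(BH *bh)
{
    DataqCtx *ctx = bh->opaque;
    ctx->nested_mmio_accepted =
        mmio_dispatch(ctx->transport, register_write_handler);
}

/* share_guard == false: the BH engages the backend device's own guard (the
 * pre-fix pattern). share_guard == true: it engages the guard of the
 * transport that owns the MMIO region (what the series aims for).
 * Returns true when the re-entrant access was accepted, i.e. when the
 * protection was bypassed. */
bool reentry_possible(bool share_guard)
{
    Device transport = { "virtio transport", { false } };
    Device backend   = { "virtio-crypto-device", { false } };
    DataqCtx ctx = { &transport, false };
    BH bh = { dataq_bh, &ctx,
              share_guard ? &transport.mem_reentrancy_guard
                          : &backend.mem_reentrancy_guard };

    bh_run(&bh);
    return ctx.nested_mmio_accepted;
}

int main(void)
{
    printf("separate guards: re-entry %s\n",
           reentry_possible(false) ? "accepted (bypass)" : "blocked");
    printf("shared guard:    re-entry %s\n",
           reentry_possible(true) ? "accepted (bypass)" : "blocked");
    return 0;
}
```

reentry_possible(false) models the removed qemu_bh_new_guarded(..., &dev->mem_reentrancy_guard) pattern and returns true: the nested access is let through because the dispatcher inspects a guard the BH never engaged. reentry_possible(true) models a BH guarded by the same guard the MMIO path checks and returns false. The model deliberately omits everything else (address translation, the real dispatch path, the actual virtio-crypto handlers); it only isolates why the choice of guard decides whether the protection holds.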