Module Name: src Committed By: yamaguchi Date: Fri Apr 21 02:17:32 UTC 2023
Modified Files: src/sys/dev/pci: virtio.c Log Message: virtio(4): change members of struct vring_desc_extra before free a slot This prevents the following race condition. 1. Thread-A: calls virtio_dequeue_commit() and puts a slot into free descriptor chain in vq_free_slot() 2. Thread-B: calls virtio_enqueue_prep() and get the slot stored by Thread-A 3. Thread-B: calls virtio_enqueue_reserve() and changes desc_base and desc_free_idx for the slot 4. Thread-A: changes the same members updated by Thread-B reported by hannken, thanks. To generate a diff of this commit: cvs rdiff -u -r1.77 -r1.78 src/sys/dev/pci/virtio.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/pci/virtio.c diff -u src/sys/dev/pci/virtio.c:1.77 src/sys/dev/pci/virtio.c:1.78 --- src/sys/dev/pci/virtio.c:1.77 Wed Apr 19 00:40:30 2023 +++ src/sys/dev/pci/virtio.c Fri Apr 21 02:17:32 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: virtio.c,v 1.77 2023/04/19 00:40:30 yamaguchi Exp $ */ +/* $NetBSD: virtio.c,v 1.78 2023/04/21 02:17:32 yamaguchi Exp $ */ /* * Copyright (c) 2020 The NetBSD Foundation, Inc. @@ -28,7 +28,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.77 2023/04/19 00:40:30 yamaguchi Exp $"); +__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.78 2023/04/21 02:17:32 yamaguchi Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -1258,12 +1258,12 @@ virtio_enqueue_abort(struct virtio_softc { struct vring_desc_extra *vdx; - vq_free_slot(sc, vq, slot); - vdx = &vq->vq_descx[slot]; vdx->desc_free_idx = VRING_DESC_CHAIN_END; vdx->desc_base = NULL; + vq_free_slot(sc, vq, slot); + return 0; } @@ -1308,12 +1308,12 @@ virtio_dequeue_commit(struct virtio_soft { struct vring_desc_extra *vdx; - vq_free_slot(sc, vq, slot); - vdx = &vq->vq_descx[slot]; vdx->desc_base = NULL; vdx->desc_free_idx = VRING_DESC_CHAIN_END; + vq_free_slot(sc, vq, slot); + return 0; }
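Review bot: Nothing in virtio_enqueue_abort() records that the two `vdx` stores must now come before `vq_free_slot()`, so a later tidy-up could restore the old order and bring back the slot-reuse race described in the log message. The same applies to the matching reorder in virtio_dequeue_commit(). I would add above the call in both functions: `/* Reset vdx first: once vq_free_slot() returns, another thread may already own this slot. */`. The fix also appears to depend on vq_free_slot() publishing the slot with at least release ordering, presumably through a lock taken inside it, which is not visible in these hunks; that is worth confirming for weakly ordered CPUs. Both functions' signatures begin outside their hunks.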