+++ /dev/null
-From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Thu, 27 Apr 2023 17:10:06 -0400
-Subject: [PATCH] memory: prevent dma-reentracy issues
-
-Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
-This flag is set/checked prior to calling a device's MemoryRegion
-handlers, and set when device code initiates DMA. The purpose of this
-flag is to prevent two types of DMA-based reentrancy issues:
-
-1.) mmio -> dma -> mmio case
-2.) bh -> dma write -> mmio case
-
-These issues have led to problems such as stack-exhaustion and
-use-after-frees.
-
-Summary of the problem from Peter Maydell:
-https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
-Resolves: CVE-2023-0330
-
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Message-Id: <20230427211013.2994127-2-alxndr@bu.edu>
-[thuth: Replace warn_report() with warn_report_once()]
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-
-Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
-CVE: CVE-2023-0330
-Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
----
- include/exec/memory.h | 5 +++++
- include/hw/qdev-core.h | 7 +++++++
- memory.c | 16 ++++++++++++++++
- 3 files changed, 28 insertions(+)
-
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index 2b8bccdd..0c8cdb8e 100644
---- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -378,6 +378,8 @@ struct MemoryRegion {
- bool is_iommu;
- RAMBlock *ram_block;
- Object *owner;
-+ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */
-+ DeviceState *dev;
-
- const MemoryRegionOps *ops;
- void *opaque;
-@@ -400,6 +402,9 @@ struct MemoryRegion {
- const char *name;
- unsigned ioeventfd_nb;
- MemoryRegionIoeventfd *ioeventfds;
-+
-+ /* For devices designed to perform re-entrant IO into their own IO MRs */
-+ bool disable_reentrancy_guard;
- };
-
- struct IOMMUMemoryRegion {
-diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
-index 1518495b..206f0a70 100644
---- a/include/hw/qdev-core.h
-+++ b/include/hw/qdev-core.h
-@@ -138,6 +138,10 @@ struct NamedGPIOList {
- QLIST_ENTRY(NamedGPIOList) node;
- };
-
-+typedef struct {
-+ bool engaged_in_io;
-+} MemReentrancyGuard;
-+
- /**
- * DeviceState:
- * @realized: Indicates whether the device has been fully constructed.
-@@ -163,6 +167,9 @@ struct DeviceState {
- int num_child_bus;
- int instance_id_alias;
- int alias_required_for_version;
-+
-+ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
-+ MemReentrancyGuard mem_reentrancy_guard;
- };
-
- struct DeviceListener {
-diff --git a/memory.c b/memory.c
-index 8cafb86a..94ebcaf9 100644
---- a/memory.c
-+++ b/memory.c
-@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
- access_size_max = 4;
- }
-
-+ /* Do not allow more than one simultaneous access to a device's IO Regions */
-+ if (mr->dev && !mr->disable_reentrancy_guard &&
-+ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) {
-+ if (mr->dev->mem_reentrancy_guard.engaged_in_io) {
-+ warn_report_once("Blocked re-entrant IO on MemoryRegion: "
-+ "%s at addr: 0x%" HWADDR_PRIX,
-+ memory_region_name(mr), addr);
-+ return MEMTX_ACCESS_ERROR;
-+ }
-+ mr->dev->mem_reentrancy_guard.engaged_in_io = true;
-+ }
-+
- /* FIXME: support unaligned access? */
- access_size = MAX(MIN(size, access_size_max), access_size_min);
- access_mask = MAKE_64BIT_MASK(0, access_size * 8);
-@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr,
- access_mask, attrs);
- }
- }
-+ if (mr->dev) {
-+ mr->dev->mem_reentrancy_guard.engaged_in_io = false;
-+ }
- return r;
- }
-
-@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr,
- }
- mr->name = g_strdup(name);
- mr->owner = owner;
-+ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE);
- mr->ram_block = NULL;
-
- if (name) {
---
-2.25.1
-
projects / thirdparty / openembedded / openembedded-core.git / commitdiff
