
[qemu-xen stable-4.14] virtio-balloon: Prevent guest from starting a report when we didn't request one



commit 67808fda375e3a795ae84f3fb19b540f954fa96a
Author:     Alexander Duyck <alexander.h.duyck@xxxxxxxxxxxxxxx>
AuthorDate: Mon Jul 20 10:51:15 2020 -0700
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Wed Sep 2 19:06:19 2020 -0500

    virtio-balloon: Prevent guest from starting a report when we didn't request one
    
    Based on code review it appears possible for the driver to force the device
    out of a stopped state when hinting by repeating the last ID it was
    provided.
    
    Prevent this by only allowing a transition to the start state when we are
    in the requested state. This way the driver is only allowed to send one
    descriptor that will transition the device into the start state. All others
    will leave it in the stop state once it has finished.
    
    Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
    Acked-by: David Hildenbrand <david@xxxxxxxxxx>
    Signed-off-by: Alexander Duyck <alexander.h.duyck@xxxxxxxxxxxxxxx>
    Message-Id: <20200720175115.21935.99563.stgit@localhost.localdomain>
    Cc: qemu-stable@xxxxxxxxxx
    Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
    Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
    (cherry picked from commit 20a4da0f23078deeff5ea6d1e12f47d968d7c3c9)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
 hw/virtio/virtio-balloon.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index e20f90dad4..a30a0c7bfa 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -466,7 +466,8 @@ static bool get_free_page_hints(VirtIOBalloon *dev)
             ret = false;
             goto out;
         }
-        if (id == dev->free_page_report_cmd_id) {
+        if (dev->free_page_report_status == FREE_PAGE_REPORT_S_REQUESTED &&
+            id == dev->free_page_report_cmd_id) {
             dev->free_page_report_status = FREE_PAGE_REPORT_S_START;
         } else {
             /*
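Review bot: With the FREE_PAGE_REPORT_S_REQUESTED test added to the `if`, a descriptor that carries the current free_page_report_cmd_id while the status is anything other than REQUESTED (including an already running START) now falls through to the `else` branch, whose body is cut off after the opening `/*` in this hunk. Please confirm that branch behaves correctly for a matching id and was not written on the assumption that it only ever sees a mismatched one; the commit message says such descriptors should leave the device in the stop state. A short comment above the condition recording why the status check exists (the driver can repeat the last id it was given) would also keep the rationale from living only in the commit log.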
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#stable-4.14



 

