On Thu, 16 Mar 2023 at 16:21, Akihiko Odaki <akihiko.odaki@daynix.com> wrote:
A guest may request ask a memory-mapped device to perform DMA. If the
address specified for DMA is the device performing DMA, it will create
recursion. It is very unlikely that device implementations are prepared
for such an abnormal access, which can result in unpredictable behavior.
In particular, such a recursion breaks e1000e, a network device. If
the device is configured to write the received packet to the register
to trigger receiving, it triggers re-entry to the Rx logic of e1000e.
This causes use-after-free since the Rx logic is not re-entrant.
As there should be no valid reason to perform recursive memory access,
check for recursion before accessing memory-mapped device.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1543
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
---
V1 -> V2: Marked the variable thread-local. Introduced linked list.
Don't we already have proposals on the mailing list for
addressing this? How does this patch differ from those?
Also, "device A DMAs to device A" is only a subset of the problems --
you can also have "device A DMAs to device B which triggers DMA to
device A" and more complicated situations.
thanks
-- PMM