|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [qemu-xen master] virtio-balloon: Prevent guest from starting a report when we didn't request one
commit 20a4da0f23078deeff5ea6d1e12f47d968d7c3c9
Author: Alexander Duyck <alexander.h.duyck@xxxxxxxxxxxxxxx>
AuthorDate: Mon Jul 20 10:51:15 2020 -0700
Commit: Michael S. Tsirkin <mst@xxxxxxxxxx>
CommitDate: Wed Jul 22 07:57:07 2020 -0400
virtio-balloon: Prevent guest from starting a report when we didn't request
one
Based on code review it appears possible for the driver to force the device
out of a stopped state when hinting by repeating the last ID it was
provided.
Prevent this by only allowing a transition to the start state when we are
in the requested state. This way the driver is only allowed to send one
descriptor that will transition the device into the start state. All others
will leave it in the stop state once it has finished.
Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Acked-by: David Hildenbrand <david@xxxxxxxxxx>
Signed-off-by: Alexander Duyck <alexander.h.duyck@xxxxxxxxxxxxxxx>
Message-Id: <20200720175115.21935.99563.stgit@localhost.localdomain>
Cc: qemu-stable@xxxxxxxxxx
Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
---
hw/virtio/virtio-balloon.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index e670f1e595..ce70adcc69 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -526,7 +526,8 @@ static bool get_free_page_hints(VirtIOBalloon *dev)
ret = false;
goto out;
}
- if (id == dev->free_page_report_cmd_id) {
+ if (dev->free_page_report_status == FREE_PAGE_REPORT_S_REQUESTED &&
+ id == dev->free_page_report_cmd_id) {
dev->free_page_report_status = FREE_PAGE_REPORT_S_START;
} else {
/*
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |