[src/trunk]: src/sys/dev/pci virtio(4): change members of struct vring_desc_e...

[yamaguchi <yamaguchi%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/37a0ead151b4
branches:  trunk
changeset: 374358:37a0ead151b4
user:      yamaguchi <yamaguchi%NetBSD.org@localhost>
date:      Fri Apr 21 02:17:32 2023 +0000

description:
virtio(4): change members of struct vring_desc_extra before free a slot

This prevents the following race condition.
1. Thread-A: calls virtio_dequeue_commit() and
             puts a slot into free descriptor chain in vq_free_slot()
2. Thread-B: calls virtio_enqueue_prep() and get the slot stored by Thread-A
3. Thread-B: calls virtio_enqueue_reserve() and
             changes desc_base and desc_free_idx for the slot
4. Thread-A: changes the same members updated by Thread-B

reported by hannken, thanks.

diffstat:

 sys/dev/pci/virtio.c |  12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diffs (48 lines):

diff -r 2c7900adf0a4 -r 37a0ead151b4 sys/dev/pci/virtio.c
--- a/sys/dev/pci/virtio.c      Thu Apr 20 22:23:53 2023 +0000
+++ b/sys/dev/pci/virtio.c      Fri Apr 21 02:17:32 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: virtio.c,v 1.77 2023/04/19 00:40:30 yamaguchi Exp $    */
+/*     $NetBSD: virtio.c,v 1.78 2023/04/21 02:17:32 yamaguchi Exp $    */
 
 /*
  * Copyright (c) 2020 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.77 2023/04/19 00:40:30 yamaguchi Exp $");
+__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.78 2023/04/21 02:17:32 yamaguchi Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1258,12 +1258,12 @@ virtio_enqueue_abort(struct virtio_softc
 {
        struct vring_desc_extra *vdx;
 
-       vq_free_slot(sc, vq, slot);
-
        vdx = &vq->vq_descx[slot];
        vdx->desc_free_idx = VRING_DESC_CHAIN_END;
        vdx->desc_base = NULL;
 
+       vq_free_slot(sc, vq, slot);
+
        return 0;
 }
 
@@ -1308,12 +1308,12 @@ virtio_dequeue_commit(struct virtio_soft
 {
        struct vring_desc_extra *vdx;
 
-       vq_free_slot(sc, vq, slot);
-
        vdx = &vq->vq_descx[slot];
        vdx->desc_base = NULL;
        vdx->desc_free_idx = VRING_DESC_CHAIN_END;
 
+       vq_free_slot(sc, vq, slot);
+
        return 0;
 }