Re: kern/57304: Recent updates to virtio trigger KASSERT with virtio_mmio on aarch64

[Taylor R Campbell <riastradh%NetBSD.org@localhost>]

The following reply was made to PR kern/57304; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: Nick Hudson <skrll%NetBSD.org@localhost>
Cc: yamaguchi%NetBSD.org@localhost, gnats-bugs%NetBSD.org@localhost
Subject: Re: kern/57304: Recent updates to virtio trigger KASSERT with virtio_mmio on aarch64
Date: Wed, 29 Mar 2023 04:38:35 +0000

 This is a multi-part message in MIME format.
 --=_tVq9BOFzAnpXS9N5Qy8XBZQoi+hFOgDk
 Content-Transfer-Encoding: quoted-printable
 
 > Date: Wed, 29 Mar 2023 04:37:02 +0000
 > From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
 >=20
 > Looks like syzkaller hit this too:
 >=20
 > https://syzkaller.appspot.com/bug?id=3Db5dca2969f8f18418beda74c5f7998a5c3=
 8ba7ef
 >=20
 > I'm testing the attached change as a candidate fix for this.
 
 Not that change, which is empty, oops -- this change!
 
 --=_tVq9BOFzAnpXS9N5Qy8XBZQoi+hFOgDk
 Content-Type: text/plain; charset="ISO-8859-1"; name="allocvq"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: attachment; filename="allocvq.patch"
 
 From 41606c9357700373b7d4f3e3c22e58322d1a5a79 Mon Sep 17 00:00:00 2001
 From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
 Date: Wed, 29 Mar 2023 04:27:31 +0000
 Subject: [PATCH] virtio(4): Fix sizing of virtqueue allocation.
 
 vq->vq_avail[0].ring is a zero-length array, and thus sizeof is zero;
 likewise vq->vq_used[0].ring.
 
 Use vq->vq_avail[0].ring[0] and vq->vq_used[0].ring[0] to fix this
 and restore the previous allocation sizing logic.
 
 XXX We shouldn't use zero-length arrays here -- they are asking for
 trouble like this, and C99 has a standard way to express what we're
 actually trying to get at it, flexible array members.
 
 PR kern/57304
 
 Reported-by: syzbot+7fb1047f5dfa33b26331%syzkaller.appspotmail.com@localhost
 ---
  sys/dev/pci/virtio.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sys/dev/pci/virtio.c b/sys/dev/pci/virtio.c
 index 70209f164a86..1ffd6c62fe35 100644
 --- a/sys/dev/pci/virtio.c
 +++ b/sys/dev/pci/virtio.c
 @@ -784,9 +784,9 @@ virtio_alloc_vq(struct virtio_softc *sc, struct virtque=
 ue *vq,
 =20
  	size_desc =3D sizeof(vq->vq_desc[0]) * vq_num;
  	size_avail =3D sizeof(uint16_t) * hdrlen
 -	    + sizeof(vq->vq_avail[0].ring) * vq_num;
 +	    + sizeof(vq->vq_avail[0].ring[0]) * vq_num;
  	size_used =3D sizeof(uint16_t) *hdrlen
 -	    + sizeof(vq->vq_used[0].ring) * vq_num;
 +	    + sizeof(vq->vq_used[0].ring[0]) * vq_num;
  	size_indirect =3D (sc->sc_indirect && maxnsegs >=3D MINSEG_INDIRECT) ?
  	    sizeof(struct vring_desc) * maxnsegs * vq_num : 0;
 =20
 
 --=_tVq9BOFzAnpXS9N5Qy8XBZQoi+hFOgDk--