On 24.03.2026 09:01, Junjie Cao wrote:
virtio_net_handle_rss() enforces that indirections_len is a non-zero power of two no larger than VIRTIO_NET_RSS_MAX_TABLE_LEN, but virtio_net_rss_post_load() applies none of these checks to values restored from the migration stream. A corrupted save file or crafted migration stream can set indirections_len to 0. Even if it also clears redirect, virtio_load() calls set_features_nocheck() after the device vmstate (including the RSS subsection and its post_load) has already been loaded, re-deriving redirect from the negotiated guest features. When VIRTIO_NET_F_RSS was negotiated, redirect is set back to true regardless of the migration stream value. The receive path then computes hash & (indirections_len - 1) /* wraps to 0xFFFFFFFF via int promotion */ and uses the result to index into indirections_table, which was not allocated by the VMState loader when the element count is zero (see vmstate_handle_alloc()), resulting in a NULL pointer dereference that crashes QEMU:

#0 virtio_net_process_rss ../hw/net/virtio-net.c:1901
#1 virtio_net_receive_rcu ../hw/net/virtio-net.c:1921
#2 virtio_net_do_receive ../hw/net/virtio-net.c:2061
#3 nc_sendv_compat ../net/net.c:823
#4 qemu_deliver_packet_iov ../net/net.c:870

The RSS subsection is only loaded when rss_data.enabled is true (via virtio_net_rss_needed()), and the command path always produces indirections_len in {1, 2, 4, …, 128}, so an unconditional check cannot reject a legitimate migration stream.

Factor the validation into virtio_net_rss_indirections_len_valid() and call it from both virtio_net_handle_rss() and virtio_net_rss_post_load().

Fixes: e41b711485e5 ("virtio-net: add migration support for RSS and hash report")
Cc: [email protected]
Signed-off-by: Junjie Cao <[email protected]>
Hi! Has this patch been forgotten, or is it not needed anymore? I'm preparing the next set of the stable qemu releases; if it's needed, it would be nice if it lands in the master branch in the next 10 days.

Thanks,
/mjt
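The check the quoted message describes, as an added stand-alone C illustration rather than the QEMU patch itself: a model of virtio_net_rss_indirections_len_valid() with the same constraints the command path enforces, the index computation that shows why an unchecked zero length wraps, and a post_load stub that rejects the value. The RssData struct, the 128 bound (taken from the {1, 2, 4, …, 128} set in the message) and the return convention of the stub are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound used here; the message says the command path yields 1..128. */
#define VIRTIO_NET_RSS_MAX_TABLE_LEN 128

/* Constructed stand-in for the RSS state the message talks about. */
typedef struct {
    bool enabled;
    bool redirect;
    uint16_t indirections_len;
    uint16_t *indirections_table;  /* NULL when the loader allocated 0 elements */
} RssData;

/* Shared check for both the command path and post_load:
 * non-zero, a power of two, and no larger than the table maximum. */
static bool virtio_net_rss_indirections_len_valid(uint16_t len)
{
    return len != 0 &&
           len <= VIRTIO_NET_RSS_MAX_TABLE_LEN &&
           (len & (len - 1)) == 0;
}

/* Models the receive-path computation hash & (len - 1).
 * len is promoted to int, so len == 0 yields a mask of -1 (0xFFFFFFFF)
 * and the "index" is the whole hash instead of a value below the table size. */
static uint32_t rss_table_index(uint32_t hash, uint16_t len)
{
    return hash & (len - 1);
}

/* post_load with the validation applied: returns 0 on success, -1 if the
 * restored length would have been rejected by the command path. */
static int virtio_net_rss_post_load(const RssData *rss)
{
    if (!virtio_net_rss_indirections_len_valid(rss->indirections_len)) {
        return -1;
    }
    return 0;
}

int main(void)
{
    RssData bad = { .enabled = true, .redirect = true,
                    .indirections_len = 0, .indirections_table = NULL };
    printf("index for len=0:   0x%08x\n", rss_table_index(0x1234, 0));
    printf("index for len=128: 0x%08x\n", rss_table_index(0x1234, 128));
    printf("post_load(len=0) -> %d\n", virtio_net_rss_post_load(&bad));
    return 0;
}
```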
