On 13/5/26 08:42, Michael Tokarev wrote:
> On 24.03.2026 09:01, Junjie Cao wrote:
>> virtio_net_handle_rss() enforces that indirections_len is a non-zero
>> power of two no larger than VIRTIO_NET_RSS_MAX_TABLE_LEN, but
>> virtio_net_rss_post_load() applies none of these checks to values
>> restored from the migration stream.
>>
>> A corrupted save file or crafted migration stream can set
>> indirections_len to 0. Even if it also clears redirect,
>> virtio_load() calls set_features_nocheck() after the device vmstate
>> (including the RSS subsection and its post_load) has already been
>> loaded, re-deriving redirect from the negotiated guest features.
>> When VIRTIO_NET_F_RSS was negotiated, redirect is set back to true
>> regardless of the migration stream value. The receive path then
>> computes
>>
>>     hash & (indirections_len - 1) /* wraps to 0xFFFFFFFF via int promotion */
>>
>> and uses the result to index into indirections_table, which was not
>> allocated by the VMState loader when the element count is zero (see
>> vmstate_handle_alloc()), resulting in a NULL pointer dereference that
>> crashes QEMU:
>>
>>     #0 virtio_net_process_rss ../hw/net/virtio-net.c:1901
>>     #1 virtio_net_receive_rcu ../hw/net/virtio-net.c:1921
>>     #2 virtio_net_do_receive ../hw/net/virtio-net.c:2061
>>     #3 nc_sendv_compat ../net/net.c:823
>>     #4 qemu_deliver_packet_iov ../net/net.c:870
>>
>> The RSS subsection is only loaded when rss_data.enabled is true (via
>> virtio_net_rss_needed()), and the command path always produces
>> indirections_len in {1, 2, 4, …, 128}, so an unconditional check
>> cannot reject a legitimate migration stream.
>>
>> Factor the validation into virtio_net_rss_indirections_len_valid()
>> and call it from both virtio_net_handle_rss() and
>> virtio_net_rss_post_load().
>>
>> Fixes: e41b711485e5 ("virtio-net: add migration support for RSS and hash report")
>> Cc: [email protected]
>> Signed-off-by: Junjie Cao <[email protected]>
>
> Hi!
>
> Has this patch been forgotten, or is it not needed anymore?

Jason went AWOL regarding net/ and hw/net/ related patches
(while net/ is 'Maintained', hw/net/ only supports 'Odd Fixes').
BTW eBPF is also listed as 'Maintained' by Jason.

I'm trying to help with hw/net/ when it isn't too specific.
This particular one is VirtIO so I'll let Michael have a look,
as per MAINTAINERS:

  virtio
  M: Michael S. Tsirkin <[email protected]>
  S: Supported
  F: hw/*/virtio*

> I'm preparing next set of the stable qemu releases, if it's needed,
> it would be nice if it lands in the master branch in the next 10
> days.
>
> Thanks,
>
> /mjt
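As an added illustration of the mechanism the patch message describes (this is not code from the patch or from QEMU), the following C program puts the validation the message asks for next to the receive-path mask computation, so the int-promotion wrap on a zero length and the guarded lookup can be observed directly. VIRTIO_NET_RSS_MAX_TABLE_LEN is hard-coded to 128 here, the bound implied by the message's {1, 2, 4, …, 128} range; the function names, the 16-bit length type and the sample table are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound on the RSS indirection table, matching the {1, ..., 128}
 * range in the message; hard-coded so the example builds stand-alone. */
#define VIRTIO_NET_RSS_MAX_TABLE_LEN 128

/* The check the patch message describes: non-zero, a power of two, and no
 * larger than the maximum. Illustrative stand-in for the helper the patch
 * proposes, not the QEMU function itself. */
static bool rss_indirections_len_valid(uint16_t indirections_len)
{
    return indirections_len != 0 &&
           indirections_len <= VIRTIO_NET_RSS_MAX_TABLE_LEN &&
           (indirections_len & (indirections_len - 1)) == 0;
}

/* The mask the receive path applies to the packet hash. With a 16-bit
 * length of 0, (indirections_len - 1) is evaluated as int and yields -1,
 * which becomes 0xFFFFFFFF in the 32-bit unsigned hash type: every bit of
 * the hash survives, so the resulting "index" is unbounded. */
static uint32_t rss_index_mask(uint16_t indirections_len)
{
    return (uint32_t)(indirections_len - 1);
}

/* Table lookup guarded by the validation. Returns the queue index from the
 * table, or -1 when the length is invalid or no table was allocated
 * (the post_load situation from the message: length 0, table NULL). */
static int rss_table_lookup(const uint16_t *table, uint16_t indirections_len,
                            uint32_t hash)
{
    if (table == NULL || !rss_indirections_len_valid(indirections_len)) {
        return -1;
    }
    return table[hash & rss_index_mask(indirections_len)];
}

int main(void)
{
    /* Constructed sample table: four buckets mapping to queue numbers. */
    const uint16_t table[4] = { 3, 5, 7, 9 };
    uint32_t hash = 0x12345679u;

    printf("valid(0)=%d valid(3)=%d valid(64)=%d valid(256)=%d\n",
           rss_indirections_len_valid(0), rss_indirections_len_valid(3),
           rss_indirections_len_valid(64), rss_indirections_len_valid(256));
    printf("mask(0)=0x%08x mask(4)=0x%08x\n",
           rss_index_mask(0), rss_index_mask(4));
    printf("lookup(table, 4, hash)=%d\n", rss_table_lookup(table, 4, hash));
    printf("lookup(NULL, 0, hash)=%d\n", rss_table_lookup(NULL, 0, hash));
    return 0;
}
```

The point to take from the mask function is that the wrap happens before any table access: once the length has been validated at the boundary (command path and post_load alike), the mask is always `len - 1` for a power-of-two `len`, and the indexed element is guaranteed to lie inside the allocated table.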