Patch "virtio: packed: fix unmap leak for indirect desc table" has been added to the 6.7-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 24 Mar 2024 14:19:16 -0400

This is a note to let you know that I've just added the patch titled

    virtio: packed: fix unmap leak for indirect desc table

to the 6.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     virtio-packed-fix-unmap-leak-for-indirect-desc-table.patch
and it can be found in the queue-6.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4c99157e3edfd738f038c62d357a5f20023f7cbd
Author: Xuan Zhuo <xuanzhuo@xxxxxxxxxxxxxxxxx>
Date:   Fri Feb 23 15:18:33 2024 +0800

    virtio: packed: fix unmap leak for indirect desc table
    
    [ Upstream commit d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd ]
    
    When use_dma_api and premapped are true, then the do_unmap is false.
    
    Because the do_unmap is false, vring_unmap_extra_packed is not called by
    detach_buf_packed.
    
      if (unlikely(vq->do_unmap)) {
                    curr = id;
                    for (i = 0; i < state->num; i++) {
                            vring_unmap_extra_packed(vq,
                                                     &vq->packed.desc_extra[curr]);
                            curr = vq->packed.desc_extra[curr].next;
                    }
      }
    
    So the indirect desc table is not unmapped. This causes the unmap leak.
    
    So here, we check vq->use_dma_api instead. Synchronously, dma info is
    updated based on use_dma_api judgment
    
    This bug does not occur, because no driver use the premapped with
    indirect.
    
    Fixes: b319940f83c2 ("virtio_ring: skip unmap for premapped")
    Signed-off-by: Xuan Zhuo <xuanzhuo@xxxxxxxxxxxxxxxxx>
    Message-Id: <20240223071833.26095-1-xuanzhuo@xxxxxxxxxxxxxxxxx>
    Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 49299b1f9ec74..6f7e5010a6735 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -1340,7 +1340,7 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq,
 				sizeof(struct vring_packed_desc));
 	vq->packed.vring.desc[head].id = cpu_to_le16(id);
 
-	if (vq->do_unmap) {
+	if (vq->use_dma_api) {
 		vq->packed.desc_extra[id].addr = addr;
 		vq->packed.desc_extra[id].len = total_sg *
 				sizeof(struct vring_packed_desc);
@@ -1481,7 +1481,7 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq,
 			desc[i].len = cpu_to_le32(sg->length);
 			desc[i].id = cpu_to_le16(id);
 
-			if (unlikely(vq->do_unmap)) {
+			if (unlikely(vq->use_dma_api)) {
 				vq->packed.desc_extra[curr].addr = addr;
 				vq->packed.desc_extra[curr].len = sg->length;
 				vq->packed.desc_extra[curr].flags =
@@ -1615,7 +1615,7 @@ static void detach_buf_packed(struct vring_virtqueue *vq,
 	vq->free_head = id;
 	vq->vq.num_free += state->num;
 
-	if (unlikely(vq->do_unmap)) {
+	if (unlikely(vq->use_dma_api)) {
 		curr = id;
 		for (i = 0; i < state->num; i++) {
 			vring_unmap_extra_packed(vq,







