virtio: order index/descriptor reads

virtio has the equivalent of: if (vq->last_avail_index != vring_avail_idx(vq)) { read descriptor head at vq->last_avail_index; } In theory, processor can reorder descriptor head read to happen speculatively before the index read. this would trigger the following race: host descriptor head read <- reads invalid head from ring guest writes valid descriptor head guest writes avail index host avail index read <- observes valid index as a result host will use an invalid head value. This was not observed in the field by me but after the experience with the previous two races I think it is prudent to address this theoretical race condition. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2025-08-04 00:03:54 -06:00 · 2012-04-23 15:46:22 +03:00 · 2012-04-23 15:46:22 +03:00 · a821ce5933
commit a821ce5933
parent 92045d80ba
2 changed files with 17 additions and 2 deletions
--- a/hw/virtio.c
+++ b/hw/virtio.c
@ -287,6 +287,11 @@ static int virtqueue_num_heads(VirtQueue *vq, unsigned int idx)
                     idx, vring_avail_idx(vq));
        exit(1);
    }
+    /* On success, callers read a descriptor at vq->last_avail_idx.
+     * Make sure descriptor read does not bypass avail index read. */
+    if (num_heads) {
+        smp_rmb();
+    }

    return num_heads;
 }