[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (VIRTIO-35) race condition with multi-dword config accesses
[ https://tools.oasis-open.org/issues/browse/VIRTIO-35?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Tsirkin updated VIRTIO-35:
----------------------------------
Affects Version/s: virtio 0.9.X legacy
Description:
on many architectures, accesses larger than 32 bit can not be atomic.
Thus access to a device config field of >4 bytes is inherently racy
in case field can change.
For example, virtio-blk has
u64 capacity;
The following race can trigger:
driver reads low 32 bit
both low and high 32 bit change
driver reads high 32 bit
as a result, capacity observed is composed of
old low bits and new high bits which does not
make sense.
For legacy devices, spec allowed byte by byte access,
making the race even more common.
was:
on many architectures, accesses larger than 32 bit can not be atomic.
Thus access to a device config field of >4 bytes is inherently racy
in case field can change.
For example, virtio-blk has
u64 capacity;
The following race can trigger:
driver reads low 32 bit
both low and high 32 bit change
driver reads high 32 bit
as a result, capacity observed is composed of
old low bits and new high bits which does not
make sense.
For legacy devices, spec allowed byte by byte access,
making the race even more common.
Proposal:
- for RW fields, document that devices should not make fields > 32 byte writeable
- add a way to detect configuration changes during access, driver
can re-read configuration
https://lists.oasis-open.org/archives/virtio/201310/msg00034.html
was:
- for RW fields, document that devices should not make fields > 32 byte writeable
- add a way to detect configuration changes during access, driver
can re-read configuration
https://lists.oasis-open.org/archives/virtio/201310/msg00034.html
> race condition with multi-dword config accesses
> -----------------------------------------------
>
> Key: VIRTIO-35
> URL: https://tools.oasis-open.org/issues/browse/VIRTIO-35
> Project: OASIS Virtual I/O Device (VIRTIO) TC
> Issue Type: Bug
> Affects Versions: virtio 0.9.X legacy
> Reporter: Michael Tsirkin
> Fix For: virtio 1.0 csprd01
>
>
> on many architectures, accesses larger than 32 bit can not be atomic.
> Thus access to a device config field of >4 bytes is inherently racy
> in case field can change.
> For example, virtio-blk has
> u64 capacity;
> The following race can trigger:
> driver reads low 32 bit
> both low and high 32 bit change
> driver reads high 32 bit
> as a result, capacity observed is composed of
> old low bits and new high bits which does not
> make sense.
> For legacy devices, spec allowed byte by byte access,
> making the race even more common.
--
This message was sent by Atlassian JIRA
(v6.1.1#6155)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]