virtio: update memory region cache when queue size changes

Commit Message

Konstantin Khlebnikov Feb. 10, 2022, 11:44 a.m. UTC

Fuzzing found that queue size could be changed after writing queue address.
Resulting cached regions might be shorter than that and cause assert later.

Let's update cached memory regions after changing queue size.
This is no-op if queue address isn't set yet.

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/781
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
---
 hw/virtio/virtio.c |    1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 9e8f51dfb0..cd525a0f9a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -2245,6 +2245,7 @@  void virtio_queue_set_num(VirtIODevice *vdev, int n, int num)
         return;
     }
     vdev->vq[n].vring.num = num;
+    virtio_init_region_cache(vdev, n);
 }
 
 VirtQueue *virtio_vector_first_queue(VirtIODevice *vdev, uint16_t vector)