fix(balloon): make duplicate stats buffer visible to guest

kalyazin · kalyazin · commit 326fc46db257 · 2026-03-27T17:55:22.000Z
When a non-compliant driver submits more than one stats buffer,
process_stats_queue returns the previous descriptor via add_used but
never calls advance_used_ring_idx or signal_used_queue. The write to the
used ring is therefore invisible to the guest, which can never reclaim
the buffer.

Add the missing advance_used_ring_idx and signal_used_queue calls so the
guest actually sees the returned descriptor.

Signed-off-by: Nikita Kalyazin &lt;kalyazin@amazon.com&gt;
diff --git a/src/vmm/src/devices/virtio/balloon/device.rs b/src/vmm/src/devices/virtio/balloon/device.rs
@@ -498,6 +498,8 @@ impl Balloon {
                 // the protocol, but return it if we find one.
                 error!("balloon: driver is not compliant, more than one stats buffer received");
                 self.queues[STATS_INDEX].add_used(prev_stats_desc, 0)?;
+                self.queues[STATS_INDEX].advance_used_ring_idx();
+                self.signal_used_queue(STATS_INDEX)?;
             }
 
             // Reject oversized descriptors to prevent a guest from causing

Original file line number	Diff line number	Diff line change
`@@ -498,6 +498,8 @@ impl Balloon {`
`498`	`498`	`// the protocol, but return it if we find one.`
`499`	`499`	`error!("balloon: driver is not compliant, more than one stats buffer received");`
`500`	`500`	`self.queues[STATS_INDEX].add_used(prev_stats_desc, 0)?;`
	`501`	`+ self.queues[STATS_INDEX].advance_used_ring_idx();`
	`502`	`+ self.signal_used_queue(STATS_INDEX)?;`
`501`	`503`	`}`
`502`	`504`
`503`	`505`	`// Reject oversized descriptors to prevent a guest from causing`