Message ID | 20230302121719.9390-1-aesteve@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | hw/virtio/vhost-user: avoid using unitialized errp | expand |
Hi, I found the issue by chance, while working in not-yet-upstreamed virtio code. I am not sure if there is any QEMU stub currently upstreamed that does not support an F_CONFIG backend, to be able to trigger the error. It may as well be that this branch of the condition is never executed. Nonetheless, the segfault can be triggered using the tests/qtest/vhost-user-test, e.g., with the virtio-gpio device. We can force the QEMU side to go into the else part of the supports_f_config by applying this patch: diff --git a/hw/virtio/vhost-user-gpio.c b/hw/virtio/vhost-user-gpio.c index fe3da32c74..23634e74ce 100644 --- a/hw/virtio/vhost-user-gpio.c +++ b/hw/virtio/vhost-user-gpio.c @@ -226,8 +226,8 @@ static int vu_gpio_connect(DeviceState *dev, Error **errp) } gpio->connected = true; - vhost_dev_set_config_notifier(vhost_dev, &gpio_ops); - gpio->vhost_user.supports_config = true; + //vhost_dev_set_config_notifier(vhost_dev, &gpio_ops); + gpio->vhost_user.supports_config = false; ret = vhost_dev_init(vhost_dev, &gpio->vhost_user, VHOST_BACKEND_TYPE_USER, 0, errp); Without the patch the test would cause the segfault. Otherwise, it prints the warning and fails afterwards. I couldn't find a good way to properly cover this in a test, but I can try, and add it to this patch if anyone has a suggestion. BR, Albert Esteve On Thu, Mar 2, 2023 at 1:17 PM Albert Esteve <aesteve@redhat.com> wrote: > During protocol negotiation, when we the QEMU > stub does not support a backend with F_CONFIG, > it throws a warning and supresses the > VHOST_USER_PROTOCOL_F_CONFIG bit. > > However, the warning uses warn_reportf_err macro > and passes an unitialized errp pointer. However, > the macro tries to edit the 'msg' member of the > unitialized Error and segfaults. > > Instead, just use warn_report, which prints a > warning message directly to the output. > > Fixes: 5653493 ("hw/virtio/vhost-user: don't suppress F_CONFIG when > supported") > Signed-off-by: Albert Esteve <aesteve@redhat.com> > --- > hw/virtio/vhost-user.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c > index e68daa35d4..34c331b3ba 100644 > --- a/hw/virtio/vhost-user.c > +++ b/hw/virtio/vhost-user.c > @@ -2031,8 +2031,8 @@ static int vhost_user_backend_init(struct vhost_dev > *dev, void *opaque, > } else { > if (virtio_has_feature(protocol_features, > VHOST_USER_PROTOCOL_F_CONFIG)) { > - warn_reportf_err(*errp, "vhost-user backend supports " > - "VHOST_USER_PROTOCOL_F_CONFIG but QEMU > does not."); > + warn_report("vhost-user backend supports " > + "VHOST_USER_PROTOCOL_F_CONFIG but QEMU does > not."); > protocol_features &= ~(1ULL << > VHOST_USER_PROTOCOL_F_CONFIG); > } > } > -- > 2.39.1 > >
On Thu, 2 Mar 2023 at 12:18, Albert Esteve <aesteve@redhat.com> wrote: > > During protocol negotiation, when we the QEMU > stub does not support a backend with F_CONFIG, > it throws a warning and supresses the > VHOST_USER_PROTOCOL_F_CONFIG bit. > > However, the warning uses warn_reportf_err macro > and passes an unitialized errp pointer. However, > the macro tries to edit the 'msg' member of the > unitialized Error and segfaults. > > Instead, just use warn_report, which prints a > warning message directly to the output. > > Fixes: 5653493 ("hw/virtio/vhost-user: don't suppress F_CONFIG when supported") > Signed-off-by: Albert Esteve <aesteve@redhat.com> > --- > hw/virtio/vhost-user.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c > index e68daa35d4..34c331b3ba 100644 > --- a/hw/virtio/vhost-user.c > +++ b/hw/virtio/vhost-user.c > @@ -2031,8 +2031,8 @@ static int vhost_user_backend_init(struct vhost_dev *dev, void *opaque, > } else { > if (virtio_has_feature(protocol_features, > VHOST_USER_PROTOCOL_F_CONFIG)) { > - warn_reportf_err(*errp, "vhost-user backend supports " > - "VHOST_USER_PROTOCOL_F_CONFIG but QEMU does not."); > + warn_report("vhost-user backend supports " > + "VHOST_USER_PROTOCOL_F_CONFIG but QEMU does not."); > protocol_features &= ~(1ULL << VHOST_USER_PROTOCOL_F_CONFIG); > } > } This looks like the right fix to me. warn_reportf_err() is for "print this message along with the information in the Error object". But in this code path we are not trying to handle an error that was reported to us by a function that sets up Error, so it's not the right function to use. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> thanks -- PMM
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index e68daa35d4..34c331b3ba 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -2031,8 +2031,8 @@ static int vhost_user_backend_init(struct vhost_dev *dev, void *opaque, } else { if (virtio_has_feature(protocol_features, VHOST_USER_PROTOCOL_F_CONFIG)) { - warn_reportf_err(*errp, "vhost-user backend supports " - "VHOST_USER_PROTOCOL_F_CONFIG but QEMU does not."); + warn_report("vhost-user backend supports " + "VHOST_USER_PROTOCOL_F_CONFIG but QEMU does not."); protocol_features &= ~(1ULL << VHOST_USER_PROTOCOL_F_CONFIG); } }
During protocol negotiation, when we the QEMU stub does not support a backend with F_CONFIG, it throws a warning and supresses the VHOST_USER_PROTOCOL_F_CONFIG bit. However, the warning uses warn_reportf_err macro and passes an unitialized errp pointer. However, the macro tries to edit the 'msg' member of the unitialized Error and segfaults. Instead, just use warn_report, which prints a warning message directly to the output. Fixes: 5653493 ("hw/virtio/vhost-user: don't suppress F_CONFIG when supported") Signed-off-by: Albert Esteve <aesteve@redhat.com> --- hw/virtio/vhost-user.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)