Re: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd.

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd.

From:	Fiona Ebner
Subject:	Re: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd.
Date:	Wed, 29 May 2024 15:54:05 +0200
User-agent:	Mozilla Thunderbird

Hi,

Am 22.05.24 um 07:10 schrieb Cindy Lu:
> The crash was reported in MAC OS and NixOS, here is the link for this bug
> https://gitlab.com/qemu-project/qemu/-/issues/2334
> https://gitlab.com/qemu-project/qemu/-/issues/2321
> 
> The root cause is that the function virtio_pci_set_guest_notifiers() only
> initializes the irqfd when the use_guest_notifier_mask and guest_notifier_mask
> are set.

Sorry, I'm just trying to understand the fix and I'm probably missing
something, but in virtio_pci_set_guest_notifiers() there is:

>     bool with_irqfd = msix_enabled(&proxy->pci_dev) &&
>         kvm_msi_via_irqfd_enabled();

and then:

>     if ((with_irqfd ||
>          (vdev->use_guest_notifier_mask && k->guest_notifier_mask)) &&
>         assign) {
>         if (with_irqfd) {
>             proxy->vector_irqfd =
>                 g_malloc0(sizeof(*proxy->vector_irqfd) *
>                           msix_nr_vectors_allocated(&proxy->pci_dev));
>             r = kvm_virtio_pci_vector_vq_use(proxy, nvqs);

Meaning proxy->vector_irqfd is allocated when with_irqfd is true (even
if vdev->use_guest_notifier_mask && k->guest_notifier_mask is false).

> However, this check is missing in virtio_pci_set_vector().
> So the fix is to add this check.
> 
> This fix is verified in vyatta,MacOS,NixOS,fedora system.
> 
> The bt tree for this bug is:
> Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7c817be006c0 (LWP 1269146)]
> kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
> 817       if (irqfd->users == 0) {

The crash happens because the irqfd is NULL/invalid here, right?

proxy->vector_irqfd = NULL happens when virtio_pci_set_guest_notifiers()
is called with assign=false or for an unsuccessful call to
virtio_pci_set_guest_notifiers() with assign=true.

AFAIU, the issue is that virtio_pci_set_vector() is called between a
call to virtio_pci_set_guest_notifiers() with assign=false and a
successful virtio_pci_set_guest_notifiers() with assign=true (or before
the first such call).

So I'm trying to understand why adding the check for
vdev->use_guest_notifier_mask && k->guest_notifier_mask is sufficient to
fix the issue. Thanks!

Best Regards,
Fiona

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] virtio-pci: Fix the use of an uninitialized irqfd., Cindy Lu, 2024/05/22
- Re: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd., Jason Wang, 2024/05/26
- Re: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd., Fiona Ebner <=

Prev by Date: Re: [PULL 6/9] virtio-gpu: fix v2 migration
Next by Date: Re: [PATCH v2] virtio-pci: Fix the failure process in kvm_virtio_pci_vector_use_one()
Previous by thread: Re: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd.
Next by thread: [PULL 02/10] target/loongarch/kvm: fpu save the vreg registers high 192bit
Index(es):
- Date
- Thread