From: Tao Cui <cui.tao@linux.dev>
To: Bibo Mao <maobibo@loongson.cn>, qemu-devel@nongnu.org
Cc: cui.tao@linux.dev, "Song Gao" <gaosong@loongson.cn>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@mailo.com>,
	"Qiang Ma" <maqianga@uniontech.com>,
	"Tao Cui" <cuitao@kylinos.cn>
Subject: Re: [PATCH 1/4] target/loongarch/kvm: fix uninitialized val and unchecked GET in cpucfg2 check
Date: Thu, 25 Jun 2026 11:24:19 +0800	[thread overview]
Message-ID: <5f49b07a-972d-4e4d-87ab-2104b7cf941d@linux.dev> (raw)
In-Reply-To: <0cf985f8-f109-bc7b-3353-3432dc017e59@loongson.cn>



On 2026/6/25 10:48, Bibo Mao wrote:
> 
> 
> On 2026/6/25 9:58 AM, Tao Cui wrote:
>> From: Tao Cui <cuitao@kylinos.cn>
>>
>> kvm_check_cpucfg2() discards the return value of KVM_GET_DEVICE_ATTR and
>> then uses the local val (the host cpucfg2 mask) without checking whether
>> the read succeeded. val is also declared without an initializer.
>>
>> If GET fails, env->cpucfg[2] &= val uses an uninitialized value and can
>> silently clear feature bits (FP / LLFTP / LSX / LASX), since bitwise-AND
>> can only turn bits off.
>>
>> Check the GET return value, report the failure with error_report(), and
>> initialize val to 0.
>>
>> Signed-off-by: Tao Cui <cuitao@kylinos.cn>
>> ---
>>   target/loongarch/kvm/kvm.c | 8 ++++++--
>>   1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/target/loongarch/kvm/kvm.c b/target/loongarch/kvm/kvm.c
>> index d6539c12ac..b7176ce53a 100644
>> --- a/target/loongarch/kvm/kvm.c
>> +++ b/target/loongarch/kvm/kvm.c
>> @@ -725,7 +725,7 @@ static int kvm_loongarch_get_cpucfg(CPUState *cs)
>>   static int kvm_check_cpucfg2(CPUState *cs)
>>   {
>>       int ret;
>> -    uint64_t val;
>> +    uint64_t val = 0;
>>       struct kvm_device_attr attr = {
>>           .group = KVM_LOONGARCH_VCPU_CPUCFG,
>>           .attr = 2,
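Review bot: the `uint64_t val = 0` initializer is only a safety net once the second hunk returns early on a failed GET, and it deserves a one-line comment saying so: if any later path ever reached `env->cpucfg[2] &= val` with val still 0, the AND would silently clear every cpucfg2 feature bit, which is the same symptom the commit message describes, only deterministic instead of random.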
>> @@ -736,7 +736,11 @@ static int kvm_check_cpucfg2(CPUState *cs)
>>       ret = kvm_vcpu_ioctl(cs, KVM_HAS_DEVICE_ATTR, &attr);
>>         if (!ret) {
>> -        kvm_vcpu_ioctl(cs, KVM_GET_DEVICE_ATTR, &attr);
>> +        ret = kvm_vcpu_ioctl(cs, KVM_GET_DEVICE_ATTR, &attr);
>> +        if (ret) {
>> +            error_report("CPUCFG2: KVM_GET_DEVICE_ATTR: %s", strerror(errno));
>> +            return ret;
> If KVM_HAS_DEVICE_ATTR succeeds but KVM_GET_DEVICE_ATTR fails, there should be a mempy_from/to_user problem, and maybe the VM can continue to run without the following logic and operation. How about something like this?
> -        kvm_vcpu_ioctl(cs, KVM_GET_DEVICE_ATTR, &attr);
> -        env->cpucfg[2] &= val;
> +        ret = kvm_vcpu_ioctl(cs, KVM_GET_DEVICE_ATTR, &attr);
> +        if (!ret)
> +            env->cpucfg[2] &= val;
> 
Right, the &= mask is best-effort negotiation, so failing the whole register
sync over it is heavier than needed. I'll rework 1/4 so a GET failure only
skips the mask, using a local variable so the GET error no longer propagates:

    if (!ret) {
        int r = kvm_vcpu_ioctl(cs, KVM_GET_DEVICE_ATTR, &attr);
        if (r) {
            warn_report("CPUCFG2: KVM_GET_DEVICE_ATTR: %s", strerror(errno));
        } else {
            env->cpucfg[2] &= val;
        }
        ...
    }
    return ret;

The guest then keeps running with the cpucfg2 it already has. val is still
initialized to 0.

Thanks,
Tao
> 
> sentence
> feature and operation env->cpucfg[2] &= val;
>> +        }
>>           env->cpucfg[2] &= val;
>>             if (FIELD_EX32(env->cpucfg[2], CPUCFG2, FP)) {
>>
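Review bot: the `return ret` after a failed KVM_GET_DEVICE_ATTR makes kvm_check_cpucfg2() fail hard even though the `env->cpucfg[2] &= val` step that follows is only a best-effort narrowing of the guest's feature set; since KVM_HAS_DEVICE_ATTR already succeeded, a GET error is better handled by skipping the mask and continuing, as suggested in the thread, e.g. `if (!ret) { env->cpucfg[2] &= val; }`. It is also worth confirming that errno still holds the GET's error when error_report() runs, or reporting from the returned value instead.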
> 
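The negotiation discussed in this thread, as an added C example (not QEMU code and not from either message): a cpucfg2 mask step with an injectable, fallible getter standing in for KVM_GET_DEVICE_ATTR, showing the original defect (an unchecked mask silently clears feature bits) beside the reworked best-effort path (a failed GET only skips the mask). The bit positions follow the LoongArch CPUCFG2 layout, and the two host behaviours are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* CPUCFG2 feature bits (LoongArch CPUCFG2 layout; assumed by this example). */
#define CPUCFG2_FP    (1u << 0)
#define CPUCFG2_LSX   (1u << 6)
#define CPUCFG2_LASX  (1u << 7)
#define CPUCFG2_LLFTP (1u << 14)
#define CPUCFG2_ALL   (CPUCFG2_FP | CPUCFG2_LSX | CPUCFG2_LASX | CPUCFG2_LLFTP)
/* Stand-in for the KVM_GET_DEVICE_ATTR ioctl: returns 0 and fills *mask on
 * success, or a negative errno and leaves *mask untouched on failure. */
typedef int (*get_host_mask_fn)(uint32_t *mask);
/* Reworked behaviour agreed in the thread: a failed GET only skips the mask,
 * the guest keeps the cpucfg2 it already has, and no error propagates. */
static int negotiate_cpucfg2(uint32_t *guest_cpucfg2, get_host_mask_fn get)
{
    uint32_t val = 0;                       /* initialized, as in the patch */
    int r = get(&val);
    if (r) {
        fprintf(stderr, "CPUCFG2: GET failed (%d), keeping guest value\n", r);
        return 0;
    }
    *guest_cpucfg2 &= val;                  /* AND can only turn bits off */
    return 0;
}

/* Original defect for contrast: GET's result is ignored and whatever 'val'
 * holds is applied; 'stale' models the uninitialized stack slot. */
static uint32_t buggy_cpucfg2(uint32_t guest, uint32_t stale, get_host_mask_fn get)
{
    uint32_t val = stale;
    get(&val);
    return guest & val;
}

/* Wrapper returning the negotiated value, for callers and the checks below. */
static uint32_t negotiated(uint32_t guest, get_host_mask_fn get)
{
    negotiate_cpucfg2(&guest, get);
    return guest;
}
/* Constructed host behaviours: one lacks LASX, one fails the GET with -EIO. */
static int host_without_lasx(uint32_t *m) { *m = CPUCFG2_FP | CPUCFG2_LSX | CPUCFG2_LLFTP; return 0; }
static int host_get_fails(uint32_t *m) { (void)m; return -5; }

int main(void)
{
    printf("host lacks LASX     -> 0x%x\n", negotiated(CPUCFG2_ALL, host_without_lasx));
    printf("GET fails, reworked -> 0x%x\n", negotiated(CPUCFG2_ALL, host_get_fails));
    printf("GET fails, old code -> 0x%x\n", buggy_cpucfg2(CPUCFG2_ALL, 0x40, host_get_fails));
    return 0;
}
```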


