From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Avihai Horon <avihaih@nvidia.com>
Cc: qemu-devel@nongnu.org,
	Alex Williamson <alex.williamson@redhat.com>,
	Halil Pasic <pasic@linux.ibm.com>,
	Christian Borntraeger <borntraeger@linux.ibm.com>,
	Eric Farman <farman@linux.ibm.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	David Hildenbrand <david@redhat.com>,
	Ilya Leoshkevich <iii@linux.ibm.com>,
	Thomas Huth <thuth@redhat.com>,
	Juan Quintela <quintela@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Cornelia Huck <cohuck@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>, Fam Zheng <fam@euphon.net>,
	Eric Blake <eblake@redhat.com>,
	Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>,
	John Snow <jsnow@redhat.com>,
	qemu-s390x@nongnu.org, qemu-block@nongnu.org,
	Yishai Hadas <yishaih@nvidia.com>,
	Jason Gunthorpe <jgg@nvidia.com>,
	Maor Gottlieb <maorg@nvidia.com>,
	Kirti Wankhede <kwankhede@nvidia.com>,
	Tarun Gupta <targupta@nvidia.com>,
	Joao Martins <joao.m.martins@oracle.com>
Subject: Re: [PATCH v5 04/14] vfio/migration: Fix NULL pointer dereference bug
Date: Tue, 3 Jan 2023 11:13:21 +0000
Message-ID: <Y7QN0fT6vI9AMU+3@work-vm>
In-Reply-To: <20221229110345.12480-5-avihaih@nvidia.com>

* Avihai Horon (avihaih@nvidia.com) wrote:
> As part of its error flow, vfio_vmstate_change() accesses
> MigrationState->to_dst_file without any checks. This can cause a NULL
> pointer dereference if the error flow is taken and
> MigrationState->to_dst_file is not set.
> 
> For example, this can happen if VM is started or stopped not during
> migration and vfio_vmstate_change() error flow is taken, as
> MigrationState->to_dst_file is not set at that time.
> 
> Fix it by checking that MigrationState->to_dst_file is set before using
> it.
> 
> Fixes: 02a7e71b1e5b ("vfio: Add VM state change handler to know state of VM")
> Signed-off-by: Avihai Horon <avihaih@nvidia.com>
> Reviewed-by: Juan Quintela <quintela@redhat.com>
> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

It might be worth posting this patch separately since it's a simple fix
and should go in sooner.

Dave

> ---
>  hw/vfio/migration.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/vfio/migration.c b/hw/vfio/migration.c
> index e1413ac90c..09fe7c1de2 100644
> --- a/hw/vfio/migration.c
> +++ b/hw/vfio/migration.c
> @@ -743,7 +743,9 @@ static void vfio_vmstate_change(void *opaque, bool running, RunState state)
>           */
>          error_report("%s: Failed to set device state 0x%x", vbasedev->name,
>                       (migration->device_state & mask) | value);
> -        qemu_file_set_error(migrate_get_current()->to_dst_file, ret);
> +        if (migrate_get_current()->to_dst_file) {
> +            qemu_file_set_error(migrate_get_current()->to_dst_file, ret);
> +        }
>      }
>      vbasedev->migration->vm_running = running;
>      trace_vfio_vmstate_change(vbasedev->name, running, RunState_str(state),
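Review bot: the check and the use in this hunk read the pointer twice, at `if (migrate_get_current()->to_dst_file) {` and again at `qemu_file_set_error(migrate_get_current()->to_dst_file, ret);`; if to_dst_file can be cleared by migration teardown while this VM state change handler runs, the second read can still yield NULL even though the first one did not. Caching it once in a local, `QEMUFile *f = migrate_get_current()->to_dst_file;`, and testing and using `f` makes the guard and the call agree on the same value. It would also help to say, in the commit message or a comment next to the new `if`, that when no migration is in progress (the start/stop-outside-migration case the commit message describes) the failed device-state transition is only reported via error_report() and is not propagated anywhere else.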
> -- 
> 2.26.3
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK



Thread overview: 36+ messages
2022-12-29 11:03 [PATCH v5 00/14] vfio/migration: Implement VFIO migration protocol v2 Avihai Horon
2022-12-29 11:03 ` [PATCH v5 01/14] linux-headers: Update to v6.2-rc1 Avihai Horon
2022-12-29 11:03 ` [PATCH v5 02/14] migration: No save_live_pending() method uses the QEMUFile parameter Avihai Horon
2022-12-29 11:03 ` [PATCH v5 03/14] migration: Simplify migration_iteration_run() Avihai Horon
2023-01-06 17:56   ` Alex Williamson
2023-01-08 16:30     ` Avihai Horon
2023-01-09 10:24   ` Cédric Le Goater
2022-12-29 11:03 ` [PATCH v5 04/14] vfio/migration: Fix NULL pointer dereference bug Avihai Horon
2023-01-03 11:13   ` Dr. David Alan Gilbert [this message]
2023-01-03 15:54     ` Avihai Horon
2023-01-06 18:07     ` Alex Williamson
2022-12-29 11:03 ` [PATCH v5 05/14] vfio/migration: Allow migration without VFIO IOMMU dirty tracking support Avihai Horon
2023-01-06 21:56   ` Alex Williamson
2023-01-08 16:38     ` Avihai Horon
2022-12-29 11:03 ` [PATCH v5 06/14] migration/qemu-file: Add qemu_file_get_to_fd() Avihai Horon
2023-01-09 11:20   ` Cédric Le Goater
2023-01-09 15:18     ` Avihai Horon
2022-12-29 11:03 ` [PATCH v5 07/14] vfio/common: Change vfio_devices_all_running_and_saving() logic to equivalent one Avihai Horon
2022-12-29 11:03 ` [PATCH v5 08/14] vfio/migration: Move migration v1 logic to vfio_migration_init() Avihai Horon
2023-01-09 12:34   ` Cédric Le Goater
2022-12-29 11:03 ` [PATCH v5 09/14] vfio/migration: Rename functions/structs related to v1 protocol Avihai Horon
2023-01-09 12:43   ` Cédric Le Goater
2022-12-29 11:03 ` [PATCH v5 10/14] vfio/migration: Implement VFIO migration protocol v2 Avihai Horon
2023-01-09 10:20   ` Cédric Le Goater
2023-01-09 15:12     ` Avihai Horon
2023-01-09 17:27       ` Cédric Le Goater
2023-01-09 18:36         ` Jason Gunthorpe
2023-01-10 14:08           ` Avihai Horon
2023-01-10 16:19             ` Cédric Le Goater
2023-01-11  9:59               ` Avihai Horon
2022-12-29 11:03 ` [PATCH v5 11/14] vfio/migration: Optimize vfio_save_pending() Avihai Horon
2022-12-29 11:03 ` [PATCH v5 12/14] vfio/migration: Remove VFIO migration protocol v1 Avihai Horon
2022-12-29 11:03 ` [PATCH v5 13/14] vfio: Alphabetize migration section of VFIO trace-events file Avihai Horon
2022-12-29 11:03 ` [PATCH v5 14/14] docs/devel: Align VFIO migration docs to v2 protocol Avihai Horon
2023-01-06 23:36 ` [PATCH v5 00/14] vfio/migration: Implement VFIO migration protocol v2 Alex Williamson
2023-01-06 23:45   ` Jason Gunthorpe
