From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Cindy Lu <lulu@redhat.com>,
qemu-stable@nongnu.org, Jason Wang <jasowang@redhat.com>
Subject: Re: [PULL 04/46] virtio-pci: Fix the use of an uninitialized irqfd.
Date: Wed, 5 Jun 2024 03:27:56 -0400
Message-ID: <20240605032741-mutt-send-email-mst@kernel.org>
In-Reply-To: <7eeb62b0ce3a8f64647bf53f93903abd1fbb0b94.1717527933.git.mst@redhat.com>
On Tue, Jun 04, 2024 at 03:06:15PM -0400, Michael S. Tsirkin wrote:
> From: Cindy Lu <lulu@redhat.com>
>
> The crash was reported on macOS and NixOS; here are the links for this bug:
> https://gitlab.com/qemu-project/qemu/-/issues/2334
> https://gitlab.com/qemu-project/qemu/-/issues/2321
>
> The root cause is that the function virtio_pci_set_guest_notifiers() only
> initializes the irqfd when the use_guest_notifier_mask and guest_notifier_mask
> are set.
> However, this check is missing in virtio_pci_set_vector().
> So the fix is to add this check.
>
> This fix is verified on Vyatta, macOS, NixOS and Fedora systems.
>
> The backtrace for this bug is:
> Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7c817be006c0 (LWP 1269146)]
> kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
> 817 if (irqfd->users == 0) {
> (gdb) thread apply all bt
> ...
> Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"):
> 0 kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
> 1 kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893
> 2 0x00005983657045e2 in memory_region_write_accessor () at ../qemu-9.0.0/system/memory.c:497
> 3 0x0000598365704ba6 in access_with_adjusted_size () at ../qemu-9.0.0/system/memory.c:573
> 4 0x0000598365705059 in memory_region_dispatch_write () at ../qemu-9.0.0/system/memory.c:1528
> 5 0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at ../qemu-9.0.0/system/physmem.c:2713
> 6 0x000059836570ba7d in flatview_write_continue () at ../qemu-9.0.0/system/physmem.c:2743
> 7 flatview_write () at ../qemu-9.0.0/system/physmem.c:2774
> 8 0x000059836570bb76 in address_space_write () at ../qemu-9.0.0/system/physmem.c:2894
> 9 0x0000598365763afe in address_space_rw () at ../qemu-9.0.0/system/physmem.c:2904
> 10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917
> 11 0x000059836576656e in kvm_vcpu_thread_fn () at ../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50
> 12 0x0000598365926ca8 in qemu_thread_start () at ../qemu-9.0.0/util/qemu-thread-posix.c:541
> 13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6
> 14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6
>
> Fixes: 2ce6cff94d ("virtio-pci: fix use of a released vector")
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Cindy Lu <lulu@redhat.com>
> Message-Id: <20240522051042.985825-1-lulu@redhat.com>
> Acked-by: Jason Wang <jasowang@redhat.com>
> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Dropped now at author's request.
> ---
> hw/virtio/virtio-pci.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
> index b1d02f4b3d..a7faee5b33 100644
> --- a/hw/virtio/virtio-pci.c
> +++ b/hw/virtio/virtio-pci.c
> @@ -1431,6 +1431,7 @@ static void virtio_pci_set_vector(VirtIODevice *vdev,
> {
> bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
> msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled();
> + VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
>
> if (new_vector == old_vector) {
> return;
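Review bot: `k` is looked up before the `new_vector == old_vector` early return and is used only to read `k->guest_notifier_mask` in the two conditions further down, so the lookup and both flag checks belong in the `kvm_irqfd` initializer: `bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) && msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled() && vdev->use_guest_notifier_mask && VIRTIO_DEVICE_GET_CLASS(vdev)->guest_notifier_mask;`. That keeps the "is the irqfd table in use" predicate in one place and leaves the two `if (kvm_irqfd && ...)` sites unchanged.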
> @@ -1441,7 +1442,8 @@ static void virtio_pci_set_vector(VirtIODevice *vdev,
> * set, we need to release the old vector and set up the new one.
> * Otherwise just need to set the new vector on the device.
> */
> - if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {
> + if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR &&
> + vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
> kvm_virtio_pci_vector_release_one(proxy, queue_no);
> }
> /* Set the new vector on the device. */
> @@ -1451,7 +1453,8 @@ static void virtio_pci_set_vector(VirtIODevice *vdev,
> virtio_queue_set_vector(vdev, queue_no, new_vector);
> }
> /* If the new vector changed need to set it up. */
> - if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {
> + if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR &&
> + vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
> kvm_virtio_pci_vector_use_one(proxy, queue_no);
> }
> }
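Review bot: this condition duplicates the one in the release path above verbatim, so a future edit to one can leave the other behind; compute it once, for example `bool irqfd_in_use = vdev->use_guest_notifier_mask && k->guest_notifier_mask;` next to `kvm_irqfd`, and test that at both sites. A related question for the commit message: the guard reads the device's current `use_guest_notifier_mask`, so if that flag can change between the guest-notifier setup that created the irqfd and this vector write, one of the two paths would be skipped and the use/release counts would no longer pair up; a sentence on why the flag is stable over that window would settle it.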
> --
> MST
>
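The setup/use mismatch the commit message describes, as an added example that is not QEMU's code and not part of this thread: a reduced model in which the irqfd table exists only when the device uses guest-notifier masking, and a vector rewrite either checks that same predicate or does not. All type and function names are simplified stand-ins for the QEMU ones (VirtIOIRQFD holds only a user count and a route number, `has_guest_notifier_mask` replaces the `k->guest_notifier_mask` class hook, `kvm_msi_via_irqfd_enabled()` is assumed true, and a counter stands in for the SIGSEGV so the sequence can run to completion); the vector-write sequence is constructed for the example.

```c
/* Added example, not QEMU code: a reduced model of the irqfd lifecycle. */
#include <stdbool.h>
#include <stdlib.h>

#define VIRTIO_NO_VECTOR 0xffffu
#define NUM_QUEUES 2u
#define NUM_VECTORS 8u

typedef struct { int users; int virq; } VirtIOIRQFD;

typedef struct {
    bool driver_ok;                /* VIRTIO_CONFIG_S_DRIVER_OK */
    bool use_guest_notifier_mask;
    bool has_guest_notifier_mask;  /* stands in for k->guest_notifier_mask != NULL */
    unsigned vector[NUM_QUEUES];
} VirtIODevice;

typedef struct {
    VirtIODevice *vdev;
    bool msix_enabled;
    VirtIOIRQFD *vector_irqfd;  /* NULL until set_guest_notifiers() allocates it */
    int null_derefs;            /* instrumentation standing in for the SIGSEGV */
} VirtIOPCIProxy;

/* The one predicate deciding whether vector_irqfd exists at all. */
static bool irqfd_in_use(const VirtIOPCIProxy *proxy)
{
    return proxy->vdev->use_guest_notifier_mask &&
           proxy->vdev->has_guest_notifier_mask;
}

/* Setup side: the table is created only when irqfd_in_use() holds. */
static void set_guest_notifiers(VirtIOPCIProxy *proxy, bool assign)
{
    if (!assign) {
        free(proxy->vector_irqfd);
        proxy->vector_irqfd = NULL;
    } else if (irqfd_in_use(proxy)) {
        proxy->vector_irqfd = calloc(NUM_VECTORS, sizeof(VirtIOIRQFD));
        for (unsigned i = 0; i < NUM_VECTORS; i++) {
            proxy->vector_irqfd[i].virq = -1;  /* assumed: -1 means no route */
        }
    }
}

/* Use (+1) or release (-1) a queue's vector; indexes the table without checking it. */
static void vector_adjust(VirtIOPCIProxy *proxy, unsigned queue_no, int delta)
{
    unsigned vector = proxy->vdev->vector[queue_no];
    if (vector == VIRTIO_NO_VECTOR || vector >= NUM_VECTORS) return;
    if (!proxy->vector_irqfd) {  /* the real code faults on irqfd->users here */
        proxy->null_derefs++;
        return;
    }
    VirtIOIRQFD *irqfd = &proxy->vector_irqfd[vector];
    irqfd->users += delta;
    irqfd->virq = irqfd->users > 0 ? (int)vector : -1;  /* assumed route handling */
}

/* Guest writes a new MSI-X vector for a queue. guarded == false gates use/release on
 * kvm_irqfd alone, as before the patch; guarded == true folds in the setup-side predicate. */
static void set_vector(VirtIOPCIProxy *proxy, unsigned queue_no,
                       unsigned new_vector, bool guarded)
{
    unsigned old_vector = proxy->vdev->vector[queue_no];
    /* kvm_msi_via_irqfd_enabled() is assumed true on this host */
    bool kvm_irqfd = proxy->vdev->driver_ok && proxy->msix_enabled &&
                     (!guarded || irqfd_in_use(proxy));

    if (new_vector == old_vector) return;
    if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {
        vector_adjust(proxy, queue_no, -1);
    }
    proxy->vdev->vector[queue_no] = new_vector;
    if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {
        vector_adjust(proxy, queue_no, +1);
    }
}

/* null_derefs: NULL-table hits; users_vN: final users of vector N, -1 without a table */
typedef struct { int null_derefs; int users_v1; int users_v2; } ScenarioResult;

/* Constructed sequence: DRIVER_OK and MSI-X set, then four vector rewrites. */
static ScenarioResult run_scenario(bool masking, bool guarded)
{
    VirtIODevice vdev = { .driver_ok = true, .use_guest_notifier_mask = masking,
                          .has_guest_notifier_mask = masking,
                          .vector = { VIRTIO_NO_VECTOR, VIRTIO_NO_VECTOR } };
    VirtIOPCIProxy proxy = { .vdev = &vdev, .msix_enabled = true };
    ScenarioResult r;

    set_guest_notifiers(&proxy, true);
    set_vector(&proxy, 0, 1, guarded);                 /* queue 0 -> vector 1 */
    set_vector(&proxy, 1, 1, guarded);                 /* queue 1 shares it */
    set_vector(&proxy, 0, 2, guarded);                 /* queue 0 moves to 2 */
    set_vector(&proxy, 1, VIRTIO_NO_VECTOR, guarded);  /* queue 1 drops it */
    r.null_derefs = proxy.null_derefs;
    r.users_v1 = proxy.vector_irqfd ? proxy.vector_irqfd[1].users : -1;
    r.users_v2 = proxy.vector_irqfd ? proxy.vector_irqfd[2].users : -1;
    set_guest_notifiers(&proxy, false);
    return r;
}
```

run_scenario(false, false) drives the unguarded path against a device that does not use masking and counts five NULL-table hits; the first of them corresponds to the kvm_virtio_pci_vq_vector_use() fault in the backtrace quoted above, where the real process dies. With the guard folded into kvm_irqfd the same sequence touches the table zero times, and a device that does use masking still ends with vector 1 fully released and vector 2 holding one user, so the guard does not disturb the normal release/use pairing.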