Re: vhost-vdpa potential fd leak (coverity issue)

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Michael S. Tsirkin" <mst@redhat.com>
To: Stefano Garzarella <sgarzare@redhat.com>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	"Jason Wang" <jasowang@redhat.com>,
	"Eugenio Pérez" <eperezma@redhat.com>
Subject: Re: vhost-vdpa potential fd leak (coverity issue)
Date: Mon, 14 Jul 2025 05:57:46 -0400	[thread overview]
Message-ID: <20250714055556-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <rwmbufb2zk6grtmrksfthav6ntm7ddsodqfrpjwjt6njbacx62@7hikurlwh3kl>

On Mon, Jul 14, 2025 at 11:18:51AM +0200, Stefano Garzarella wrote:
> On Thu, Jul 10, 2025 at 12:40:43PM -0400, Michael S. Tsirkin wrote:
> > On Thu, Jul 10, 2025 at 04:46:34PM +0100, Peter Maydell wrote:
> > > Hi; Coverity complains about a potential filedescriptor leak in
> > > net/vhost-vdpa.c:net_init_vhost_vdpa(). This is CID 1490785.
> > > 
> > > Specifically, in this function we do:
> > >     queue_pairs = vhost_vdpa_get_max_queue_pairs(vdpa_device_fd, features,
> > >                                                  &has_cvq, errp);
> > >     if (queue_pairs < 0) {
> > >         [exit with failure]
> > >     }
> > >     ...
> > >     ncs = g_malloc0(sizeof(*ncs) * queue_pairs);
> > >     for (i = 0; i < queue_pairs; i++) {
> > >        ...
> > >        ncs[i] = net_vhost_vdpa_init(..., vdpa_device_fd, ...)
> > >        ...
> > >     }
> > >     if (has_cvq) {
> > >        ...
> > >        nc = net_host_vdpa_init(..., vdpa_device_fd, ...)
> > >        ...
> > >     }
> > > 
> > > So if queue_pairs is zero we will malloc(0) which seems dubious;
> > > and if queue_pairs is zero and has_cvq is false then the init
> > > function will exit success without ever calling net_vhost_vdpa_init()
> > > and it will leak the vdpa_device_fd.
> > > 
> > > My guess is that queue_pairs == 0 should be an error, or possibly
> > > that (queue_pairs == 0 && !has_cvq) should be an error.
> > > 
> > > Could somebody who knows more about this code tell me which, and
> > > perhaps produce a patch to make it handle that case?
> > 
> > Historically queue_pairs == 0 was always same as 1, IIRC.
> 
> Yep, also looking at vhost_vdpa_get_max_queue_pairs() it returns 1 if
> VIRTIO_NET_F_MQ is not negotiated, or what the device expose in the config
> space in the `max_virtqueue_pairs` field.
> 
> In the spec we have:
>     The device MUST set max_virtqueue_pairs to between 1 and 0x8000
> inclusive, if it offers VIRTIO_NET_F_MQ.
> 
> So, IMHO we can just change the error check in this way:
> diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
> index 58d738945d..8f39e5a983 100644
> --- a/net/vhost-vdpa.c
> +++ b/net/vhost-vdpa.c
> @@ -1813,7 +1813,7 @@ int net_init_vhost_vdpa(const Netdev *netdev, const char *name,
>      queue_pairs = vhost_vdpa_get_max_queue_pairs(vdpa_device_fd, features,
>                                                   &has_cvq, errp);
> -    if (queue_pairs < 0) {
> +    if (queue_pairs <= 0) {
>          qemu_close(vdpa_device_fd);
>          return queue_pairs;
>      }
> 
> I'll send a patch if no one complain.
> 
> > 
> > > Q: should this file be listed in the "vhost" subcategory of
> > > MAINTAINERS?
> > > At the moment it only gets caught by "Network device backends".
> 
> Maybe yes, but it's really virtio-net specific.
> @Michael WDYT?
> 
> Thanks,
> Stefano


vhost kind of includes all vhost things. Not an issue if it's
in both places, I think.

next prev parent reply	other threads:[~2025-07-14 10:03 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-10 15:46 vhost-vdpa potential fd leak (coverity issue) Peter Maydell
2025-07-10 16:40 ` Michael S. Tsirkin
2025-07-14  9:18   ` Stefano Garzarella
2025-07-14  9:48     ` Peter Maydell
2025-07-14 10:33       ` Stefano Garzarella
2025-07-14  9:57     ` Michael S. Tsirkin [this message]
2025-07-14 10:20     ` Stefano Garzarella

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250714055556-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=eperezma@redhat.com \
    --cc=jasowang@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=sgarzare@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).