[PATCH 0/6] [PATCH 0/6] Fix missing ERRP_GUARD() when dereference @errp

[PATCH 0/6] [PATCH 0/6] Fix missing ERRP_GUARD() when dereference @errp

[Zhao Liu]

From: Zhao Liu <zhao1.liu@intel.com>

Hi all,

Thanks to Markus's explanation about ERRP_GUARD() on my previsou
patch [1],

I realize that perhaps more @errp dereference cases need to be
double-checked to ensure that ERRP_GUARD() is being used correctly.

Therefore, there're the patches to add more missing ERRP_GUARD().

[1]: https://lore.kernel.org/qemu-devel/875xz0ojg7.fsf@pond.sub.org/

Thanks and Best Regards,
Zhao

---
Zhao Liu (6):
  hw/cxl/cxl-host: Fix missing ERRP_GUARD() in
    cxl_fixed_memory_window_config()
  hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize()
  hw/mem/cxl_type3: Fix missing ERRP_GUARD() in ct3_realize()
  hw/misc/xlnx-versal-trng: Fix missing ERRP_GUARD() in
    trng_prop_fault_event_set()
  hw/pci-bridge/cxl_upstream: Fix missing ERRP_GUARD() in
    cxl_usp_realize()
  hw/vfio/iommufd: Fix missing ERRP_GUARD() in iommufd_cdev_getfd()

 hw/cxl/cxl-host.c            | 1 +
 hw/display/macfb.c           | 1 +
 hw/mem/cxl_type3.c           | 1 +
 hw/misc/xlnx-versal-trng.c   | 2 ++
 hw/pci-bridge/cxl_upstream.c | 1 +
 hw/vfio/iommufd.c            | 1 +
 6 files changed, 7 insertions(+)

-- 
2.34.1

[PATCH 1/6] hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config()

[Zhao Liu]

From: Zhao Liu <zhao1.liu@intel.com>

As the comment in qapi/error, dereferencing @errp requires
ERRP_GUARD():

* = Why, when and how to use ERRP_GUARD() =
*
* Without ERRP_GUARD(), use of the @errp parameter is restricted:
* - It must not be dereferenced, because it may be null.
* - It should not be passed to error_prepend() or
*   error_append_hint(), because that doesn't work with &error_fatal.
* ERRP_GUARD() lifts these restrictions.
*
* To use ERRP_GUARD(), add it right at the beginning of the function.
* @errp can then be used without worrying about the argument being
* NULL or &error_fatal.
*
* Using it when it's not needed is safe, but please avoid cluttering
* the source with useless code.

Currently, since machine_set_cfmw() - the caller of
cxl_fixed_memory_window_config() - doesn't get the NULL errp parameter
as the "set" method of object property, cxl_fixed_memory_window_config()
doesn't trigger the dereference issue.

To follow the requirement of errp, add missing ERRP_GUARD() in
cxl_fixed_memory_window_config().

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Suggested by credit:
 Markus: Referred his explanation about ERRP_GUARD().
---
 hw/cxl/cxl-host.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/cxl/cxl-host.c b/hw/cxl/cxl-host.c
index 2aa776c79c74..c5f5fcfd64d0 100644
--- a/hw/cxl/cxl-host.c
+++ b/hw/cxl/cxl-host.c
@@ -26,6 +26,7 @@ static void cxl_fixed_memory_window_config(CXLState *cxl_state,
                                            CXLFixedMemoryWindowOptions *object,
                                            Error **errp)
 {
+    ERRP_GUARD();
     g_autofree CXLFixedWindow *fw = g_malloc0(sizeof(*fw));
     strList *target;
     int i;
-- 
2.34.1

[PATCH 2/6] hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize()

[Zhao Liu]

From: Zhao Liu <zhao1.liu@intel.com>

As the comment in qapi/error, dereferencing @errp requires
ERRP_GUARD():

* = Why, when and how to use ERRP_GUARD() =
*
* Without ERRP_GUARD(), use of the @errp parameter is restricted:
* - It must not be dereferenced, because it may be null.
* - It should not be passed to error_prepend() or
*   error_append_hint(), because that doesn't work with &error_fatal.
* ERRP_GUARD() lifts these restrictions.
*
* To use ERRP_GUARD(), add it right at the beginning of the function.
* @errp can then be used without worrying about the argument being
* NULL or &error_fatal.
*
* Using it when it's not needed is safe, but please avoid cluttering
* the source with useless code.

Currently, since macfb_nubus_realize() - as a DeviceClass.realize()
method - doesn't get the NULL errp parameter, it doesn't trigger the
dereference issue.

To follow the requirement of errp, add missing ERRP_GUARD() in
macfb_nubus_realize().

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Suggested by credit:
 Markus: Referred his explanation about ERRP_GUARD().
---
 hw/display/macfb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/display/macfb.c b/hw/display/macfb.c
index 418e99c8e18e..1ace341a0ff4 100644
--- a/hw/display/macfb.c
+++ b/hw/display/macfb.c
@@ -714,6 +714,7 @@ static void macfb_nubus_set_irq(void *opaque, int n, int level)
 
 static void macfb_nubus_realize(DeviceState *dev, Error **errp)
 {
+    ERRP_GUARD();
     NubusDevice *nd = NUBUS_DEVICE(dev);
     MacfbNubusState *s = NUBUS_MACFB(dev);
     MacfbNubusDeviceClass *ndc = NUBUS_MACFB_GET_CLASS(dev);
-- 
2.34.1

[PATCH 3/6] hw/mem/cxl_type3: Fix missing ERRP_GUARD() in ct3_realize()

[Zhao Liu]

From: Zhao Liu <zhao1.liu@intel.com>

As the comment in qapi/error, dereferencing @errp requires
ERRP_GUARD():

* = Why, when and how to use ERRP_GUARD() =
*
* Without ERRP_GUARD(), use of the @errp parameter is restricted:
* - It must not be dereferenced, because it may be null.
* - It should not be passed to error_prepend() or
*   error_append_hint(), because that doesn't work with &error_fatal.
* ERRP_GUARD() lifts these restrictions.
*
* To use ERRP_GUARD(), add it right at the beginning of the function.
* @errp can then be used without worrying about the argument being
* NULL or &error_fatal.
*
* Using it when it's not needed is safe, but please avoid cluttering
* the source with useless code.

Currently, since ct3_realize() - as a PCIDeviceClass.realize() method -
doesn't get the NULL errp parameter, it doesn't trigger the dereference
issue.

To follow the requirement of errp, add missing ERRP_GUARD() in
ct3_realize().

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Suggested by credit:
 Markus: Referred his explanation about ERRP_GUARD().
---
 hw/mem/cxl_type3.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
index e8801805b90f..a3b0761f843b 100644
--- a/hw/mem/cxl_type3.c
+++ b/hw/mem/cxl_type3.c
@@ -645,6 +645,7 @@ static DOEProtocol doe_cdat_prot[] = {
 
 static void ct3_realize(PCIDevice *pci_dev, Error **errp)
 {
+    ERRP_GUARD();
     CXLType3Dev *ct3d = CXL_TYPE3(pci_dev);
     CXLComponentState *cxl_cstate = &ct3d->cxl_cstate;
     ComponentRegisters *regs = &cxl_cstate->crb;
-- 
2.34.1

[PATCH 4/6] hw/misc/xlnx-versal-trng: Fix missing ERRP_GUARD() in trng_prop_fault_event_set()

[Zhao Liu]

From: Zhao Liu <zhao1.liu@intel.com>

As the comment in qapi/error, dereferencing @errp requires
ERRP_GUARD():

* = Why, when and how to use ERRP_GUARD() =
*
* Without ERRP_GUARD(), use of the @errp parameter is restricted:
* - It must not be dereferenced, because it may be null.
* - It should not be passed to error_prepend() or
*   error_append_hint(), because that doesn't work with &error_fatal.
* ERRP_GUARD() lifts these restrictions.
*
* To use ERRP_GUARD(), add it right at the beginning of the function.
* @errp can then be used without worrying about the argument being
* NULL or &error_fatal.
*
* Using it when it's not needed is safe, but please avoid cluttering
* the source with useless code.

Currently, since trng_prop_fault_event_set() doesn't get the NULL errp
parameter as a "set" method of object property, it doesn't trigger the
dereference issue.

To follow the requirement of errp, add missing ERRP_GUARD() in
trng_prop_fault_event_set().

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Suggested by credit:
 Markus: Referred his explanation about ERRP_GUARD().
---
 hw/misc/xlnx-versal-trng.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/misc/xlnx-versal-trng.c b/hw/misc/xlnx-versal-trng.c
index b8111b8b6626..3579348a9d17 100644
--- a/hw/misc/xlnx-versal-trng.c
+++ b/hw/misc/xlnx-versal-trng.c
@@ -33,6 +33,7 @@
 #include "qemu/error-report.h"
 #include "qemu/guest-random.h"
 #include "qemu/timer.h"
+#include "qapi/error.h"
 #include "qapi/visitor.h"
 #include "migration/vmstate.h"
 #include "hw/qdev-properties.h"
@@ -641,6 +642,7 @@ static void trng_prop_fault_event_set(Object *obj, Visitor *v,
                                       const char *name, void *opaque,
                                       Error **errp)
 {
+    ERRP_GUARD();
     Property *prop = opaque;
     uint32_t *events = object_field_prop_ptr(obj, prop);
 
-- 
2.34.1

[PATCH 5/6] hw/pci-bridge/cxl_upstream: Fix missing ERRP_GUARD() in cxl_usp_realize()

[Zhao Liu]

From: Zhao Liu <zhao1.liu@intel.com>

As the comment in qapi/error, dereferencing @errp requires
ERRP_GUARD():

* = Why, when and how to use ERRP_GUARD() =
*
* Without ERRP_GUARD(), use of the @errp parameter is restricted:
* - It must not be dereferenced, because it may be null.
* - It should not be passed to error_prepend() or
*   error_append_hint(), because that doesn't work with &error_fatal.
* ERRP_GUARD() lifts these restrictions.
*
* To use ERRP_GUARD(), add it right at the beginning of the function.
* @errp can then be used without worrying about the argument being
* NULL or &error_fatal.
*
* Using it when it's not needed is safe, but please avoid cluttering
* the source with useless code.

Currently, since cxl_usp_realize() - as a PCIDeviceClass.realize()
method - doesn't get the NULL errp parameter, it doesn't trigger the
dereference issue.

To follow the requirement of errp, add missing ERRP_GUARD() in
cxl_usp_realize()().

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Suggested by credit:
 Markus: Referred his explanation about ERRP_GUARD().
---
 hw/pci-bridge/cxl_upstream.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/pci-bridge/cxl_upstream.c b/hw/pci-bridge/cxl_upstream.c
index e87eb4017713..03d123cca0ef 100644
--- a/hw/pci-bridge/cxl_upstream.c
+++ b/hw/pci-bridge/cxl_upstream.c
@@ -289,6 +289,7 @@ static void free_default_cdat_table(CDATSubHeader **cdat_table, int num,
 
 static void cxl_usp_realize(PCIDevice *d, Error **errp)
 {
+    ERRP_GUARD();
     PCIEPort *p = PCIE_PORT(d);
     CXLUpstreamPort *usp = CXL_USP(d);
     CXLComponentState *cxl_cstate = &usp->cxl_cstate;
-- 
2.34.1

[PATCH 6/6] hw/vfio/iommufd: Fix missing ERRP_GUARD() in iommufd_cdev_getfd()

[Zhao Liu]

From: Zhao Liu <zhao1.liu@intel.com>

As the comment in qapi/error, dereferencing @errp requires
ERRP_GUARD():

* = Why, when and how to use ERRP_GUARD() =
*
* Without ERRP_GUARD(), use of the @errp parameter is restricted:
* - It must not be dereferenced, because it may be null.
* - It should not be passed to error_prepend() or
*   error_append_hint(), because that doesn't work with &error_fatal.
* ERRP_GUARD() lifts these restrictions.
*
* To use ERRP_GUARD(), add it right at the beginning of the function.
* @errp can then be used without worrying about the argument being
* NULL or &error_fatal.
*
* Using it when it's not needed is safe, but please avoid cluttering
* the source with useless code.

Currently, since vfio_attach_device() - the caller of
iommufd_cdev_getfd() - is always called in DeviceClass.realize() context
and won't get the NULL errp parameter, iommufd_cdev_getfd()
doesn't trigger the dereference issue.

To follow the requirement of errp, add missing ERRP_GUARD() in
iommufd_cdev_getfd().

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
---
Suggested by credit:
 Markus: Referred his explanation about ERRP_GUARD().
---
 hw/vfio/iommufd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/vfio/iommufd.c b/hw/vfio/iommufd.c
index 9bfddc136089..7baf49e6ee9e 100644
--- a/hw/vfio/iommufd.c
+++ b/hw/vfio/iommufd.c
@@ -116,6 +116,7 @@ static void iommufd_cdev_unbind_and_disconnect(VFIODevice *vbasedev)
 
 static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
 {
+    ERRP_GUARD();
     long int ret = -ENOTTY;
     char *path, *vfio_dev_path = NULL, *vfio_path = NULL;
     DIR *dir = NULL;
-- 
2.34.1

Re: [PATCH 1/6] hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config()

[Markus Armbruster]

Zhao Liu <zhao1.liu@linux.intel.com> writes:

> From: Zhao Liu <zhao1.liu@intel.com>
>
> As the comment in qapi/error, dereferencing @errp requires
> ERRP_GUARD():
>
> * = Why, when and how to use ERRP_GUARD() =
> *
> * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> * - It must not be dereferenced, because it may be null.
> * - It should not be passed to error_prepend() or
> *   error_append_hint(), because that doesn't work with &error_fatal.
> * ERRP_GUARD() lifts these restrictions.
> *
> * To use ERRP_GUARD(), add it right at the beginning of the function.
> * @errp can then be used without worrying about the argument being
> * NULL or &error_fatal.
> *
> * Using it when it's not needed is safe, but please avoid cluttering
> * the source with useless code.
>
> Currently, since machine_set_cfmw() - the caller of
> cxl_fixed_memory_window_config() - doesn't get the NULL errp parameter
> as the "set" method of object property, cxl_fixed_memory_window_config()
> doesn't trigger the dereference issue.
>
> To follow the requirement of errp, add missing ERRP_GUARD() in
> cxl_fixed_memory_window_config().
>
> Suggested-by: Markus Armbruster <armbru@redhat.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> Suggested by credit:
>  Markus: Referred his explanation about ERRP_GUARD().
> ---
>  hw/cxl/cxl-host.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/hw/cxl/cxl-host.c b/hw/cxl/cxl-host.c
> index 2aa776c79c74..c5f5fcfd64d0 100644
> --- a/hw/cxl/cxl-host.c
> +++ b/hw/cxl/cxl-host.c
> @@ -26,6 +26,7 @@ static void cxl_fixed_memory_window_config(CXLState *cxl_state,
>                                             CXLFixedMemoryWindowOptions *object,
>                                             Error **errp)
>  {
> +    ERRP_GUARD();
>      g_autofree CXLFixedWindow *fw = g_malloc0(sizeof(*fw));
>      strList *target;
>      int i;

The dereferences are

       fw->enc_int_ways = cxl_interleave_ways_enc(fw->num_targets, errp);
       if (*errp) {
           return;
       }

and

           fw->enc_int_gran =
               cxl_interleave_granularity_enc(object->interleave_granularity,
                                              errp);
           if (*errp) {
               return;
           }

We check *errp, because neither function returns a suitable error code.

Reviewed-by: Markus Armbruster <armbru@redhat.com>

Re: [PATCH 2/6] hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize()

[Markus Armbruster]

Zhao Liu <zhao1.liu@linux.intel.com> writes:

> From: Zhao Liu <zhao1.liu@intel.com>
>
> As the comment in qapi/error, dereferencing @errp requires
> ERRP_GUARD():
>
> * = Why, when and how to use ERRP_GUARD() =
> *
> * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> * - It must not be dereferenced, because it may be null.
> * - It should not be passed to error_prepend() or
> *   error_append_hint(), because that doesn't work with &error_fatal.
> * ERRP_GUARD() lifts these restrictions.
> *
> * To use ERRP_GUARD(), add it right at the beginning of the function.
> * @errp can then be used without worrying about the argument being
> * NULL or &error_fatal.
> *
> * Using it when it's not needed is safe, but please avoid cluttering
> * the source with useless code.
>
> Currently, since macfb_nubus_realize() - as a DeviceClass.realize()
> method - doesn't get the NULL errp parameter, it doesn't trigger the
> dereference issue.
>
> To follow the requirement of errp, add missing ERRP_GUARD() in
> macfb_nubus_realize().
>
> Suggested-by: Markus Armbruster <armbru@redhat.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> Suggested by credit:
>  Markus: Referred his explanation about ERRP_GUARD().
> ---
>  hw/display/macfb.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/hw/display/macfb.c b/hw/display/macfb.c
> index 418e99c8e18e..1ace341a0ff4 100644
> --- a/hw/display/macfb.c
> +++ b/hw/display/macfb.c
> @@ -714,6 +714,7 @@ static void macfb_nubus_set_irq(void *opaque, int n, int level)
>  
>  static void macfb_nubus_realize(DeviceState *dev, Error **errp)
>  {
> +    ERRP_GUARD();
>      NubusDevice *nd = NUBUS_DEVICE(dev);
>      MacfbNubusState *s = NUBUS_MACFB(dev);
>      MacfbNubusDeviceClass *ndc = NUBUS_MACFB_GET_CLASS(dev);

The dereference is

       ndc->parent_realize(dev, errp);
       if (*errp) {
           return;
       }

We check *errp, because neither the callback returns void.

Reviewed-by: Markus Armbruster <armbru@redhat.com>

Re: [PATCH 3/6] hw/mem/cxl_type3: Fix missing ERRP_GUARD() in ct3_realize()

[Markus Armbruster]

Zhao Liu <zhao1.liu@linux.intel.com> writes:

> From: Zhao Liu <zhao1.liu@intel.com>
>
> As the comment in qapi/error, dereferencing @errp requires
> ERRP_GUARD():
>
> * = Why, when and how to use ERRP_GUARD() =
> *
> * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> * - It must not be dereferenced, because it may be null.
> * - It should not be passed to error_prepend() or
> *   error_append_hint(), because that doesn't work with &error_fatal.
> * ERRP_GUARD() lifts these restrictions.
> *
> * To use ERRP_GUARD(), add it right at the beginning of the function.
> * @errp can then be used without worrying about the argument being
> * NULL or &error_fatal.
> *
> * Using it when it's not needed is safe, but please avoid cluttering
> * the source with useless code.
>
> Currently, since ct3_realize() - as a PCIDeviceClass.realize() method -
> doesn't get the NULL errp parameter, it doesn't trigger the dereference
> issue.
>
> To follow the requirement of errp, add missing ERRP_GUARD() in
> ct3_realize().
>
> Suggested-by: Markus Armbruster <armbru@redhat.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> Suggested by credit:
>  Markus: Referred his explanation about ERRP_GUARD().
> ---
>  hw/mem/cxl_type3.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index e8801805b90f..a3b0761f843b 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -645,6 +645,7 @@ static DOEProtocol doe_cdat_prot[] = {
>  
>  static void ct3_realize(PCIDevice *pci_dev, Error **errp)
>  {
> +    ERRP_GUARD();
>      CXLType3Dev *ct3d = CXL_TYPE3(pci_dev);
>      CXLComponentState *cxl_cstate = &ct3d->cxl_cstate;
>      ComponentRegisters *regs = &cxl_cstate->crb;

The dereference is

       cxl_doe_cdat_init(cxl_cstate, errp);
       if (*errp) {
           goto err_free_special_ops;
       }

We check *errp, because cxl_doe_cdat_init() returns void.  Could be
improved to return bool, along with its callees ct3_load_cdat() and
ct3_build_cdat(), but that's a slightly more ambitious cleanup, so

Reviewed-by: Markus Armbruster <armbru@redhat.com>

Re: [PATCH 4/6] hw/misc/xlnx-versal-trng: Fix missing ERRP_GUARD() in trng_prop_fault_event_set()

[Markus Armbruster]

Zhao Liu <zhao1.liu@linux.intel.com> writes:

> From: Zhao Liu <zhao1.liu@intel.com>
>
> As the comment in qapi/error, dereferencing @errp requires
> ERRP_GUARD():
>
> * = Why, when and how to use ERRP_GUARD() =
> *
> * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> * - It must not be dereferenced, because it may be null.
> * - It should not be passed to error_prepend() or
> *   error_append_hint(), because that doesn't work with &error_fatal.
> * ERRP_GUARD() lifts these restrictions.
> *
> * To use ERRP_GUARD(), add it right at the beginning of the function.
> * @errp can then be used without worrying about the argument being
> * NULL or &error_fatal.
> *
> * Using it when it's not needed is safe, but please avoid cluttering
> * the source with useless code.
>
> Currently, since trng_prop_fault_event_set() doesn't get the NULL errp
> parameter as a "set" method of object property, it doesn't trigger the
> dereference issue.
>
> To follow the requirement of errp, add missing ERRP_GUARD() in
> trng_prop_fault_event_set().
>
> Suggested-by: Markus Armbruster <armbru@redhat.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> Suggested by credit:
>  Markus: Referred his explanation about ERRP_GUARD().
> ---
>  hw/misc/xlnx-versal-trng.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/hw/misc/xlnx-versal-trng.c b/hw/misc/xlnx-versal-trng.c
> index b8111b8b6626..3579348a9d17 100644
> --- a/hw/misc/xlnx-versal-trng.c
> +++ b/hw/misc/xlnx-versal-trng.c
> @@ -33,6 +33,7 @@
>  #include "qemu/error-report.h"
>  #include "qemu/guest-random.h"
>  #include "qemu/timer.h"
> +#include "qapi/error.h"
>  #include "qapi/visitor.h"
>  #include "migration/vmstate.h"
>  #include "hw/qdev-properties.h"
> @@ -641,6 +642,7 @@ static void trng_prop_fault_event_set(Object *obj, Visitor *v,
>                                        const char *name, void *opaque,
>                                        Error **errp)
>  {
> +    ERRP_GUARD();
>      Property *prop = opaque;
>      uint32_t *events = object_field_prop_ptr(obj, prop);

       visit_type_uint32(v, name, events, errp);
       if (*errp) {
           return;
       }

Please do this instead:

diff --git a/hw/misc/xlnx-versal-trng.c b/hw/misc/xlnx-versal-trng.c
index b8111b8b66..6495188dc7 100644
--- a/hw/misc/xlnx-versal-trng.c
+++ b/hw/misc/xlnx-versal-trng.c
@@ -644,8 +644,7 @@ static void trng_prop_fault_event_set(Object *obj, Visitor *v,
     Property *prop = opaque;
     uint32_t *events = object_field_prop_ptr(obj, prop);
 
-    visit_type_uint32(v, name, events, errp);
-    if (*errp) {
+    if (!visit_type_uint32(v, name, events, errp)) {
         return;
     }
 

Re: [PATCH 5/6] hw/pci-bridge/cxl_upstream: Fix missing ERRP_GUARD() in cxl_usp_realize()

[Markus Armbruster]

Zhao Liu <zhao1.liu@linux.intel.com> writes:

> From: Zhao Liu <zhao1.liu@intel.com>
>
> As the comment in qapi/error, dereferencing @errp requires
> ERRP_GUARD():
>
> * = Why, when and how to use ERRP_GUARD() =
> *
> * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> * - It must not be dereferenced, because it may be null.
> * - It should not be passed to error_prepend() or
> *   error_append_hint(), because that doesn't work with &error_fatal.
> * ERRP_GUARD() lifts these restrictions.
> *
> * To use ERRP_GUARD(), add it right at the beginning of the function.
> * @errp can then be used without worrying about the argument being
> * NULL or &error_fatal.
> *
> * Using it when it's not needed is safe, but please avoid cluttering
> * the source with useless code.
>
> Currently, since cxl_usp_realize() - as a PCIDeviceClass.realize()
> method - doesn't get the NULL errp parameter, it doesn't trigger the
> dereference issue.
>
> To follow the requirement of errp, add missing ERRP_GUARD() in
> cxl_usp_realize()().
>
> Suggested-by: Markus Armbruster <armbru@redhat.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> Suggested by credit:
>  Markus: Referred his explanation about ERRP_GUARD().
> ---
>  hw/pci-bridge/cxl_upstream.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/hw/pci-bridge/cxl_upstream.c b/hw/pci-bridge/cxl_upstream.c
> index e87eb4017713..03d123cca0ef 100644
> --- a/hw/pci-bridge/cxl_upstream.c
> +++ b/hw/pci-bridge/cxl_upstream.c
> @@ -289,6 +289,7 @@ static void free_default_cdat_table(CDATSubHeader **cdat_table, int num,
>  
>  static void cxl_usp_realize(PCIDevice *d, Error **errp)
>  {
> +    ERRP_GUARD();
>      PCIEPort *p = PCIE_PORT(d);
>      CXLUpstreamPort *usp = CXL_USP(d);
>      CXLComponentState *cxl_cstate = &usp->cxl_cstate;

The dereference is

       cxl_doe_cdat_init(cxl_cstate, errp);
       if (*errp) {
           goto err_cap;
       }

As noted in review of PATCH 3, we check *errp, because
cxl_doe_cdat_init() returns void.  Could be improved to return bool,
along with its callees ct3_load_cdat() and ct3_build_cdat(), but that's
a slightly more ambitious cleanup, so

Reviewed-by: Markus Armbruster <armbru@redhat.com>

Re: [PATCH 6/6] hw/vfio/iommufd: Fix missing ERRP_GUARD() in iommufd_cdev_getfd()

[Markus Armbruster]

Zhao Liu <zhao1.liu@linux.intel.com> writes:

> From: Zhao Liu <zhao1.liu@intel.com>
>
> As the comment in qapi/error, dereferencing @errp requires
> ERRP_GUARD():
>
> * = Why, when and how to use ERRP_GUARD() =
> *
> * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> * - It must not be dereferenced, because it may be null.
> * - It should not be passed to error_prepend() or
> *   error_append_hint(), because that doesn't work with &error_fatal.
> * ERRP_GUARD() lifts these restrictions.
> *
> * To use ERRP_GUARD(), add it right at the beginning of the function.
> * @errp can then be used without worrying about the argument being
> * NULL or &error_fatal.
> *
> * Using it when it's not needed is safe, but please avoid cluttering
> * the source with useless code.
>
> Currently, since vfio_attach_device() - the caller of
> iommufd_cdev_getfd() - is always called in DeviceClass.realize() context
> and won't get the NULL errp parameter, iommufd_cdev_getfd()
> doesn't trigger the dereference issue.
>
> To follow the requirement of errp, add missing ERRP_GUARD() in
> iommufd_cdev_getfd().
>
> Suggested-by: Markus Armbruster <armbru@redhat.com>
> Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> ---
> Suggested by credit:
>  Markus: Referred his explanation about ERRP_GUARD().
> ---
>  hw/vfio/iommufd.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/hw/vfio/iommufd.c b/hw/vfio/iommufd.c
> index 9bfddc136089..7baf49e6ee9e 100644
> --- a/hw/vfio/iommufd.c
> +++ b/hw/vfio/iommufd.c
> @@ -116,6 +116,7 @@ static void iommufd_cdev_unbind_and_disconnect(VFIODevice *vbasedev)
>  
>  static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
>  {
> +    ERRP_GUARD();
>      long int ret = -ENOTTY;
>      char *path, *vfio_dev_path = NULL, *vfio_path = NULL;
>      DIR *dir = NULL;

The problematic use is

       if (*errp) {
           error_prepend(errp, VFIO_MSG_PREFIX, path);
       }

Reviewed-by: Markus Armbruster <armbru@redhat.com>

Re: [PATCH 1/6] hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config()

[Zhao Liu]

On Wed, Feb 21, 2024 at 12:31:06PM +0100, Markus Armbruster wrote:
> Date: Wed, 21 Feb 2024 12:31:06 +0100
> From: Markus Armbruster <armbru@redhat.com>
> Subject: Re: [PATCH 1/6] hw/cxl/cxl-host: Fix missing ERRP_GUARD() in
>  cxl_fixed_memory_window_config()
> 
> Zhao Liu <zhao1.liu@linux.intel.com> writes:
> 
> > From: Zhao Liu <zhao1.liu@intel.com>
> >
> > As the comment in qapi/error, dereferencing @errp requires
> > ERRP_GUARD():
> >
> > * = Why, when and how to use ERRP_GUARD() =
> > *
> > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > * - It must not be dereferenced, because it may be null.
> > * - It should not be passed to error_prepend() or
> > *   error_append_hint(), because that doesn't work with &error_fatal.
> > * ERRP_GUARD() lifts these restrictions.
> > *
> > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > * @errp can then be used without worrying about the argument being
> > * NULL or &error_fatal.
> > *
> > * Using it when it's not needed is safe, but please avoid cluttering
> > * the source with useless code.
> >
> > Currently, since machine_set_cfmw() - the caller of
> > cxl_fixed_memory_window_config() - doesn't get the NULL errp parameter
> > as the "set" method of object property, cxl_fixed_memory_window_config()
> > doesn't trigger the dereference issue.
> >
> > To follow the requirement of errp, add missing ERRP_GUARD() in
> > cxl_fixed_memory_window_config().
> >
> > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > ---
> > Suggested by credit:
> >  Markus: Referred his explanation about ERRP_GUARD().
> > ---
> >  hw/cxl/cxl-host.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/hw/cxl/cxl-host.c b/hw/cxl/cxl-host.c
> > index 2aa776c79c74..c5f5fcfd64d0 100644
> > --- a/hw/cxl/cxl-host.c
> > +++ b/hw/cxl/cxl-host.c
> > @@ -26,6 +26,7 @@ static void cxl_fixed_memory_window_config(CXLState *cxl_state,
> >                                             CXLFixedMemoryWindowOptions *object,
> >                                             Error **errp)
> >  {
> > +    ERRP_GUARD();
> >      g_autofree CXLFixedWindow *fw = g_malloc0(sizeof(*fw));
> >      strList *target;
> >      int i;
> 
> The dereferences are
> 
>        fw->enc_int_ways = cxl_interleave_ways_enc(fw->num_targets, errp);
>        if (*errp) {
>            return;
>        }
> 
> and
> 
>            fw->enc_int_gran =
>                cxl_interleave_granularity_enc(object->interleave_granularity,
>                                               errp);
>            if (*errp) {
>                return;
>            }
> 
> We check *errp, because neither function returns a suitable error code.
> 
> Reviewed-by: Markus Armbruster <armbru@redhat.com>
>

Thanks! I'll attach your description to the commit message.

Regards,
Zhao

Re: [PATCH 2/6] hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize()

[Zhao Liu]

On Wed, Feb 21, 2024 at 12:32:43PM +0100, Markus Armbruster wrote:
> Date: Wed, 21 Feb 2024 12:32:43 +0100
> From: Markus Armbruster <armbru@redhat.com>
> Subject: Re: [PATCH 2/6] hw/display/macfb: Fix missing ERRP_GUARD() in
>  macfb_nubus_realize()
> 
> Zhao Liu <zhao1.liu@linux.intel.com> writes:
> 
> > From: Zhao Liu <zhao1.liu@intel.com>
> >
> > As the comment in qapi/error, dereferencing @errp requires
> > ERRP_GUARD():
> >
> > * = Why, when and how to use ERRP_GUARD() =
> > *
> > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > * - It must not be dereferenced, because it may be null.
> > * - It should not be passed to error_prepend() or
> > *   error_append_hint(), because that doesn't work with &error_fatal.
> > * ERRP_GUARD() lifts these restrictions.
> > *
> > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > * @errp can then be used without worrying about the argument being
> > * NULL or &error_fatal.
> > *
> > * Using it when it's not needed is safe, but please avoid cluttering
> > * the source with useless code.
> >
> > Currently, since macfb_nubus_realize() - as a DeviceClass.realize()
> > method - doesn't get the NULL errp parameter, it doesn't trigger the
> > dereference issue.
> >
> > To follow the requirement of errp, add missing ERRP_GUARD() in
> > macfb_nubus_realize().
> >
> > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > ---
> > Suggested by credit:
> >  Markus: Referred his explanation about ERRP_GUARD().
> > ---
> >  hw/display/macfb.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/hw/display/macfb.c b/hw/display/macfb.c
> > index 418e99c8e18e..1ace341a0ff4 100644
> > --- a/hw/display/macfb.c
> > +++ b/hw/display/macfb.c
> > @@ -714,6 +714,7 @@ static void macfb_nubus_set_irq(void *opaque, int n, int level)
> >  
> >  static void macfb_nubus_realize(DeviceState *dev, Error **errp)
> >  {
> > +    ERRP_GUARD();
> >      NubusDevice *nd = NUBUS_DEVICE(dev);
> >      MacfbNubusState *s = NUBUS_MACFB(dev);
> >      MacfbNubusDeviceClass *ndc = NUBUS_MACFB_GET_CLASS(dev);
> 
> The dereference is
> 
>        ndc->parent_realize(dev, errp);
>        if (*errp) {
>            return;
>        }
> 
> We check *errp, because neither the callback returns void.
> 
> Reviewed-by: Markus Armbruster <armbru@redhat.com>

Thanks! Will add more description in commit message as you suggested.

Regards,
Zhao

Re: [PATCH 4/6] hw/misc/xlnx-versal-trng: Fix missing ERRP_GUARD() in trng_prop_fault_event_set()

[Zhao Liu]

On Wed, Feb 21, 2024 at 12:47:33PM +0100, Markus Armbruster wrote:
> Date: Wed, 21 Feb 2024 12:47:33 +0100
> From: Markus Armbruster <armbru@redhat.com>
> Subject: Re: [PATCH 4/6] hw/misc/xlnx-versal-trng: Fix missing ERRP_GUARD()
>  in trng_prop_fault_event_set()
> 
> Zhao Liu <zhao1.liu@linux.intel.com> writes:
> 
> > From: Zhao Liu <zhao1.liu@intel.com>
> >
> > As the comment in qapi/error, dereferencing @errp requires
> > ERRP_GUARD():
> >
> > * = Why, when and how to use ERRP_GUARD() =
> > *
> > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > * - It must not be dereferenced, because it may be null.
> > * - It should not be passed to error_prepend() or
> > *   error_append_hint(), because that doesn't work with &error_fatal.
> > * ERRP_GUARD() lifts these restrictions.
> > *
> > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > * @errp can then be used without worrying about the argument being
> > * NULL or &error_fatal.
> > *
> > * Using it when it's not needed is safe, but please avoid cluttering
> > * the source with useless code.
> >
> > Currently, since trng_prop_fault_event_set() doesn't get the NULL errp
> > parameter as a "set" method of object property, it doesn't trigger the
> > dereference issue.
> >
> > To follow the requirement of errp, add missing ERRP_GUARD() in
> > trng_prop_fault_event_set().
> >
> > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > ---
> > Suggested by credit:
> >  Markus: Referred his explanation about ERRP_GUARD().
> > ---
> >  hw/misc/xlnx-versal-trng.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/hw/misc/xlnx-versal-trng.c b/hw/misc/xlnx-versal-trng.c
> > index b8111b8b6626..3579348a9d17 100644
> > --- a/hw/misc/xlnx-versal-trng.c
> > +++ b/hw/misc/xlnx-versal-trng.c
> > @@ -33,6 +33,7 @@
> >  #include "qemu/error-report.h"
> >  #include "qemu/guest-random.h"
> >  #include "qemu/timer.h"
> > +#include "qapi/error.h"
> >  #include "qapi/visitor.h"
> >  #include "migration/vmstate.h"
> >  #include "hw/qdev-properties.h"
> > @@ -641,6 +642,7 @@ static void trng_prop_fault_event_set(Object *obj, Visitor *v,
> >                                        const char *name, void *opaque,
> >                                        Error **errp)
> >  {
> > +    ERRP_GUARD();
> >      Property *prop = opaque;
> >      uint32_t *events = object_field_prop_ptr(obj, prop);
> 
>        visit_type_uint32(v, name, events, errp);
>        if (*errp) {
>            return;
>        }
> 
> Please do this instead:
> 
> diff --git a/hw/misc/xlnx-versal-trng.c b/hw/misc/xlnx-versal-trng.c
> index b8111b8b66..6495188dc7 100644
> --- a/hw/misc/xlnx-versal-trng.c
> +++ b/hw/misc/xlnx-versal-trng.c
> @@ -644,8 +644,7 @@ static void trng_prop_fault_event_set(Object *obj, Visitor *v,
>      Property *prop = opaque;
>      uint32_t *events = object_field_prop_ptr(obj, prop);
>  
> -    visit_type_uint32(v, name, events, errp);
> -    if (*errp) {
> +    if (!visit_type_uint32(v, name, events, errp)) {
>          return;
>      }
>  

Thanks! I didn't think of that. Will do this.

Regards,
Zhao

Re: [PATCH 5/6] hw/pci-bridge/cxl_upstream: Fix missing ERRP_GUARD() in cxl_usp_realize()

[Zhao Liu]

On Wed, Feb 21, 2024 at 12:49:46PM +0100, Markus Armbruster wrote:
> Date: Wed, 21 Feb 2024 12:49:46 +0100
> From: Markus Armbruster <armbru@redhat.com>
> Subject: Re: [PATCH 5/6] hw/pci-bridge/cxl_upstream: Fix missing
>  ERRP_GUARD() in cxl_usp_realize()
> 
> Zhao Liu <zhao1.liu@linux.intel.com> writes:
> 
> > From: Zhao Liu <zhao1.liu@intel.com>
> >
> > As the comment in qapi/error, dereferencing @errp requires
> > ERRP_GUARD():
> >
> > * = Why, when and how to use ERRP_GUARD() =
> > *
> > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > * - It must not be dereferenced, because it may be null.
> > * - It should not be passed to error_prepend() or
> > *   error_append_hint(), because that doesn't work with &error_fatal.
> > * ERRP_GUARD() lifts these restrictions.
> > *
> > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > * @errp can then be used without worrying about the argument being
> > * NULL or &error_fatal.
> > *
> > * Using it when it's not needed is safe, but please avoid cluttering
> > * the source with useless code.
> >
> > Currently, since cxl_usp_realize() - as a PCIDeviceClass.realize()
> > method - doesn't get the NULL errp parameter, it doesn't trigger the
> > dereference issue.
> >
> > To follow the requirement of errp, add missing ERRP_GUARD() in
> > cxl_usp_realize()().
> >
> > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > ---
> > Suggested by credit:
> >  Markus: Referred his explanation about ERRP_GUARD().
> > ---
> >  hw/pci-bridge/cxl_upstream.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/hw/pci-bridge/cxl_upstream.c b/hw/pci-bridge/cxl_upstream.c
> > index e87eb4017713..03d123cca0ef 100644
> > --- a/hw/pci-bridge/cxl_upstream.c
> > +++ b/hw/pci-bridge/cxl_upstream.c
> > @@ -289,6 +289,7 @@ static void free_default_cdat_table(CDATSubHeader **cdat_table, int num,
> >  
> >  static void cxl_usp_realize(PCIDevice *d, Error **errp)
> >  {
> > +    ERRP_GUARD();
> >      PCIEPort *p = PCIE_PORT(d);
> >      CXLUpstreamPort *usp = CXL_USP(d);
> >      CXLComponentState *cxl_cstate = &usp->cxl_cstate;
> 
> The dereference is
> 
>        cxl_doe_cdat_init(cxl_cstate, errp);
>        if (*errp) {
>            goto err_cap;
>        }
> 
> As noted in review of PATCH 3, we check *errp, because
> cxl_doe_cdat_init() returns void.  Could be improved to return bool,
> along with its callees ct3_load_cdat() and ct3_build_cdat(), but that's
> a slightly more ambitious cleanup, so
> 
> Reviewed-by: Markus Armbruster <armbru@redhat.com>
>

Thanks! It's a good idea and I can continue to consider such the cleanup
in the follow up.

Will also add the dereference description in commit message to make
review easier.

Regards,
Zhao

Re: [PATCH 3/6] hw/mem/cxl_type3: Fix missing ERRP_GUARD() in ct3_realize()

[Zhao Liu]

On Wed, Feb 21, 2024 at 12:35:47PM +0100, Markus Armbruster wrote:
> Date: Wed, 21 Feb 2024 12:35:47 +0100
> From: Markus Armbruster <armbru@redhat.com>
> Subject: Re: [PATCH 3/6] hw/mem/cxl_type3: Fix missing ERRP_GUARD() in
>  ct3_realize()
> 
> Zhao Liu <zhao1.liu@linux.intel.com> writes:
> 
> > From: Zhao Liu <zhao1.liu@intel.com>
> >
> > As the comment in qapi/error, dereferencing @errp requires
> > ERRP_GUARD():
> >
> > * = Why, when and how to use ERRP_GUARD() =
> > *
> > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > * - It must not be dereferenced, because it may be null.
> > * - It should not be passed to error_prepend() or
> > *   error_append_hint(), because that doesn't work with &error_fatal.
> > * ERRP_GUARD() lifts these restrictions.
> > *
> > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > * @errp can then be used without worrying about the argument being
> > * NULL or &error_fatal.
> > *
> > * Using it when it's not needed is safe, but please avoid cluttering
> > * the source with useless code.
> >
> > Currently, since ct3_realize() - as a PCIDeviceClass.realize() method -
> > doesn't get the NULL errp parameter, it doesn't trigger the dereference
> > issue.
> >
> > To follow the requirement of errp, add missing ERRP_GUARD() in
> > ct3_realize().
> >
> > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > ---
> > Suggested by credit:
> >  Markus: Referred his explanation about ERRP_GUARD().
> > ---
> >  hw/mem/cxl_type3.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> > index e8801805b90f..a3b0761f843b 100644
> > --- a/hw/mem/cxl_type3.c
> > +++ b/hw/mem/cxl_type3.c
> > @@ -645,6 +645,7 @@ static DOEProtocol doe_cdat_prot[] = {
> >  
> >  static void ct3_realize(PCIDevice *pci_dev, Error **errp)
> >  {
> > +    ERRP_GUARD();
> >      CXLType3Dev *ct3d = CXL_TYPE3(pci_dev);
> >      CXLComponentState *cxl_cstate = &ct3d->cxl_cstate;
> >      ComponentRegisters *regs = &cxl_cstate->crb;
> 
> The dereference is
> 
>        cxl_doe_cdat_init(cxl_cstate, errp);
>        if (*errp) {
>            goto err_free_special_ops;
>        }
> 
> We check *errp, because cxl_doe_cdat_init() returns void.  Could be
> improved to return bool, along with its callees ct3_load_cdat() and
> ct3_build_cdat(), but that's a slightly more ambitious cleanup, so
> 
> Reviewed-by: Markus Armbruster <armbru@redhat.com>
>

Thanks! I can continue to consider such the cleanup in the follow up.

Will also add the dereference description in commit message to make
review easier.

Regards,
Zhao

Re: [PATCH 6/6] hw/vfio/iommufd: Fix missing ERRP_GUARD() in iommufd_cdev_getfd()

[Zhao Liu]

On Wed, Feb 21, 2024 at 12:53:10PM +0100, Markus Armbruster wrote:
> Date: Wed, 21 Feb 2024 12:53:10 +0100
> From: Markus Armbruster <armbru@redhat.com>
> Subject: Re: [PATCH 6/6] hw/vfio/iommufd: Fix missing ERRP_GUARD() in
>  iommufd_cdev_getfd()
> 
> Zhao Liu <zhao1.liu@linux.intel.com> writes:
> 
> > From: Zhao Liu <zhao1.liu@intel.com>
> >
> > As the comment in qapi/error, dereferencing @errp requires
> > ERRP_GUARD():
> >
> > * = Why, when and how to use ERRP_GUARD() =
> > *
> > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > * - It must not be dereferenced, because it may be null.
> > * - It should not be passed to error_prepend() or
> > *   error_append_hint(), because that doesn't work with &error_fatal.
> > * ERRP_GUARD() lifts these restrictions.
> > *
> > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > * @errp can then be used without worrying about the argument being
> > * NULL or &error_fatal.
> > *
> > * Using it when it's not needed is safe, but please avoid cluttering
> > * the source with useless code.
> >
> > Currently, since vfio_attach_device() - the caller of
> > iommufd_cdev_getfd() - is always called in DeviceClass.realize() context
> > and won't get the NULL errp parameter, iommufd_cdev_getfd()
> > doesn't trigger the dereference issue.
> >
> > To follow the requirement of errp, add missing ERRP_GUARD() in
> > iommufd_cdev_getfd().
> >
> > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > ---
> > Suggested by credit:
> >  Markus: Referred his explanation about ERRP_GUARD().
> > ---
> >  hw/vfio/iommufd.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/hw/vfio/iommufd.c b/hw/vfio/iommufd.c
> > index 9bfddc136089..7baf49e6ee9e 100644
> > --- a/hw/vfio/iommufd.c
> > +++ b/hw/vfio/iommufd.c
> > @@ -116,6 +116,7 @@ static void iommufd_cdev_unbind_and_disconnect(VFIODevice *vbasedev)
> >  
> >  static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
> >  {
> > +    ERRP_GUARD();
> >      long int ret = -ENOTTY;
> >      char *path, *vfio_dev_path = NULL, *vfio_path = NULL;
> >      DIR *dir = NULL;
> 
> The problematic use is
> 
>        if (*errp) {
>            error_prepend(errp, VFIO_MSG_PREFIX, path);
>        }
> 
> Reviewed-by: Markus Armbruster <armbru@redhat.com>
>

Thanks! Will also add the description of problematic use in commit
message to make review easier. ;-)

Regards,
Zhao

Re: [PATCH 0/6] [PATCH 0/6] Fix missing ERRP_GUARD() when dereference @errp

[Michael Tokarev]

21.02.2024 12:43, Zhao Liu wrote:
> From: Zhao Liu <zhao1.liu@intel.com>
> 
> Hi all,
> 
> Thanks to Markus's explanation about ERRP_GUARD() on my previsou
> patch [1],
> 
> I realize that perhaps more @errp dereference cases need to be
> double-checked to ensure that ERRP_GUARD() is being used correctly.
> 
> Therefore, there're the patches to add more missing ERRP_GUARD().
> 
> [1]: https://lore.kernel.org/qemu-devel/875xz0ojg7.fsf@pond.sub.org/

Hi!

Since you're going to respin (it looks like), please include the initial
patch (hw/intc one) into the series as well, so it's all in one go.

I'm not sure this should come via trivial-patches tree though.  Looks
trivial enough :)

/mjt

Re: [PATCH 0/6] [PATCH 0/6] Fix missing ERRP_GUARD() when dereference @errp

[Zhao Liu]

On Thu, Feb 22, 2024 at 09:04:14AM +0300, Michael Tokarev wrote:
> Date: Thu, 22 Feb 2024 09:04:14 +0300
> From: Michael Tokarev <mjt@tls.msk.ru>
> Subject: Re: [PATCH 0/6] [PATCH 0/6] Fix missing ERRP_GUARD() when
>  dereference @errp
> 
> 21.02.2024 12:43, Zhao Liu wrote:
> > From: Zhao Liu <zhao1.liu@intel.com>
> > 
> > Hi all,
> > 
> > Thanks to Markus's explanation about ERRP_GUARD() on my previsou
> > patch [1],
> > 
> > I realize that perhaps more @errp dereference cases need to be
> > double-checked to ensure that ERRP_GUARD() is being used correctly.
> > 
> > Therefore, there're the patches to add more missing ERRP_GUARD().
> > 
> > [1]: https://lore.kernel.org/qemu-devel/875xz0ojg7.fsf@pond.sub.org/
> 
> Hi!
> 
> Since you're going to respin (it looks like), please include the initial
> patch (hw/intc one) into the series as well, so it's all in one go.
> 
> I'm not sure this should come via trivial-patches tree though.  Looks
> trivial enough :)
> 

Hi Michael,

Sure, I'll add that one into this series.
I understand that such small fixes across multiple parts are suited for
trivial-tree.

Thanks,
Zhao

Re: [PATCH 1/6] hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config()

[Jonathan Cameron via]

On Wed, 21 Feb 2024 23:04:23 +0800
Zhao Liu <zhao1.liu@linux.intel.com> wrote:

> On Wed, Feb 21, 2024 at 12:31:06PM +0100, Markus Armbruster wrote:
> > Date: Wed, 21 Feb 2024 12:31:06 +0100
> > From: Markus Armbruster <armbru@redhat.com>
> > Subject: Re: [PATCH 1/6] hw/cxl/cxl-host: Fix missing ERRP_GUARD() in
> >  cxl_fixed_memory_window_config()
> > 
> > Zhao Liu <zhao1.liu@linux.intel.com> writes:
> >   
> > > From: Zhao Liu <zhao1.liu@intel.com>
> > >
> > > As the comment in qapi/error, dereferencing @errp requires
> > > ERRP_GUARD():
> > >
> > > * = Why, when and how to use ERRP_GUARD() =
> > > *
> > > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > > * - It must not be dereferenced, because it may be null.
> > > * - It should not be passed to error_prepend() or
> > > *   error_append_hint(), because that doesn't work with &error_fatal.
> > > * ERRP_GUARD() lifts these restrictions.
> > > *
> > > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > > * @errp can then be used without worrying about the argument being
> > > * NULL or &error_fatal.
> > > *
> > > * Using it when it's not needed is safe, but please avoid cluttering
> > > * the source with useless code.
> > >
> > > Currently, since machine_set_cfmw() - the caller of
> > > cxl_fixed_memory_window_config() - doesn't get the NULL errp parameter
> > > as the "set" method of object property, cxl_fixed_memory_window_config()
> > > doesn't trigger the dereference issue.
> > >
> > > To follow the requirement of errp, add missing ERRP_GUARD() in
> > > cxl_fixed_memory_window_config().
> > >
> > > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > > ---
> > > Suggested by credit:
> > >  Markus: Referred his explanation about ERRP_GUARD().
> > > ---
> > >  hw/cxl/cxl-host.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/hw/cxl/cxl-host.c b/hw/cxl/cxl-host.c
> > > index 2aa776c79c74..c5f5fcfd64d0 100644
> > > --- a/hw/cxl/cxl-host.c
> > > +++ b/hw/cxl/cxl-host.c
> > > @@ -26,6 +26,7 @@ static void cxl_fixed_memory_window_config(CXLState *cxl_state,
> > >                                             CXLFixedMemoryWindowOptions *object,
> > >                                             Error **errp)
> > >  {
> > > +    ERRP_GUARD();
> > >      g_autofree CXLFixedWindow *fw = g_malloc0(sizeof(*fw));
> > >      strList *target;
> > >      int i;  
> > 
> > The dereferences are
> > 
> >        fw->enc_int_ways = cxl_interleave_ways_enc(fw->num_targets, errp);
> >        if (*errp) {
> >            return;
> >        }
> > 
> > and
> > 
> >            fw->enc_int_gran =
> >                cxl_interleave_granularity_enc(object->interleave_granularity,
> >                                               errp);
> >            if (*errp) {
> >                return;
> >            }
> > 
> > We check *errp, because neither function returns a suitable error code.
> > 
> > Reviewed-by: Markus Armbruster <armbru@redhat.com>
> >  
> 
> Thanks! I'll attach your description to the commit message.
Thanks for the explanation in the commit message and to Markus for
the cases it affected.

Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

> 
> Regards,
> Zhao
> 

Re: [PATCH 3/6] hw/mem/cxl_type3: Fix missing ERRP_GUARD() in ct3_realize()

[Jonathan Cameron via]

On Wed, 21 Feb 2024 23:11:12 +0800
Zhao Liu <zhao1.liu@linux.intel.com> wrote:

> On Wed, Feb 21, 2024 at 12:35:47PM +0100, Markus Armbruster wrote:
> > Date: Wed, 21 Feb 2024 12:35:47 +0100
> > From: Markus Armbruster <armbru@redhat.com>
> > Subject: Re: [PATCH 3/6] hw/mem/cxl_type3: Fix missing ERRP_GUARD() in
> >  ct3_realize()
> > 
> > Zhao Liu <zhao1.liu@linux.intel.com> writes:
> >   
> > > From: Zhao Liu <zhao1.liu@intel.com>
> > >
> > > As the comment in qapi/error, dereferencing @errp requires
> > > ERRP_GUARD():
> > >
> > > * = Why, when and how to use ERRP_GUARD() =
> > > *
> > > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > > * - It must not be dereferenced, because it may be null.
> > > * - It should not be passed to error_prepend() or
> > > *   error_append_hint(), because that doesn't work with &error_fatal.
> > > * ERRP_GUARD() lifts these restrictions.
> > > *
> > > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > > * @errp can then be used without worrying about the argument being
> > > * NULL or &error_fatal.
> > > *
> > > * Using it when it's not needed is safe, but please avoid cluttering
> > > * the source with useless code.
> > >
> > > Currently, since ct3_realize() - as a PCIDeviceClass.realize() method -
> > > doesn't get the NULL errp parameter, it doesn't trigger the dereference
> > > issue.
> > >
> > > To follow the requirement of errp, add missing ERRP_GUARD() in
> > > ct3_realize().
> > >
> > > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > > ---
> > > Suggested by credit:
> > >  Markus: Referred his explanation about ERRP_GUARD().
> > > ---
> > >  hw/mem/cxl_type3.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> > > index e8801805b90f..a3b0761f843b 100644
> > > --- a/hw/mem/cxl_type3.c
> > > +++ b/hw/mem/cxl_type3.c
> > > @@ -645,6 +645,7 @@ static DOEProtocol doe_cdat_prot[] = {
> > >  
> > >  static void ct3_realize(PCIDevice *pci_dev, Error **errp)
> > >  {
> > > +    ERRP_GUARD();
> > >      CXLType3Dev *ct3d = CXL_TYPE3(pci_dev);
> > >      CXLComponentState *cxl_cstate = &ct3d->cxl_cstate;
> > >      ComponentRegisters *regs = &cxl_cstate->crb;  
> > 
> > The dereference is
> > 
> >        cxl_doe_cdat_init(cxl_cstate, errp);
> >        if (*errp) {
> >            goto err_free_special_ops;
> >        }
> > 
> > We check *errp, because cxl_doe_cdat_init() returns void.  Could be
> > improved to return bool, along with its callees ct3_load_cdat() and
> > ct3_build_cdat(), but that's a slightly more ambitious cleanup, so
> > 
> > Reviewed-by: Markus Armbruster <armbru@redhat.com>
> >  
> 
> Thanks! I can continue to consider such the cleanup in the follow up.
> 
> Will also add the dereference description in commit message to make
> review easier.
> 
Agreed cleanup would be good, but this is fine if you don't want to
do that now.

Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

> Regards,
> Zhao
> 
> 

Re: [PATCH 5/6] hw/pci-bridge/cxl_upstream: Fix missing ERRP_GUARD() in cxl_usp_realize()

[Jonathan Cameron via]

On Wed, 21 Feb 2024 23:09:49 +0800
Zhao Liu <zhao1.liu@linux.intel.com> wrote:

> On Wed, Feb 21, 2024 at 12:49:46PM +0100, Markus Armbruster wrote:
> > Date: Wed, 21 Feb 2024 12:49:46 +0100
> > From: Markus Armbruster <armbru@redhat.com>
> > Subject: Re: [PATCH 5/6] hw/pci-bridge/cxl_upstream: Fix missing
> >  ERRP_GUARD() in cxl_usp_realize()
> > 
> > Zhao Liu <zhao1.liu@linux.intel.com> writes:
> >   
> > > From: Zhao Liu <zhao1.liu@intel.com>
> > >
> > > As the comment in qapi/error, dereferencing @errp requires
> > > ERRP_GUARD():
> > >
> > > * = Why, when and how to use ERRP_GUARD() =
> > > *
> > > * Without ERRP_GUARD(), use of the @errp parameter is restricted:
> > > * - It must not be dereferenced, because it may be null.
> > > * - It should not be passed to error_prepend() or
> > > *   error_append_hint(), because that doesn't work with &error_fatal.
> > > * ERRP_GUARD() lifts these restrictions.
> > > *
> > > * To use ERRP_GUARD(), add it right at the beginning of the function.
> > > * @errp can then be used without worrying about the argument being
> > > * NULL or &error_fatal.
> > > *
> > > * Using it when it's not needed is safe, but please avoid cluttering
> > > * the source with useless code.
> > >
> > > Currently, since cxl_usp_realize() - as a PCIDeviceClass.realize()
> > > method - doesn't get the NULL errp parameter, it doesn't trigger the
> > > dereference issue.
> > >
> > > To follow the requirement of errp, add missing ERRP_GUARD() in
> > > cxl_usp_realize()().
> > >
> > > Suggested-by: Markus Armbruster <armbru@redhat.com>
> > > Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
> > > ---
> > > Suggested by credit:
> > >  Markus: Referred his explanation about ERRP_GUARD().
> > > ---
> > >  hw/pci-bridge/cxl_upstream.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/hw/pci-bridge/cxl_upstream.c b/hw/pci-bridge/cxl_upstream.c
> > > index e87eb4017713..03d123cca0ef 100644
> > > --- a/hw/pci-bridge/cxl_upstream.c
> > > +++ b/hw/pci-bridge/cxl_upstream.c
> > > @@ -289,6 +289,7 @@ static void free_default_cdat_table(CDATSubHeader **cdat_table, int num,
> > >  
> > >  static void cxl_usp_realize(PCIDevice *d, Error **errp)
> > >  {
> > > +    ERRP_GUARD();
> > >      PCIEPort *p = PCIE_PORT(d);
> > >      CXLUpstreamPort *usp = CXL_USP(d);
> > >      CXLComponentState *cxl_cstate = &usp->cxl_cstate;  
> > 
> > The dereference is
> > 
> >        cxl_doe_cdat_init(cxl_cstate, errp);
> >        if (*errp) {
> >            goto err_cap;
> >        }
> > 
> > As noted in review of PATCH 3, we check *errp, because
> > cxl_doe_cdat_init() returns void.  Could be improved to return bool,
> > along with its callees ct3_load_cdat() and ct3_build_cdat(), but that's
> > a slightly more ambitious cleanup, so
> > 
> > Reviewed-by: Markus Armbruster <armbru@redhat.com>
> >  
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>


> 
> Thanks! It's a good idea and I can continue to consider such the cleanup
> in the follow up.
> 
> Will also add the dereference description in commit message to make
> review easier.
> 
> Regards,
> Zhao
>