From: Cindy Lu <lulu@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, qemu-stable@nongnu.org,
Lei Yang <leiyang@redhat.com>, Jason Wang <jasowang@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PULL 1/1] virtio-pci: fix use of a released vector
Date: Tue, 16 Apr 2024 21:06:02 +0800 [thread overview]
Message-ID: <CACLfguWfxarkB2qtn4Dt5JS01t-tFUsOfbX486exvNo8vOM1AA@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA_AcKdOXO3+ez6J+hQ4NmGoUa+fBUNK3XL_YSvRk09Gcg@mail.gmail.com>
On Tue, Apr 16, 2024 at 8:22 PM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Tue, 16 Apr 2024 at 12:50, Peter Maydell <peter.maydell@linaro.org> wrote:
> >
> > On Tue, 16 Apr 2024 at 12:05, Cindy Lu <lulu@redhat.com> wrote:
> > >
> > > On Tue, Apr 16, 2024 at 6:01 PM Peter Maydell <peter.maydell@linaro.org> wrote:
> > > > Hi; Coverity points out what it thinks is a problem in
> > > > this commit (CID 1543938):
>
> > > > Here we pass that through to kvm_virtio_pci_vector_use_one().
> > > > In kvm_virtio_pci_vector_use_one()'s error-exit path ("undo")
> > > > it does
> > > > vector = virtio_queue_vector(vdev, queue_no);
> > > > and in virtio_queue_vector() it does:
> > > >
> > > > return n < VIRTIO_QUEUE_MAX ? vdev->vq[n].vector :
> > > > VIRTIO_NO_VECTOR;
> > > >
> > > > where 'n' is an int, so if we can get here with queue_no being
> > > > VIRTIO_CONFIG_IRQ_IDX then we'll index off the front of the
> > > > vdev->vq[] array.
> > > >
> > > > Maybe this is a "can't happen" case, but it does seem odd that
> > > > virtio_queue_vector() only bounds-checks the "too big" case
> > > > for its argument and not the "too small" case and/or it
> > > > doesn't have a special case for VIRTIO_CONFIG_IRQ_IDX.
> > > >
> > > > > + }
> > > > > +}
> > > > > +
> > > >
> > > hi peter
> > > I think we can simply remove the part
> > > vector = virtio_queue_vector(vdev, queue_no);
> > > the vector is get from virtio_pci_get_notifier() and don't need to get it again
> > > I will send the fix soon
> >
> > The error handling in kvm_virtio_pci_vector_use_one() looks
> > a bit odd in other ways, too. The only bit of "undoing"
> > it does as far as I can see is calling kvm_virtio_pci_irqfd_release(),
> > but there is no code path that gets to there where the
> > main codepath's call to kvm_virtio-pci_irqfd_use() succeeded
> > and needs to be undone. So perhaps the entire "undo" code
> > block should be deleted, and the "goto undo" lines
> > replaced by simple "return ret;" ? (The codepath
> > for "kvm_virtio_pci_irqfd_use() failed" already does the
> > "kvm_virtio_pci_vq_vector_release()" by hand there.)
>
> In any case since the error handling in kvm_virtio_pci_vector_use_one()
> isn't new in this commit (you can get the same problem via
> kvm_virtio_pci_vector_config_use(), which is CID 1468940
> first detected in 2022), I think this is not something we need
> to rush to fix before we release 9.0. If anybody disagrees now
> would be a good time to say so :-)
>
> Paolo's comment on CID 1468940 was to suggest "virtio_queue_vector
> should check VIRTIO_CONFIG_IRQ_IDX just like virtio_pci_get_notifier",
> incidentally.
>
Hi peter,
Really sorry all these mess, but I still have a stuipid question,
where can I get
this CID result ?maybe there are a mailing list?I just wonder maybe I can fix
these code earlier next time, Really thanks for your help
thanks
cindy
> thanks
> -- PMM
>
next prev parent reply other threads:[~2024-04-16 13:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-15 10:52 [PULL 0/1] virtio: bugfix Michael S. Tsirkin
2024-04-15 10:52 ` [PULL 1/1] virtio-pci: fix use of a released vector Michael S. Tsirkin
2024-04-16 10:01 ` Peter Maydell
2024-04-16 11:04 ` Cindy Lu
2024-04-16 11:50 ` Peter Maydell
2024-04-16 12:22 ` Peter Maydell
2024-04-16 13:06 ` Cindy Lu [this message]
2024-04-16 13:11 ` Peter Maydell
2024-04-16 12:47 ` Cindy Lu
2024-04-15 14:24 ` [PULL 0/1] virtio: bugfix Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACLfguWfxarkB2qtn4Dt5JS01t-tFUsOfbX486exvNo8vOM1AA@mail.gmail.com \
--to=lulu@redhat.com \
--cc=jasowang@redhat.com \
--cc=leiyang@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).