Message-ID: <1421077015.6130.18.camel@redhat.com>
From: Alex Williamson
Date: Mon, 12 Jan 2015 08:36:55 -0700
In-Reply-To: <1421068903-8981-3-git-send-email-b.reynal@virtualopensystems.com>
References: <1421068903-8981-1-git-send-email-b.reynal@virtualopensystems.com>
 <1421068903-8981-3-git-send-email-b.reynal@virtualopensystems.com>
Subject: Re: [Qemu-devel] [RFC PATCH 2/4] hw/vfio/common.c : vfio_get_dev_property
To: Baptiste Reynal
Cc: eric.auger@linaro.org, tech@virtualopensystems.com, qemu-devel@nongnu.org, kvmarm@lists.cs.columbia.edu

On Mon, 2015-01-12 at 14:21 +0100, Baptiste Reynal wrote:
> Add a function to handle ioctl VFIO_DEVICE_GET_DEV_PROPERTY
> to retrieve properties from a VFIO device.
> 
> Signed-off-by: Baptiste Reynal
> ---
>  hw/vfio/common.c              | 33 +++++++++++++++++++++++++++++++++
>  include/hw/vfio/vfio-common.h |  2 ++
>  2 files changed, 35 insertions(+)
> 
> diff --git a/hw/vfio/common.c b/hw/vfio/common.c
> index ba00ec9..698d2c4 100644
> --- a/hw/vfio/common.c
> +++ b/hw/vfio/common.c
> @@ -958,3 +958,36 @@ int vfio_container_ioctl(AddressSpace *as, int32_t groupid,
>  
>      return vfio_container_do_ioctl(as, groupid, req, param);
>  }
> +
> +struct vfio_dev_property *vfio_get_dev_property(int device, const char *name,
> +                                                unsigned int type)
> +{
> +    unsigned int length = 0;
> +    struct vfio_dev_property *property = NULL;
> +    int ret;
> +
> +    length = strlen(name) + 1;
> +
> +    while (1) {
> +        unsigned int argsz = sizeof(struct vfio_dev_property) + length;
> +        property = realloc(property, argsz);

By my read, realloc() doesn't give zeroed memory, so property->length is
uninitialized here.

> +        property->argsz = argsz;
> +        property->type = type;
> +        strcpy((char *) property->data, name);
> +
> +        ret = ioctl(device, VFIO_DEVICE_GET_DEV_PROPERTY, property);

This ioctl might not exist.

> +        if (length < property->length) {

Which means this compares length to random memory and potentially causes a
segfault when trying to realloc.

What types of devices are going to have VFIO_DEVICE_GET_DEV_PROPERTY and is
this appropriate for common?

The error and return here leave something to be desired. Maybe only return
for a given error.

> +            length = property->length;
> +        } else {
> +            break;
> +        }
> +    }
> +
> +    if (ret) {
> +        g_free(property);
> +        property = NULL;
> +    }
> +
> +    return property;
> +}
> diff --git a/include/hw/vfio/vfio-common.h b/include/hw/vfio/vfio-common.h
> index 2f1b09c..9c649cd 100644
> --- a/include/hw/vfio/vfio-common.h
> +++ b/include/hw/vfio/vfio-common.h
> @@ -149,6 +149,8 @@ VFIOGroup *vfio_get_group(int groupid, AddressSpace *as);
>  void vfio_put_group(VFIOGroup *group);
>  int vfio_get_device(VFIOGroup *group, const char *name,
>                      VFIODevice *vbasedev);
> +struct vfio_dev_property *vfio_get_dev_property(int device, const char *name,
> +                                                unsigned int type);
>  
>  extern const MemoryRegionOps vfio_region_ops;
>  extern const MemoryListener vfio_memory_listener;
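Review bot: in the vfio_get_dev_property hunk the allocator is mismatched and the allocation is unchecked: the buffer comes from `property = realloc(property, argsz);` but is released with `g_free(property);`, and a NULL return from realloc would be dereferenced at `property->argsz = argsz;`. Use one allocator (g_realloc/g_free in QEMU, which also aborts on failure rather than returning NULL) and, since `ret` is only consulted after the loop, test it (and errno) before `if (length < property->length) {` so that a failed or unsupported ioctl never feeds a stale or uninitialised `length` back into the next allocation; a cap on `argsz` would also stop a kernel that keeps reporting a larger length from growing the buffer forever. A comment stating that the returned buffer is owned by the caller would help too.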
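Review bot: the prototype added to vfio-common.h takes a raw `int device` while the neighbouring declarations, such as `int vfio_get_device(VFIOGroup *group, const char *name, VFIODevice *vbasedev);`, work in terms of VFIOGroup and VFIODevice; taking a `VFIODevice *` would match the file's conventions and keep the descriptor inside the VFIO layer. The declaration also gives no hint that the `struct vfio_dev_property` it returns is allocated by the callee and must be freed by the caller; a one-line comment on ownership belongs here.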
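The review above points at three defects in the grow-and-retry loop: `property->length` is read from memory that realloc() never initialised, the ioctl result is ignored before that length is trusted, and the loop has no upper bound. The block below is an added example written for this page, not code from the RFC patch or from QEMU, showing how such an argsz-style query loop can be written so that none of those failure modes is reachable. Everything in it is an assumption made for illustration: the `struct dev_property` layout (chosen to mirror the fields the patch touches), the convention that a too-small buffer fails with ENOSPC and a filled-in `length`, the function names, and the two mock "kernel" back-ends that stand in for the real ioctl so the code runs offline. The sample property name and value are constructed.

```c
/* Added example, not code from the RFC patch or from QEMU: a hardened
 * grow-and-retry loop for an argsz-style, variable-size property ioctl.
 * The struct layout, the ioctl semantics and the mock "kernel" back-ends
 * are assumptions for illustration; a real caller would pass ioctl(). */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout mirroring the fields the patch uses. */
struct dev_property {
    uint32_t argsz;   /* total bytes of this buffer, set by the caller */
    uint32_t type;    /* property type requested */
    uint32_t length;  /* bytes of data needed / filled in by the kernel */
    uint8_t  data[];  /* in: NUL-terminated name; out: property value */
};

/* Bound on growth so a kernel that keeps asking for more cannot spin us. */
#define MAX_PROPERTY_ARGSZ (64u * 1024u)

/* The ioctl is abstracted so the example runs without a VFIO device. */
typedef int (*property_ioctl_fn)(struct dev_property *p);

/* Returns a caller-owned buffer (release with free()) or NULL on error.
 * Compared with the RFC loop: memory is zeroed after realloc so length is
 * never read uninitialised, realloc failure is handled, the ioctl result
 * and errno are checked before p->length is trusted (an unsupported ioctl
 * fails with ENOTTY and is final), and growth is bounded. */
struct dev_property *get_dev_property(property_ioctl_fn do_ioctl,
                                      const char *name, uint32_t type)
{
    size_t name_len = strlen(name) + 1;  /* include the NUL */
    size_t need = name_len;              /* data bytes requested so far */
    struct dev_property *p = NULL;

    for (;;) {
        size_t argsz = sizeof(*p) + need;
        struct dev_property *np;

        if (argsz > MAX_PROPERTY_ARGSZ || (np = realloc(p, argsz)) == NULL) {
            free(p);
            return NULL;
        }
        p = np;
        memset(p, 0, argsz);             /* defined contents, incl. length */
        p->argsz = (uint32_t)argsz;
        p->type = type;
        memcpy(p->data, name, name_len); /* name_len <= need always holds */

        if (do_ioctl(p) == 0) {
            return p;                    /* value in p->data, p->length */
        }
        /* Only "too small" with a strictly larger size reported is a
         * reason to retry; EINVAL, ENOTTY and the rest are final. */
        if (errno != ENOSPC || p->length <= need) {
            free(p);
            return NULL;
        }
        need = p->length;
    }
}

/* Mock back-end 1: one string property "compatible" (constructed value),
 * reporting the needed size with ENOSPC when the buffer is too small. */
static const char mock_name[]  = "compatible";
static const char mock_value[] = "vendor,example-device";

int mock_property_ioctl(struct dev_property *p)
{
    size_t avail = p->argsz > sizeof(*p) ? p->argsz - sizeof(*p) : 0;

    /* Never trust the caller's string to be terminated inside the buffer. */
    if (avail == 0 || memchr(p->data, '\0', avail) == NULL ||
        p->type != 1 || strcmp((const char *)p->data, mock_name) != 0) {
        errno = EINVAL;
        return -1;
    }
    p->length = sizeof(mock_value);
    if (avail < p->length) {
        errno = ENOSPC;                  /* grow and retry */
        return -1;
    }
    memcpy(p->data, mock_value, sizeof(mock_value));
    return 0;
}

/* Mock back-end 2: a misbehaving kernel that always asks for twice the
 * space it was given; a correct client must give up, not loop forever. */
int mock_greedy_ioctl(struct dev_property *p)
{
    p->length = 2 * (p->argsz - (uint32_t)sizeof(*p));
    errno = ENOSPC;
    return -1;
}

/* Check helper: 1 if the lookup succeeds and yields `expect`, else 0. */
int lookup_yields(property_ioctl_fn fn, const char *name, uint32_t type,
                  const char *expect)
{
    struct dev_property *p = get_dev_property(fn, name, type);
    int ok = p != NULL && p->length == strlen(expect) + 1 &&
             strcmp((const char *)p->data, expect) == 0;
    free(p);
    return ok;
}
```

The first mock makes the client take exactly two trips (the initial buffer only has room for the name), the second shows why the `argsz` cap and the "strictly larger" test matter: without them the loop never terminates. In QEMU proper the same structure would use g_realloc/g_free throughout rather than mixing libc realloc with g_free as the hunk does.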