From: Albert Esteve <aesteve@redhat.com>
To: qemu-devel@nongnu.org
Cc: alex.bennee@linaro.org, "Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: [PATCH] hw/virtio/vhost-user: avoid using unitialized errp
Date: Thu, 2 Mar 2023 13:31:33 +0100
Message-ID: <CADSE00KE_QAJVTAp2g1C7_Xuyh6e8C5NMU2rwLjD4K3NX8_7fg@mail.gmail.com>
In-Reply-To: <20230302121719.9390-1-aesteve@redhat.com>


Hi,

I found the issue by chance, while working on not-yet-upstreamed virtio code. I am not sure if there is any QEMU stub currently upstreamed that does not support an F_CONFIG backend, to be able to trigger the error. It may as well be that this branch of the condition is never executed.

Nonetheless, the segfault can be triggered using tests/qtest/vhost-user-test, e.g., with the virtio-gpio device. We can force the QEMU side to go into the else part of the supports_f_config by applying this patch:
diff --git a/hw/virtio/vhost-user-gpio.c b/hw/virtio/vhost-user-gpio.c
index fe3da32c74..23634e74ce 100644
--- a/hw/virtio/vhost-user-gpio.c
+++ b/hw/virtio/vhost-user-gpio.c
@@ -226,8 +226,8 @@ static int vu_gpio_connect(DeviceState *dev, Error
**errp)
     }
     gpio->connected = true;

-    vhost_dev_set_config_notifier(vhost_dev, &gpio_ops);
-    gpio->vhost_user.supports_config = true;
+    //vhost_dev_set_config_notifier(vhost_dev, &gpio_ops);
+    gpio->vhost_user.supports_config = false;

     ret = vhost_dev_init(vhost_dev, &gpio->vhost_user,
                          VHOST_BACKEND_TYPE_USER, 0, errp);
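Review bot: the `//vhost_dev_set_config_notifier(vhost_dev, &gpio_ops);` line leaves commented-out code behind, and QEMU's checkpatch rejects C99 `//` comments; since the only purpose of this throwaway change is to clear `gpio->vhost_user.supports_config` so that a backend advertising F_CONFIG lands in the else branch, delete the call outright, and if this is ever turned into a real test, drive that flag from the test side (a device property or test-only knob) rather than editing the device model.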

Without the patch the test would cause the segfault. Otherwise, it prints
the warning and fails afterwards.

I couldn't find a good way to properly cover this in a test, but I can try,
and add it to this patch if anyone has a suggestion.

BR,
Albert Esteve

On Thu, Mar 2, 2023 at 1:17 PM Albert Esteve <aesteve@redhat.com> wrote:

> During protocol negotiation, when the QEMU
> stub does not support a backend with F_CONFIG,
> it throws a warning and suppresses the
> VHOST_USER_PROTOCOL_F_CONFIG bit.
>
> However, the warning uses warn_reportf_err macro
> and passes an uninitialized errp pointer. However,
> the macro tries to edit the 'msg' member of the
> uninitialized Error and segfaults.
>
> Instead, just use warn_report, which prints a
> warning message directly to the output.
>
> Fixes: 5653493 ("hw/virtio/vhost-user: don't suppress F_CONFIG when
> supported")
> Signed-off-by: Albert Esteve <aesteve@redhat.com>
> ---
>  hw/virtio/vhost-user.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
> index e68daa35d4..34c331b3ba 100644
> --- a/hw/virtio/vhost-user.c
> +++ b/hw/virtio/vhost-user.c
> @@ -2031,8 +2031,8 @@ static int vhost_user_backend_init(struct vhost_dev
> *dev, void *opaque,
>          } else {
>              if (virtio_has_feature(protocol_features,
>                                     VHOST_USER_PROTOCOL_F_CONFIG)) {
> -                warn_reportf_err(*errp, "vhost-user backend supports "
> -                                 "VHOST_USER_PROTOCOL_F_CONFIG but QEMU
> does not.");
> +                warn_report("vhost-user backend supports "
> +                            "VHOST_USER_PROTOCOL_F_CONFIG but QEMU does
> not.");
>                  protocol_features &= ~(1ULL <<
> VHOST_USER_PROTOCOL_F_CONFIG);
>              }
>          }
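Review bot: the crash is a NULL dereference rather than an uninitialized pointer: on this branch nothing has called error_setg(), so `*errp` is still NULL per the errp convention, and warn_reportf_err() reads the `msg` of the Error it is handed in order to prepend to it; switching to warn_report() is the right fix because this is a warning on a non-error path, where the caller's errp must stay untouched. The commit message would be clearer stating that (and "unitialized" is a typo in both the subject and the body).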
> --
> 2.39.1
>
>
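To make the errp convention behind this fix concrete, here is an added toy model in C; it is not QEMU code, and the `Error` struct and the `error_setg`/`warn_reportf_err` stand-ins are simplified assumptions of this example. It shows that a reporter which consumes an Error must be handed one that actually exists, while a plain warning on a non-error path needs none and must leave the caller's errp clear.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of QEMU's Error object and errp convention (added example, not
 * QEMU code): callers pass Error **errp with *errp == NULL, and only
 * error_setg() allocates the pointee. Output goes to a buffer for checking. */
typedef struct Error { const char *msg; } Error;
static void error_setg(Error **errp, const char *msg)
{
    Error *err = malloc(sizeof *err);
    err->msg = msg;
    *errp = err;
}

/* Stands in for warn_reportf_err(): prepends to an existing Error's msg,
 * reports it and frees it. The real macro reads err->msg unconditionally,
 * so a NULL err faults; the guard here only turns that into a false return. */
static bool warn_reportf_err(Error *err, const char *prefix, char *out, size_t n)
{
    if (!err) {
        snprintf(out, n, "BUG: warn_reportf_err() given a NULL Error");
        return false;
    }
    snprintf(out, n, "warning: %s%s", prefix, err->msg);
    free(err);
    return true;
}
/* The mismatch branch before the fix: nothing set an error on this path,
 * so *errp is NULL and the consuming reporter is misused. */
static bool report_mismatch_before_fix(Error **errp, char *out, size_t n)
{
    return warn_reportf_err(*errp, "F_CONFIG: ", out, n);
}
/* After the fix, warn_report() needs no Error object; the caller's errp
 * stays clear because this is not an error path. */
static bool report_mismatch_after_fix(Error **errp, char *out, size_t n)
{
    snprintf(out, n, "warning: backend supports F_CONFIG but QEMU does not.");
    return *errp == NULL;
}
/* Correct use of the consuming reporter: only once error_setg() has made
 * the Error being wrapped. */
static bool report_real_error(char *out, size_t n)
{
    Error *local_err = NULL;
    error_setg(&local_err, "backend refused config");
    return warn_reportf_err(local_err, "F_CONFIG: ", out, n);
}
```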

