qemu/virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch

From 9cd544b83ccd37b9dd7977717a245437533830cd Mon Sep 17 00:00:00 2001
From: Cindy Lu <lulu@redhat.com>
Date: Tue, 6 Aug 2024 17:37:12 +0800
Subject: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd

The crash was reported in MAC OS and NixOS, here is the link for this bug
https://gitlab.com/qemu-project/qemu/-/issues/2334
https://gitlab.com/qemu-project/qemu/-/issues/2321

In this bug, they are using the virtio_input device. The guest notifier was
not supported for this device, The function virtio_pci_set_guest_notifiers()
was not called, and the vector_irqfd was not initialized.

So the fix is adding the check for vector_irqfd in virtio_pci_get_notifier()

The function virtio_pci_get_notifier() can be used in various devices.
It could also be called when VIRTIO_CONFIG_S_DRIVER_OK is not set. In this situation,
the vector_irqfd being NULL is acceptable. We can allow the device continue to boot

If the vector_irqfd still hasn't been initialized after VIRTIO_CONFIG_S_DRIVER_OK
is set, it means that the function set_guest_notifiers was not called before the
driver started. This indicates that the device is not using the notifier.
At this point, we will let the check fail.

This fix is verified in vyatta,MacOS,NixOS,fedora system.

The bt tree for this bug is:
Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7c817be006c0 (LWP 1269146)]
kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
817         if (irqfd->users == 0) {
(gdb) thread apply all bt
...
Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"):
0  kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
1  kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893
2  0x00005983657045e2 in memory_region_write_accessor () at ../qemu-9.0.0/system/memory.c:497
3  0x0000598365704ba6 in access_with_adjusted_size () at ../qemu-9.0.0/system/memory.c:573
4  0x0000598365705059 in memory_region_dispatch_write () at ../qemu-9.0.0/system/memory.c:1528
5  0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at ../qemu-9.0.0/system/physmem.c:2713
6  0x000059836570ba7d in flatview_write_continue () at ../qemu-9.0.0/system/physmem.c:2743
7  flatview_write () at ../qemu-9.0.0/system/physmem.c:2774
8  0x000059836570bb76 in address_space_write () at ../qemu-9.0.0/system/physmem.c:2894
9  0x0000598365763afe in address_space_rw () at ../qemu-9.0.0/system/physmem.c:2904
10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917
11 0x000059836576656e in kvm_vcpu_thread_fn () at ../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50
12 0x0000598365926ca8 in qemu_thread_start () at ../qemu-9.0.0/util/qemu-thread-posix.c:541
13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6
14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6

Fixes: 2ce6cff94d ("virtio-pci: fix use of a released vector")
Cc: qemu-stable@nongnu.org
Signed-off-by: Cindy Lu <lulu@redhat.com>
Message-Id: <20240806093715.65105-1-lulu@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit a8e63ff289d137197ad7a701a587cc432872d798)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
 hw/virtio/virtio-pci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 3ad7487411..06b125ec62 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -860,6 +860,9 @@ static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, int queue_no,
     VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
     VirtQueue *vq;
 
+    if (!proxy->vector_irqfd && vdev->status & VIRTIO_CONFIG_S_DRIVER_OK)
+        return -1;
+
     if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
         *n = virtio_config_get_guest_notifier(vdev);
         *vector = vdev->config_vector;
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-24: - ppc/xive: Fix ESB length overflow on 32-bit hosts - target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64 - target/ppc: Fix migration of CPUs with TLB_EMB TLB type - target/arm: Clear high SVE elements in handle_vec_simd_wshli - module: Prevent crash by resetting local_err in module_load_qom_all() - tests/docker: update debian i686 and mipsel images to bookworm - target/arm: Fix SVE SDOT/UDOT/USDOT (4-way, indexed) - docs/sphinx/depfile.py: Handle env.doc2path() returning a Path not a str - block/blkio: use FUA flag on write zeroes only if supported - virtio-pci: Fix the use of an uninitialized irqfd - hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() - intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL - virtio-net: Avoid indirection_table_mask overflow - Fix calculation of minimum in colo_compare_tcp - target/riscv/csr.c: Fix an access to VXSAT - linux-user: Clean up unused header - raw-format: Fix error message for invalid offset/size - hw/loongarch/virt: Remove unnecessary 'cpu.h' inclusion - tests: Wait for migration completion on destination QEMU to avoid failures - acpi: ged: Add macro for acpi sleep control register - hw/intc/openpic: Improve errors for out of bounds property values - hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge - docs/tools/qemu-img.rst: fix typo (sumarizes) - audio/pw: Report more accurate error when connecting to PipeWire fails - audio/pw: Report more accurate error when connecting to PipeWire fails - dma: Fix function names in documentation Ensure the function names match. - edu: fix DMA range upper bound check - platform-bus: fix refcount leak - hw/net/can/sja1000: fix bug for single acceptance filter and standard frame - tests/avocado: fix typo in replay_linux - util/userfaultfd: Remove unused uffd_poll_events - Consider discard option when writing zeros - crypto: factor out conversion of QAPI to gcrypt constants - crypto: drop gnutls debug logging support - crypto: use consistent error reporting pattern for unsupported cipher modes - hw/gpio/aspeed_gpio: Avoid shift into sign bit Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit b6e04df301d30895427ab41a1edff0f40149bdd9) 2024-11-30 08:36:49 +08:00			`From 9cd544b83ccd37b9dd7977717a245437533830cd Mon Sep 17 00:00:00 2001`
			`From: Cindy Lu <lulu@redhat.com>`
			`Date: Tue, 6 Aug 2024 17:37:12 +0800`
			`Subject: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd`

			`The crash was reported in MAC OS and NixOS, here is the link for this bug`
			`https://gitlab.com/qemu-project/qemu/-/issues/2334`
			`https://gitlab.com/qemu-project/qemu/-/issues/2321`

			`In this bug, they are using the virtio_input device. The guest notifier was`
			`not supported for this device, The function virtio_pci_set_guest_notifiers()`
			`was not called, and the vector_irqfd was not initialized.`

			`So the fix is adding the check for vector_irqfd in virtio_pci_get_notifier()`

			`The function virtio_pci_get_notifier() can be used in various devices.`
			`It could also be called when VIRTIO_CONFIG_S_DRIVER_OK is not set. In this situation,`
			`the vector_irqfd being NULL is acceptable. We can allow the device continue to boot`

			`If the vector_irqfd still hasn't been initialized after VIRTIO_CONFIG_S_DRIVER_OK`
			`is set, it means that the function set_guest_notifiers was not called before the`
			`driver started. This indicates that the device is not using the notifier.`
			`At this point, we will let the check fail.`

			`This fix is verified in vyatta,MacOS,NixOS,fedora system.`

			`The bt tree for this bug is:`
			`Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.`
			`[Switching to Thread 0x7c817be006c0 (LWP 1269146)]`
			`kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817`
			`817 if (irqfd->users == 0) {`
			`(gdb) thread apply all bt`
			`...`
			`Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"):`
			`0 kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817`
			`1 kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893`
			`2 0x00005983657045e2 in memory_region_write_accessor () at ../qemu-9.0.0/system/memory.c:497`
			`3 0x0000598365704ba6 in access_with_adjusted_size () at ../qemu-9.0.0/system/memory.c:573`
			`4 0x0000598365705059 in memory_region_dispatch_write () at ../qemu-9.0.0/system/memory.c:1528`
			`5 0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at ../qemu-9.0.0/system/physmem.c:2713`
			`6 0x000059836570ba7d in flatview_write_continue () at ../qemu-9.0.0/system/physmem.c:2743`
			`7 flatview_write () at ../qemu-9.0.0/system/physmem.c:2774`
			`8 0x000059836570bb76 in address_space_write () at ../qemu-9.0.0/system/physmem.c:2894`
			`9 0x0000598365763afe in address_space_rw () at ../qemu-9.0.0/system/physmem.c:2904`
			`10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917`
			`11 0x000059836576656e in kvm_vcpu_thread_fn () at ../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50`
			`12 0x0000598365926ca8 in qemu_thread_start () at ../qemu-9.0.0/util/qemu-thread-posix.c:541`
			`13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6`
			`14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6`

			`Fixes: 2ce6cff94d ("virtio-pci: fix use of a released vector")`
			`Cc: qemu-stable@nongnu.org`
			`Signed-off-by: Cindy Lu <lulu@redhat.com>`
			`Message-Id: <20240806093715.65105-1-lulu@redhat.com>`
			`Acked-by: Jason Wang <jasowang@redhat.com>`
			`Reviewed-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Michael S. Tsirkin <mst@redhat.com>`
			`(cherry picked from commit a8e63ff289d137197ad7a701a587cc432872d798)`
			`Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>`
			`---`
			`hw/virtio/virtio-pci.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c`
			`index 3ad7487411..06b125ec62 100644`
			`--- a/hw/virtio/virtio-pci.c`
			`+++ b/hw/virtio/virtio-pci.c`
			`@@ -860,6 +860,9 @@ static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, int queue_no,`
			`VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);`
			`VirtQueue *vq;`

			`+ if (!proxy->vector_irqfd && vdev->status & VIRTIO_CONFIG_S_DRIVER_OK)`
			`+ return -1;`
			`+`
			`if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {`
			`*n = virtio_config_get_guest_notifier(vdev);`
			`*vector = vdev->config_vector;`
			`--`
			`2.41.0.windows.1`