qemu/hw-display-macfb-Fix-missing-ERRP_GUARD-in-macfb_nub.patch

From c9ee283913cc9df8998a21544a68ac1d2f86aa49 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 19 Mar 2024 15:07:51 +0800
Subject: [PATCH] hw/display/macfb: Fix missing ERRP_GUARD() in
 macfb_nubus_realize()

cheery-pick from 5aa4a6417b0f7acbfd7f4c21dca26293bc3d9348

As the comment in qapi/error, dereferencing @errp requires
ERRP_GUARD():

* = Why, when and how to use ERRP_GUARD() =
*
* Without ERRP_GUARD(), use of the @errp parameter is restricted:
* - It must not be dereferenced, because it may be null.
...
* ERRP_GUARD() lifts these restrictions.
*
* To use ERRP_GUARD(), add it right at the beginning of the function.
* @errp can then be used without worrying about the argument being
* NULL or &error_fatal.
*
* Using it when it's not needed is safe, but please avoid cluttering
* the source with useless code.

But in macfb_nubus_realize(), @errp is dereferenced without
ERRP_GUARD():

ndc->parent_realize(dev, errp);
if (*errp) {
    return;
}

Here we check *errp, because the ndc->parent_realize(), as a
DeviceClass.realize() callback, returns void. And since
macfb_nubus_realize(), also as a DeviceClass.realize(), doesn't get the
NULL @errp parameter, it hasn't triggered the bug that dereferencing the
NULL @errp.

To follow the requirement of @errp, add missing ERRP_GUARD() in
macfb_nubus_realize().

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20240223085653.1255438-3-zhao1.liu@linux.intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
 hw/display/macfb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/display/macfb.c b/hw/display/macfb.c
index d61541ccb5..170da35757 100644
--- a/hw/display/macfb.c
+++ b/hw/display/macfb.c
@@ -714,6 +714,7 @@ static void macfb_nubus_set_irq(void *opaque, int n, int level)
 
 static void macfb_nubus_realize(DeviceState *dev, Error **errp)
 {
+    ERRP_GUARD();
     NubusDevice *nd = NUBUS_DEVICE(dev);
     MacfbNubusState *s = NUBUS_MACFB(dev);
     MacfbNubusDeviceClass *ndc = NUBUS_MACFB_GET_CLASS(dev);
-- 
2.27.0
QEMU update to version 8.2.0-2 - block: bugfix: Don't pause vm when NOSPACE EIO happened - block: enable cache mode of empty cdrom - block/mirror: fix file-system went to read-only after block-mirror - scsi-bus: fix incorrect call for blk_error_retry_reset_timeout() - scsi-bus: fix unmatched object_unref() - block: Add sanity check when setting retry parameters - block-backend: Stop retrying when draining - scsi-disk: Add support for retry on errors - scsi-bus: Refactor the code that retries requests - virtio_blk: Add support for retry on errors - block: Add error retry param setting - block-backend: Add timeout support for retry - block-backend: Enable retry action on errors - block-backend: Add device specific retry callback - block-backend: Introduce retry timer - qapi/block-core: Add retry option for error action - scsi: bugfix: fix division by zero - scsi: cdrom: Fix crash after remote cdrom detached - qemu-pr: fixed ioctl failed for multipath disk - scsi-disk: define props in scsi_block_disk to avoid memleaks - bugfix: fix possible memory leak - bugfix: fix some illegal memory access and memory leak - util/log: add CONFIG_DISABLE_QEMU_LOG macro - log: Add some logs on VM runtime path - bugfix: fix eventfds may double free when vm_id reused in ivshmem - hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize() - hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config() - qemu-img create: 'cache' paramter only use for reg file image - qemu-img: add qemu-img direct create - qemu-img block: set zero flags only when discard_zeros of the block supported - Revert "file-posix: Remove unused s->discard_zeroes" - pcie_sriov: Validate NumVFs (CVE-2024-26327) - hw/nvme: Use pcie_sriov_num_vfs() (CVE-2024-26328) - hw/acpi/cpu: Use CPUState typedef - target/i386/sev: Fix missing ERRP_GUARD() for error_prepend() - virtio-gpu: remove needless condition - hw/i2c/smbus_slave: Add object path on error prints - vfio/pci: Ascend710 change to bar2 quirk - vfio/pci: Ascend910 need 4Bytes quirk in bar0 - vfio/pci: Ascend710 need 4Bytes quirk in bar0 - vfio/pci: Ascend310 need 4Bytes quirk in bar4 - chardev/char-socket: Fix TLS io channels sending too much data to the backend - i386/cpuid: Move leaf 7 to correct group - i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F - i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs - i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available - blkio: Respect memory-alignment for bounce buffer allocations - virtio-gpu: Correct virgl_renderer_resource_get_info() error check - hw/usb: Style cleanup - tests/qemu-iotests: resolved the problem that the 108 test cases in the container fail Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit 404d45bf9147058a475a8031c454a6c8e0acc123) 2024-03-23 09:20:40 +08:00			`From c9ee283913cc9df8998a21544a68ac1d2f86aa49 Mon Sep 17 00:00:00 2001`
			`From: qihao <qihao_yewu@cmss.chinamobile.com>`
			`Date: Tue, 19 Mar 2024 15:07:51 +0800`
			`Subject: [PATCH] hw/display/macfb: Fix missing ERRP_GUARD() in`
			`macfb_nubus_realize()`

			`cheery-pick from 5aa4a6417b0f7acbfd7f4c21dca26293bc3d9348`

			`As the comment in qapi/error, dereferencing @errp requires`
			`ERRP_GUARD():`

			`* = Why, when and how to use ERRP_GUARD() =`
			`*`
			`* Without ERRP_GUARD(), use of the @errp parameter is restricted:`
			`* - It must not be dereferenced, because it may be null.`
			`...`
			`* ERRP_GUARD() lifts these restrictions.`
			`*`
			`* To use ERRP_GUARD(), add it right at the beginning of the function.`
			`* @errp can then be used without worrying about the argument being`
			`* NULL or &error_fatal.`
			`*`
			`* Using it when it's not needed is safe, but please avoid cluttering`
			`* the source with useless code.`

			`But in macfb_nubus_realize(), @errp is dereferenced without`
			`ERRP_GUARD():`

			`ndc->parent_realize(dev, errp);`
			`if (*errp) {`
			`return;`
			`}`

			`Here we check *errp, because the ndc->parent_realize(), as a`
			`DeviceClass.realize() callback, returns void. And since`
			`macfb_nubus_realize(), also as a DeviceClass.realize(), doesn't get the`
			`NULL @errp parameter, it hasn't triggered the bug that dereferencing the`
			`NULL @errp.`

			`To follow the requirement of @errp, add missing ERRP_GUARD() in`
			`macfb_nubus_realize().`

			`Suggested-by: Markus Armbruster <armbru@redhat.com>`
			`Signed-off-by: Zhao Liu <zhao1.liu@intel.com>`
			`Reviewed-by: Markus Armbruster <armbru@redhat.com>`
			`Message-Id: <20240223085653.1255438-3-zhao1.liu@linux.intel.com>`
			`Reviewed-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: Michael S. Tsirkin <mst@redhat.com>`
			`Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>`
			`---`
			`hw/display/macfb.c \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/hw/display/macfb.c b/hw/display/macfb.c`
			`index d61541ccb5..170da35757 100644`
			`--- a/hw/display/macfb.c`
			`+++ b/hw/display/macfb.c`
			`@@ -714,6 +714,7 @@ static void macfb_nubus_set_irq(void *opaque, int n, int level)`

			`static void macfb_nubus_realize(DeviceState dev, Error *errp)`
			`{`
			`+ ERRP_GUARD();`
			`NubusDevice *nd = NUBUS_DEVICE(dev);`
			`MacfbNubusState *s = NUBUS_MACFB(dev);`
			`MacfbNubusDeviceClass *ndc = NUBUS_MACFB_GET_CLASS(dev);`
			`--`
			`2.27.0`