From patchwork Mon Feb 24 06:42:17 2020
X-Patchwork-Submitter: "Longpeng (Mike, Cloud Infrastructure Service Product Dept.)"
X-Patchwork-Id: 1242822
From: "Longpeng(Mike)"
Subject: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read
Date: Mon, 24 Feb 2020 14:42:17 +0800
Message-ID: <20200224064219.1434-2-longpeng2@huawei.com>
In-Reply-To: <20200224064219.1434-1-longpeng2@huawei.com>
References: <20200224064219.1434-1-longpeng2@huawei.com>
Cc: longpeng2@huawei.com, arei.gonglei@huawei.com, huangzhichao@huawei.com, qemu-devel@nongnu.org, weifuqiang@huawei.com

From: Longpeng

vfio_pci_load_rom() may fail, and then vdev->rom is NULL in some situations (though I've not encountered it yet); maybe we should avoid the VM abort.

Signed-off-by: Longpeng
Reviewed-by: Laszlo Ersek
---
hw/vfio/pci.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c index 5e75a95..ed798ae 100644 --- a/hw/vfio/pci.c +++ b/hw/vfio/pci.c @@ -768,7 +768,7 @@ static void vfio_update_msi(VFIOPCIDevice *vdev) } } -static void vfio_pci_load_rom(VFIOPCIDevice *vdev) +static bool vfio_pci_load_rom(VFIOPCIDevice *vdev) { struct vfio_region_info *reg_info; uint64_t size;
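Review bot: the change from void to bool in this hunk carries no statement of what the return value means; add a one-line comment above the definition (for example `/* Returns true when vdev->rom has been populated, false if the ROM could not be read. */`) so a caller does not have to read the whole body to learn that false leaves vdev->rom NULL.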
@@ -778,7 +778,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) if (vfio_get_region_info(&vdev->vbasedev, VFIO_PCI_ROM_REGION_INDEX, ®_info)) { error_report("vfio: Error getting ROM info: %m"); - return; + return false; } trace_vfio_pci_load_rom(vdev->vbasedev.name, (unsigned long)reg_info->size, @@ -797,7 +797,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) error_printf("Device option ROM contents are probably invalid " "(check dmesg).\nSkip option ROM probe with rombar=0, " "or load from file with romfile=\n"); - return; + return false; } vdev->rom = g_malloc(size); @@ -849,6 +849,8 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) data[6] = -csum; } } + + return true; } static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size) 
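Review bot: in the @@ -778 hunk, the `return false` after `error_report("vfio: Error getting ROM info: %m");` leaves vdev->rom NULL and, as far as the hunk shows, does not touch vdev->rom_read_failed, while the lazy-load condition in vfio_rom_read only skips the load while `!vdev->rom_read_failed`. If the region-info ioctl fails persistently, every guest read of the ROM BAR repeats the ioctl and the error_report, so a guest can generate a stream of host log lines simply by polling its ROM. Latch the failure on that path (set vdev->rom_read_failed = true before returning false, or rate-limit the message) and confirm that the @@ -797 path already does so; the single `return true` added in @@ -849 is fine as the success exit.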
@@ -863,8 +865,9 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size) uint64_t data = 0; /* Load the ROM lazily when the guest tries to read it */ - if (unlikely(!vdev->rom && !vdev->rom_read_failed)) { - vfio_pci_load_rom(vdev); + if (unlikely(!vdev->rom && !vdev->rom_read_failed) && + !vfio_pci_load_rom(vdev)) { + return 0; } memcpy(&val, vdev->rom + addr,
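Review bot: the `return 0` in this hunk only covers the call on which the load fails. On the next read, `!vdev->rom && !vdev->rom_read_failed` can be false with vdev->rom still NULL (whenever rom_read_failed has been set), the short-circuit means vfio_pci_load_rom() is not called again, and execution falls through to `memcpy(&val, vdev->rom + addr, ...)` with a NULL base; whether that is benign relies on the length argument, which is cut off in this hunk, evaluating to zero in that state. A clearer and more robust shape is to keep the lazy-load attempt as it was and then guard the copy on the pointer itself: `if (!vdev->rom) { return 0; }` ahead of the memcpy handles both the just-failed and the previously-failed cases and states the invariant the fix depends on.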
From patchwork Mon Feb 24 06:42:18 2020
X-Patchwork-Submitter: "Longpeng (Mike, Cloud Infrastructure Service Product Dept.)"
X-Patchwork-Id: 1242823
From: "Longpeng(Mike)"
Subject: [PATCH RESEND 2/3] vhost: fix a null pointer reference of vhost_log
Date: Mon, 24 Feb 2020 14:42:18 +0800
Message-ID: <20200224064219.1434-3-longpeng2@huawei.com>
In-Reply-To: <20200224064219.1434-1-longpeng2@huawei.com>
References: <20200224064219.1434-1-longpeng2@huawei.com>
Cc: longpeng2@huawei.com, arei.gonglei@huawei.com, huangzhichao@huawei.com, qemu-devel@nongnu.org, weifuqiang@huawei.com

From: Longpeng

vhost_log_alloc() may fail and return a null log pointer. However, there are two places that dereference the returned pointer without a check.

Signed-off-by: Longpeng
---
hw/virtio/vhost.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c index 9edfadc..c7ad6e5 100644 --- a/hw/virtio/vhost.c +++ b/hw/virtio/vhost.c
@@ -219,6 +219,10 @@ static struct vhost_log *vhost_log_get(uint64_t size, bool share) if (!log || log->size != size) { log = vhost_log_alloc(size, share); + if (!log) { + return NULL; + } + if (share) { vhost_log_shm = log; } else { @@ -270,10 +274,17 @@ static bool vhost_dev_log_is_shared(struct vhost_dev *dev) static inline void vhost_dev_log_resize(struct vhost_dev *dev, uint64_t size) { - struct vhost_log *log = vhost_log_get(size, vhost_dev_log_is_shared(dev)); - uint64_t log_base = (uintptr_t)log->log; + struct vhost_log *log; + uint64_t log_base; int r; + log = vhost_log_get(size, vhost_dev_log_is_shared(dev)); + if (!log) { + return; + } + + log_base = (uintptr_t)log->log; + /* inform backend of log switching, this must be done before releasing the current log, to ensure no logging is lost */ r = dev->vhost_ops->vhost_set_log_base(dev, log_base, log); 
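Review bot: the NULL return added in the @@ -219 hunk is a new failure mode for every caller of vhost_log_get(), and this series handles only the two dereferences named in the commit message; confirm with a grep that vhost_dev_log_resize() and vhost_dev_start() are the only callers, otherwise the NULL now escapes into code that still assumes a valid pointer.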
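Review bot: the bare `return;` added to vhost_dev_log_resize() in the @@ -270 hunk turns an allocation failure into a silent no-op. The function is `static inline void`, so the caller cannot see that the backend was never told about the new log, and the comment right below (`inform backend of log switching, this must be done before releasing the current log, to ensure no logging is lost`) spells out what goes missing; for a dirty-page log that failure surfaces later as a migrated guest with stale memory rather than as an error at the point of failure. At minimum emit an error_report() naming the device and the requested size before returning; better, have the function return int and let the caller fail the operation that triggered the resize.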
@@ -1640,6 +1651,10 @@ int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev) hdev->log_size = vhost_get_log_size(hdev); hdev->log = vhost_log_get(hdev->log_size, vhost_dev_log_is_shared(hdev)); + if (!hdev->log) { + goto fail_vq; + } + log_base = (uintptr_t)hdev->log->log; r = hdev->vhost_ops->vhost_set_log_base(hdev, hdev->log_size ? log_base : 0,
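Review bot: in this hunk `goto fail_vq` is taken without assigning `r`, and the only visible assignment to `r` comes after the jump (`r = hdev->vhost_ops->vhost_set_log_base(...)`); if fail_vq returns r, vhost_dev_start() can report a stale value from an earlier step, possibly success, for a start that did not happen. Set `r = -ENOMEM;` (or whatever error vhost_log_alloc() reports) before the goto, and check that the fail_vq cleanup tolerates hdev->log == NULL, since it now runs in that state. Separately, the original code passed `hdev->log_size ? log_base : 0` to the backend, i.e. it tolerated a zero-size log; make sure vhost_log_get() cannot return NULL for size 0 on a valid configuration, or that case now fails to start.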
From patchwork Mon Feb 24 06:42:19 2020
X-Patchwork-Submitter: "Longpeng (Mike, Cloud Infrastructure Service Product Dept.)"
X-Patchwork-Id: 1242824
From: "Longpeng(Mike)"
Subject: [PATCH RESEND 3/3] util/pty: fix a null pointer reference in qemu_openpty_raw
Date: Mon, 24 Feb 2020 14:42:19 +0800
Message-ID: <20200224064219.1434-4-longpeng2@huawei.com>
In-Reply-To: <20200224064219.1434-1-longpeng2@huawei.com>
References: <20200224064219.1434-1-longpeng2@huawei.com>
Cc: longpeng2@huawei.com, arei.gonglei@huawei.com, huangzhichao@huawei.com, qemu-devel@nongnu.org, weifuqiang@huawei.com

From: Longpeng

q_ptsname may fail and return null, so using the returned pointer as the parameter of strcpy will cause a null pointer dereference. Use the name string returned by openpty instead of calling ptsname.

Signed-off-by: Longpeng
---
util/qemu-openpty.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/util/qemu-openpty.c b/util/qemu-openpty.c index 2e8b43b..2bea4ba 100644 --- a/util/qemu-openpty.c +++ b/util/qemu-openpty.c
@@ -112,13 +112,7 @@ int qemu_openpty_raw(int *aslave, char *pty_name) { int amaster; struct termios tty; -#if defined(__OpenBSD__) || defined(__DragonFly__) - char pty_buf[PATH_MAX]; -#define q_ptsname(x) pty_buf -#else - char *pty_buf = NULL; -#define q_ptsname(x) ptsname(x) -#endif + char pty_buf[PATH_MAX] = { 0 }; if (openpty(&amaster, aslave, pty_buf, NULL, NULL) < 0) { return -1; @@ -130,7 +124,7 @@ int qemu_openpty_raw(int *aslave, char *pty_name) tcsetattr(*aslave, TCSAFLUSH, &tty); if (pty_name) { - strcpy(pty_name, q_ptsname(amaster)); + strcpy(pty_name, pty_buf); } return amaster;
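Review bot: `strcpy(pty_name, pty_buf)` in the @@ -130 hunk still copies up to PATH_MAX bytes into a caller-supplied buffer whose size is not part of the qemu_openpty_raw() contract, so the patch removes one NULL source but keeps an unbounded copy. Either document that pty_name must be at least PATH_MAX bytes or, preferably, add a size parameter and use g_strlcpy() so a short caller buffer fails loudly instead of overflowing. Two points for the commit message as well: the `name` argument of openpty() is itself length-less (the Linux openpty(3) BUGS section notes that nobody knows how much space to reserve for it), which is why the `char pty_buf[PATH_MAX]` in the @@ -112 hunk is the only protection on that side; and the change drops the ptsname()-based path for every non-OpenBSD/DragonFly platform, so behaviour on a platform whose openpty() does not fill `name` should be confirmed.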