Re: [PULL 1/1] virtio-pci: fix use of a released vector

Tue, 16 Apr 2024 05:23:05 -0700 

On Tue, 16 Apr 2024 at 12:50, Peter Maydell <peter.mayd...@linaro.org> wrote:
>
> On Tue, 16 Apr 2024 at 12:05, Cindy Lu <l...@redhat.com> wrote:
> >
> > On Tue, Apr 16, 2024 at 6:01 PM Peter Maydell <peter.mayd...@linaro.org> 
> > wrote:
> > > Hi; Coverity points out what it thinks is a problem in
> > > this commit (CID 1543938):

> > > Here we pass that through to kvm_virtio_pci_vector_use_one().
> > > In kvm_virtio_pci_vector_use_one()'s error-exit path ("undo")
> > > it does
> > >     vector = virtio_queue_vector(vdev, queue_no);
> > > and in virtio_queue_vector() it does:
> > >
> > >     return n < VIRTIO_QUEUE_MAX ? vdev->vq[n].vector :
> > >         VIRTIO_NO_VECTOR;
> > >
> > > where 'n' is an int, so if we can get here with queue_no being
> > > VIRTIO_CONFIG_IRQ_IDX then we'll index off the front of the
> > > vdev->vq[] array.
> > >
> > > Maybe this is a "can't happen" case, but it does seem odd that
> > > virtio_queue_vector() only bounds-checks the "too big" case
> > > for its argument and not the "too small" case and/or it
> > > doesn't have a special case for VIRTIO_CONFIG_IRQ_IDX.
> > >
> > > > +    }
> > > > +}
> > > > +
> > >
> > hi peter
> > I think we can simply remove the part
> >     vector = virtio_queue_vector(vdev, queue_no);
> > the vector is get from virtio_pci_get_notifier() and don't need to get it 
> > again
> > I will send the fix soon
>
> The error handling in kvm_virtio_pci_vector_use_one() looks
> a bit odd in other ways, too. The only bit of "undoing"
> it does as far as I can see is calling kvm_virtio_pci_irqfd_release(),
> but there is no code path that gets to there where the
> main codepath's call to kvm_virtio-pci_irqfd_use() succeeded
> and needs to be undone. So perhaps the entire "undo" code
> block should be deleted, and the "goto undo" lines
> replaced by simple "return ret;" ?  (The codepath
> for "kvm_virtio_pci_irqfd_use() failed" already does the
> "kvm_virtio_pci_vq_vector_release()" by hand there.)

In any case since the error handling in kvm_virtio_pci_vector_use_one()
isn't new in this commit (you can get the same problem via
kvm_virtio_pci_vector_config_use(), which is CID 1468940
first detected in 2022), I think this is not something we need
to rush to fix before we release 9.0. If anybody disagrees now
would be a good time to say so :-)

Paolo's comment on CID 1468940 was to suggest "virtio_queue_vector
should check VIRTIO_CONFIG_IRQ_IDX just like virtio_pci_get_notifier",
incidentally.

thanks
-- PMM

Reply via email to