vhost: fix log base address

VHOST_SET_LOG_BASE got an incorrect address, causing
migration errors and potentially even memory corruption.

Cc: Peter Maydell <peter.maydell@linaro.org>
Reported-by: Wen Congyang <wency@cn.fujitsu.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

Could you please confirm this fixes the problem for you?

 hw/virtio/vhost.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

On 2015/4/15 17:37, Michael S. Tsirkin wrote:
> VHOST_SET_LOG_BASE got an incorrect address, causing
> migration errors and potentially even memory corruption.
>
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Reported-by: Wen Congyang <wency@cn.fujitsu.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>
> Could you please confirm this fixes the problem for you?
>
>   hw/virtio/vhost.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
> index 8dd2f59..02c5604 100644
> --- a/hw/virtio/vhost.c
> +++ b/hw/virtio/vhost.c
> @@ -1016,10 +1016,13 @@ int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev)
>       }
>
>       if (hdev->log_enabled) {
> +        uint64_t log_base;
> +
>           hdev->log_size = vhost_get_log_size(hdev);
>           hdev->log = hdev->log_size ?
>               g_malloc0(hdev->log_size * sizeof *hdev->log) : NULL;
> -        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE, hdev->log);
> +        log_base = (uint64_t)(unsigned long)log_base;
                                                ^^^^^^^^

s/log_base/hdev->log ?

> +        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE, &log_base);
>           if (r < 0) {
>               r = -errno;
>               goto fail_log;
>

On 04/15/2015 05:56 PM, zhanghailiang wrote:
> On 2015/4/15 17:37, Michael S. Tsirkin wrote:
>> VHOST_SET_LOG_BASE got an incorrect address, causing
>> migration errors and potentially even memory corruption.
>>
>> Cc: Peter Maydell <peter.maydell@linaro.org>
>> Reported-by: Wen Congyang <wency@cn.fujitsu.com>
>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>> ---
>>
>> Could you please confirm this fixes the problem for you?
>>
>>   hw/virtio/vhost.c | 5 ++++-
>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
>> index 8dd2f59..02c5604 100644
>> --- a/hw/virtio/vhost.c
>> +++ b/hw/virtio/vhost.c
>> @@ -1016,10 +1016,13 @@ int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev)
>>       }
>>
>>       if (hdev->log_enabled) {
>> +        uint64_t log_base;
>> +
>>           hdev->log_size = vhost_get_log_size(hdev);
>>           hdev->log = hdev->log_size ?
>>               g_malloc0(hdev->log_size * sizeof *hdev->log) : NULL;
>> -        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE, hdev->log);
>> +        log_base = (uint64_t)(unsigned long)log_base;
>                                                ^^^^^^^^
> 
> s/log_base/hdev->log ?

I test the patch with this modification. It works for me.

Thanks
Wen Congyang

> 
>> +        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE, &log_base);
>>           if (r < 0) {
>>               r = -errno;
>>               goto fail_log;
>>
> 
> 
> .
>

On 15/04/2015 11:56, zhanghailiang wrote:
> On 2015/4/15 17:37, Michael S. Tsirkin wrote:
>> VHOST_SET_LOG_BASE got an incorrect address, causing
>> migration errors and potentially even memory corruption.
>>
>> Cc: Peter Maydell <peter.maydell@linaro.org>
>> Reported-by: Wen Congyang <wency@cn.fujitsu.com>
>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>> ---
>>
>> Could you please confirm this fixes the problem for you?
>>
>>   hw/virtio/vhost.c | 5 ++++-
>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
>> index 8dd2f59..02c5604 100644
>> --- a/hw/virtio/vhost.c
>> +++ b/hw/virtio/vhost.c
>> @@ -1016,10 +1016,13 @@ int vhost_dev_start(struct vhost_dev *hdev,
>> VirtIODevice *vdev)
>>       }
>>
>>       if (hdev->log_enabled) {
>> +        uint64_t log_base;
>> +
>>           hdev->log_size = vhost_get_log_size(hdev);
>>           hdev->log = hdev->log_size ?
>>               g_malloc0(hdev->log_size * sizeof *hdev->log) : NULL;
>> -        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE,
>> hdev->log);
>> +        log_base = (uint64_t)(unsigned long)log_base;
>                                                ^^^^^^^^
> 
> s/log_base/hdev->log ?

Also s/unsigned long/uintptr_t/ please.  The subsequent cast to uint64_t
is not necessary.

Paolo

>> +        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE,
>> &log_base);
>>           if (r < 0) {
>>               r = -errno;
>>               goto fail_log;
>>
> 
> 
> 
>

On 04/17/2015 05:26 AM, Paolo Bonzini wrote:
> 
> 
> On 15/04/2015 11:56, zhanghailiang wrote:
>> On 2015/4/15 17:37, Michael S. Tsirkin wrote:
>>> VHOST_SET_LOG_BASE got an incorrect address, causing
>>> migration errors and potentially even memory corruption.
>>>
>>> Cc: Peter Maydell <peter.maydell@linaro.org>
>>> Reported-by: Wen Congyang <wency@cn.fujitsu.com>
>>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>>> ---
>>>
>>> Could you please confirm this fixes the problem for you?
>>>
>>>   hw/virtio/vhost.c | 5 ++++-
>>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
>>> index 8dd2f59..02c5604 100644
>>> --- a/hw/virtio/vhost.c
>>> +++ b/hw/virtio/vhost.c
>>> @@ -1016,10 +1016,13 @@ int vhost_dev_start(struct vhost_dev *hdev,
>>> VirtIODevice *vdev)
>>>       }
>>>
>>>       if (hdev->log_enabled) {
>>> +        uint64_t log_base;
>>> +
>>>           hdev->log_size = vhost_get_log_size(hdev);
>>>           hdev->log = hdev->log_size ?
>>>               g_malloc0(hdev->log_size * sizeof *hdev->log) : NULL;
>>> -        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE,
>>> hdev->log);
>>> +        log_base = (uint64_t)(unsigned long)log_base;
>>                                                ^^^^^^^^
>>
>> s/log_base/hdev->log ?
> 
> Also s/unsigned long/uintptr_t/ please.  The subsequent cast to uint64_t
> is not necessary.

Should we also update vhost_dev_log_resize()?

Thanks
Wen Congyang

> 
> Paolo
> 
>>> +        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE,
>>> &log_base);
>>>           if (r < 0) {
>>>               r = -errno;
>>>               goto fail_log;
>>>
>>
>>
>>
>>
> 
>

On 16 April 2015 at 22:26, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
>
> On 15/04/2015 11:56, zhanghailiang wrote:
>> On 2015/4/15 17:37, Michael S. Tsirkin wrote:
>>> VHOST_SET_LOG_BASE got an incorrect address, causing
>>> migration errors and potentially even memory corruption.
>>>
>>> Cc: Peter Maydell <peter.maydell@linaro.org>
>>> Reported-by: Wen Congyang <wency@cn.fujitsu.com>
>>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>>> ---
>>>
>>> Could you please confirm this fixes the problem for you?
>>>
>>>   hw/virtio/vhost.c | 5 ++++-
>>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
>>> index 8dd2f59..02c5604 100644
>>> --- a/hw/virtio/vhost.c
>>> +++ b/hw/virtio/vhost.c
>>> @@ -1016,10 +1016,13 @@ int vhost_dev_start(struct vhost_dev *hdev,
>>> VirtIODevice *vdev)
>>>       }
>>>
>>>       if (hdev->log_enabled) {
>>> +        uint64_t log_base;
>>> +
>>>           hdev->log_size = vhost_get_log_size(hdev);
>>>           hdev->log = hdev->log_size ?
>>>               g_malloc0(hdev->log_size * sizeof *hdev->log) : NULL;
>>> -        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE,
>>> hdev->log);
>>> +        log_base = (uint64_t)(unsigned long)log_base;
>>                                                ^^^^^^^^
>>
>> s/log_base/hdev->log ?
>
> Also s/unsigned long/uintptr_t/ please.  The subsequent cast to uint64_t
> is not necessary.

I think this is our remaining for-2.3 bug; would somebody like
to produce and test a patch with all the fixes mentioned in
this thread?

thanks
-- PMM

On Fri, Apr 17, 2015 at 03:40:50PM +0100, Peter Maydell wrote:
> On 16 April 2015 at 22:26, Paolo Bonzini <pbonzini@redhat.com> wrote:
> >
> >
> > On 15/04/2015 11:56, zhanghailiang wrote:
> >> On 2015/4/15 17:37, Michael S. Tsirkin wrote:
> >>> VHOST_SET_LOG_BASE got an incorrect address, causing
> >>> migration errors and potentially even memory corruption.
> >>>
> >>> Cc: Peter Maydell <peter.maydell@linaro.org>
> >>> Reported-by: Wen Congyang <wency@cn.fujitsu.com>
> >>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> >>> ---
> >>>
> >>> Could you please confirm this fixes the problem for you?
> >>>
> >>>   hw/virtio/vhost.c | 5 ++++-
> >>>   1 file changed, 4 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
> >>> index 8dd2f59..02c5604 100644
> >>> --- a/hw/virtio/vhost.c
> >>> +++ b/hw/virtio/vhost.c
> >>> @@ -1016,10 +1016,13 @@ int vhost_dev_start(struct vhost_dev *hdev,
> >>> VirtIODevice *vdev)
> >>>       }
> >>>
> >>>       if (hdev->log_enabled) {
> >>> +        uint64_t log_base;
> >>> +
> >>>           hdev->log_size = vhost_get_log_size(hdev);
> >>>           hdev->log = hdev->log_size ?
> >>>               g_malloc0(hdev->log_size * sizeof *hdev->log) : NULL;
> >>> -        r = hdev->vhost_ops->vhost_call(hdev, VHOST_SET_LOG_BASE,
> >>> hdev->log);
> >>> +        log_base = (uint64_t)(unsigned long)log_base;
> >>                                                ^^^^^^^^
> >>
> >> s/log_base/hdev->log ?
> >
> > Also s/unsigned long/uintptr_t/ please.  The subsequent cast to uint64_t
> > is not necessary.
> 
> I think this is our remaining for-2.3 bug; would somebody like
> to produce and test a patch with all the fixes mentioned in
> this thread?
> 
> thanks
> -- PMM

I just posted it but it's not tested yet.