From patchwork Mon Nov 18 18:46:40 2019
X-Patchwork-Submitter: Alex Williamson
X-Patchwork-Id: 1196903
Subject: [PULL 1/3] hw/vfio/pci: Fix double free of migration_blocker
From: Alex Williamson
To: qemu-devel@nongnu.org
Date: Mon, 18 Nov 2019 11:46:40 -0700
Message-ID: <157410279325.24655.3627393451907566053.stgit@gimli.home>
In-Reply-To: <157410270703.24655.9333886493163056872.stgit@gimli.home>
References: <157410270703.24655.9333886493163056872.stgit@gimli.home>
User-Agent: StGit/0.19-dirty
From: Michal Privoznik

When a user tries to hotplug a VFIO device, but the operation fails somewhere in the middle (in my testing it failed because of RLIMIT_MEMLOCK forbidding more memory allocation), then a double free occurs. In vfio_realize() the vdev->migration_blocker is allocated, then something goes wrong which causes control to jump to the 'error' label where the error is freed. But the pointer is left pointing to invalid memory. Later, when vfio_instance_finalize() is called, the memory is freed again.

In my testing the second hunk was sufficient to fix the bug, but I figured the first hunk doesn't hurt either.

==169952== Invalid read of size 8
==169952==    at 0xA47DCD: error_free (error.c:266)
==169952==    by 0x4E0A18: vfio_instance_finalize (pci.c:3040)
==169952==    by 0x8DF74C: object_deinit (object.c:606)
==169952==    by 0x8DF7BE: object_finalize (object.c:620)
==169952==    by 0x8E0757: object_unref (object.c:1074)
==169952==    by 0x45079C: memory_region_unref (memory.c:1779)
==169952==    by 0x45376B: do_address_space_destroy (memory.c:2793)
==169952==    by 0xA5C600: call_rcu_thread (rcu.c:283)
==169952==    by 0xA427CB: qemu_thread_start (qemu-thread-posix.c:519)
==169952==    by 0x80A8457: start_thread (in /lib64/libpthread-2.29.so)
==169952==    by 0x81C96EE: clone (in /lib64/libc-2.29.so)
==169952==  Address 0x143137e0 is 0 bytes inside a block of size 48 free'd
==169952==    at 0x4A342BB: free (vg_replace_malloc.c:530)
==169952==    by 0xA47E05: error_free (error.c:270)
==169952==    by 0x4E0945: vfio_realize (pci.c:3025)
==169952==    by 0x76A4FF: pci_qdev_realize (pci.c:2099)
==169952==    by 0x689B9A: device_set_realized (qdev.c:876)
==169952==    by 0x8E2C80: property_set_bool (object.c:2080)
==169952==    by 0x8E0EF6: object_property_set (object.c:1272)
==169952==    by 0x8E3FC8: object_property_set_qobject (qom-qobject.c:26)
==169952==    by 0x8E11DB: object_property_set_bool (object.c:1338)
==169952==    by 0x5E7BDD: qdev_device_add (qdev-monitor.c:673)
==169952==    by 0x5E81E5: qmp_device_add (qdev-monitor.c:798)
==169952==    by 0x9E18A8: do_qmp_dispatch (qmp-dispatch.c:132)
==169952==  Block was alloc'd at
==169952==    at 0x4A35476: calloc (vg_replace_malloc.c:752)
==169952==    by 0x51B1158: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6000.6)
==169952==    by 0xA47357: error_setv (error.c:61)
==169952==    by 0xA475D9: error_setg_internal (error.c:97)
==169952==    by 0x4DF8C2: vfio_realize (pci.c:2737)
==169952==    by 0x76A4FF: pci_qdev_realize (pci.c:2099)
==169952==    by 0x689B9A: device_set_realized (qdev.c:876)
==169952==    by 0x8E2C80: property_set_bool (object.c:2080)
==169952==    by 0x8E0EF6: object_property_set (object.c:1272)
==169952==    by 0x8E3FC8: object_property_set_qobject (qom-qobject.c:26)
==169952==    by 0x8E11DB: object_property_set_bool (object.c:1338)
==169952==    by 0x5E7BDD: qdev_device_add (qdev-monitor.c:673)

Fixes: f045a0104c8c ("vfio: unplug failover primary device before migration")
Signed-off-by: Michal Privoznik
Reviewed-by: Cornelia Huck
Signed-off-by: Alex Williamson
---
 hw/vfio/pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index e6569a796850..9c165995df32 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2740,6 +2740,7 @@ static void vfio_realize(PCIDevice *pdev, Error **errp) if (err) { error_propagate(errp, err); error_free(vdev->migration_blocker); + vdev->migration_blocker = NULL; return; } }
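Review bot: in the migrate_add_blocker() failure path of the -2740 hunk, clearing vdev->migration_blocker right after error_free() is the right fix, since this path returns directly rather than through the `error:` label and vfio_instance_finalize() would otherwise free the same block again, exactly as the valgrind trace shows. The condition guarding the block is still `if (err)` while the `ret` value assigned from migrate_add_blocker() is ignored; testing `ret` instead would tie the failure check to the function's return contract and also silence the "set but never used" report mentioned in patch 2/3, so it may be worth folding that change into this hunk.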
@@ -3023,6 +3024,7 @@ error: if (vdev->migration_blocker) { migrate_del_blocker(vdev->migration_blocker); error_free(vdev->migration_blocker); + vdev->migration_blocker = NULL; } }

From patchwork Mon Nov 18 18:46:53 2019
X-Patchwork-Submitter: Alex Williamson
X-Patchwork-Id: 1196905
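Review bot: for the `error:` label hunk of patch 1/3 (hw/vfio/pci.c around line 3024), resetting vdev->migration_blocker to NULL after error_free() only stops the double free if the second free site, vfio_instance_finalize() at pci.c:3040 in the trace, is guarded by the same `if (vdev->migration_blocker)` test that this block uses; that guard is outside the hunk's context, so please confirm it is present. Since the del-blocker, free and reset sequence now has to be kept consistent at more than one site, a small helper shared with the finalize path would keep the reset from being dropped again later.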
Subject: [PULL 2/3] vfio: don't ignore return value of migrate_add_blocker
From: Alex Williamson
To: qemu-devel@nongnu.org
Date: Mon, 18 Nov 2019 11:46:53 -0700
Message-ID: <157410280915.24655.2269183247539766479.stgit@gimli.home>
In-Reply-To: <157410270703.24655.9333886493163056872.stgit@gimli.home>
References: <157410270703.24655.9333886493163056872.stgit@gimli.home>
User-Agent: StGit/0.19-dirty

From: Jens Freimann

When an error occurs in migrate_add_blocker() it sets a negative return value and uses the error pointer we pass in. Instead of just looking at the error pointer, check for a negative return value and avoid a Coverity error because the return value is set but never used.

This fixes CID 1407219.

Reported-by: Coverity (CID 1407219)
Fixes: f045a0104c8c ("vfio: unplug failover primary device before migration")
Signed-off-by: Jens Freimann
Reviewed-by: Stefano Garzarella
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Alex Williamson
---
 hw/vfio/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index 9c165995df32..0c55883bba77 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2737,7 +2737,7 @@ static void vfio_realize(PCIDevice *pdev, Error **errp) error_setg(&vdev->migration_blocker, "VFIO device doesn't support migration"); ret = migrate_add_blocker(vdev->migration_blocker, &err); - if (err) { + if (ret) { error_propagate(errp, err); error_free(vdev->migration_blocker); vdev->migration_blocker = NULL;

From patchwork Mon Nov 18 18:47:05 2019
X-Patchwork-Submitter: Alex Williamson
X-Patchwork-Id: 1196904
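Review bot: switching the test from `err` to `ret` in the -2737 hunk of patch 2/3 makes the failure path rely on migrate_add_blocker() setting `err` whenever it returns nonzero, which the commit message states it does; if that contract ever changed, error_propagate(errp, err) with a NULL `err` would leave the caller without an error while vfio_realize() still returns early, so a short comment on the call recording that `ret` and `err` are set together would document why `err` remains safe to propagate. With that noted, checking `ret` is the correct resolution for CID 1407219, and the now-visible `vdev->migration_blocker = NULL;` context line confirms this hunk applies cleanly on top of patch 1/3.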
Subject: [PULL 3/3] vfio: vfio-pci requires EDID
From: Alex Williamson
To: qemu-devel@nongnu.org
Date: Mon, 18 Nov 2019 11:47:05 -0700
Message-ID: <157410282158.24655.5169563707493153404.stgit@gimli.home>
In-Reply-To: <157410270703.24655.9333886493163056872.stgit@gimli.home>
References: <157410270703.24655.9333886493163056872.stgit@gimli.home>
User-Agent: StGit/0.19-dirty

From: Paolo Bonzini

hw/vfio/display.c needs the EDID subsystem, select it.

Cc: Alex Williamson
Signed-off-by: Paolo Bonzini
Signed-off-by: Alex Williamson
---
 hw/vfio/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/vfio/Kconfig b/hw/vfio/Kconfig
index 34da2a3cfdd9..f0eaa75ce712 100644
--- a/hw/vfio/Kconfig
+++ b/hw/vfio/Kconfig
@@ -6,6 +6,7 @@ config VFIO_PCI bool default y select VFIO + select EDID depends on LINUX && PCI config VFIO_CCW
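Review bot: `select EDID` under config VFIO_PCI is the right place given that hw/vfio/display.c is part of vfio-pci, but `select` forces the symbol on rather than checking it the way `depends on` does, so it is worth confirming that EDID has no `depends on` of its own that is not already implied by VFIO_PCI's `depends on LINUX && PCI`; otherwise a target that selects VFIO_PCI could pull in EDID in a configuration that does not satisfy it. A one-line commit message note on why the dependency was previously missed (the commit only says display.c needs EDID) would help anyone bisecting a link failure for the EDID symbols.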