Peter Maydell <peter.mayd...@linaro.org> wrote on Thu, 9 Jul 2020 at 23:15:
> On Sat, 4 Jul 2020 at 19:31, Michael S. Tsirkin <m...@redhat.com> wrote: > > > > From: Cindy Lu <l...@redhat.com> > > > > Currently we have 2 types of vhost backends in QEMU: vhost kernel and > > vhost-user. The above patch provides a generic device for vDPA purpose, > > this vDPA device exposes to user space a non-vendor-specific > configuration > > interface for setting up a vhost HW accelerator, this patch set > introduces > > a third vhost backend called vhost-vdpa based on the vDPA interface. > > > > Vhost-vdpa usage: > > > > qemu-system-x86_64 -cpu host -enable-kvm \ > > ...... > > -netdev type=vhost-vdpa,vhostdev=/dev/vhost-vdpa-id,id=vhost-vdpa0 \ > > -device virtio-net-pci,netdev=vhost-vdpa0,page-per-vq=on \ > > Hi; Coverity reports some issues with this change: > > > > +static int vhost_vdpa_dma_map(struct vhost_vdpa *v, hwaddr iova, hwaddr > size, > > + void *vaddr, bool readonly) > > +{ > > + struct vhost_msg_v2 msg; > > + int fd = v->device_fd; > > + int ret = 0; > > + > > + msg.type = v->msg_type; > > + msg.iotlb.iova = iova; > > + msg.iotlb.size = size; > > + msg.iotlb.uaddr = (uint64_t)vaddr; > > + msg.iotlb.perm = readonly ? VHOST_ACCESS_RO : VHOST_ACCESS_RW; > > + msg.iotlb.type = VHOST_IOTLB_UPDATE; > > + > > + if (write(fd, &msg, sizeof(msg)) != sizeof(msg)) { > > Here we write the contents of the struct down the pipe, > but we have not initialized all its fields; specifically, > msg.reserved is not initialized and so those bytes will > be random. We'll also transfer random contents from the > stack in the padding, potentially. > > This is CID 1420267. 
> > The easy fix is to zero-initialize the whole struct at the start: > > struct vhost_msg_v2 msg = {}; > > > > + error_report("failed to write, fd=%d, errno=%d (%s)", > > + fd, errno, strerror(errno)); > > + return -EIO ; > > + } > > + > > + return ret; > > +} > > + > > +static int vhost_vdpa_dma_unmap(struct vhost_vdpa *v, hwaddr iova, > > + hwaddr size) > > +{ > > + struct vhost_msg_v2 msg; > > + int fd = v->device_fd; > > + int ret = 0; > > + > > + msg.type = v->msg_type; > > + msg.iotlb.iova = iova; > > + msg.iotlb.size = size; > > + msg.iotlb.type = VHOST_IOTLB_INVALIDATE; > > + > > + if (write(fd, &msg, sizeof(msg)) != sizeof(msg)) { > > + error_report("failed to write, fd=%d, errno=%d (%s)", > > + fd, errno, strerror(errno)); > > + return -EIO ; > > + } > > Same here (CID 1430270) > > > + > > + return ret; > > +} > > + > > thanks > -- PMM > > Thank you Peter, I will fix this soon
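Review bot: In vhost_vdpa_dma_map, `msg.iotlb.uaddr = (uint64_t)vaddr;` casts a pointer straight to uint64_t, which draws a warning on 32-bit hosts where pointer and integer widths differ; `(uint64_t)(uintptr_t)vaddr` is the portable spelling. On the initialisation point raised above, `struct vhost_msg_v2 msg = {};` zeroes every named member including reserved, but since the padding bytes are named as a concern as well, an explicit `memset(&msg, 0, sizeof(msg));` before the assignments guarantees that every byte handed to write() is defined, independent of how the compiler treats padding in a brace initializer.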
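Review bot: In vhost_vdpa_dma_unmap, `ret` is initialised to 0 and never assigned again: the failure path returns -EIO directly and the success path returns ret, so `int ret = 0;` and `return ret;` reduce to `return 0;` (the same applies to vhost_vdpa_dma_map). The CID 1430270 fix is the same as for the map path: zero the whole msg before setting the fields, since only type, iova, size and the iotlb type are written here and reserved plus padding would otherwise go down the fd uninitialised.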
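The following is an added example, not code from the patch or from QEMU. It uses a constructed stand-in struct (`demo_msg`, shaped like the message discussed above with a type word, an untouched reserved word and a payload that ends in two 8-bit fields so the compiler adds tail padding; the field values are made-up constants, not the real VHOST_* values) and a byte-level check that counts how many bytes the caller never set would still reach write() non-zero. Stale stack contents are simulated deterministically by pre-filling the object with 0xAA, so the comparison between the patch as posted and the zero-first fix can be run and asserted on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical layout for illustration only; not the real struct vhost_msg_v2. */
struct demo_iotlb {
    uint64_t iova;
    uint64_t size;
    uint64_t uaddr;
    uint8_t  perm;
    uint8_t  type;
    /* the compiler inserts tail padding here to keep the 8-byte members aligned */
};

struct demo_msg {
    uint32_t type;
    uint32_t reserved;          /* never written by the caller */
    struct demo_iotlb iotlb;
};

/* Mark the bytes of one member in a per-byte "deliberately set" mask. */
#define MARK_SET(mask, member) \
    memset((mask) + offsetof(struct demo_msg, member), 1, \
           sizeof(((struct demo_msg *)0)->member))

/* The assignments the map path makes; everything else in msg is left alone. */
static void fill_named_fields(struct demo_msg *msg, uint64_t iova,
                              uint64_t size, void *vaddr, bool readonly)
{
    msg->type = 2;                              /* constructed stand-in values */
    msg->iotlb.iova = iova;
    msg->iotlb.size = size;
    msg->iotlb.uaddr = (uint64_t)(uintptr_t)vaddr;
    msg->iotlb.perm = readonly ? 1 : 3;
    msg->iotlb.type = 2;
}

/* Count bytes of *msg that the caller never set and that are non-zero:
 * these are exactly the bytes (reserved word, padding) that would leak
 * into the write() if the object was not zeroed first. */
static size_t count_unset_nonzero_bytes(const struct demo_msg *msg)
{
    unsigned char set[sizeof(*msg)];
    const unsigned char *raw = (const unsigned char *)msg;
    size_t i, leaked = 0;

    memset(set, 0, sizeof(set));
    MARK_SET(set, type);
    MARK_SET(set, iotlb.iova);
    MARK_SET(set, iotlb.size);
    MARK_SET(set, iotlb.uaddr);
    MARK_SET(set, iotlb.perm);
    MARK_SET(set, iotlb.type);

    for (i = 0; i < sizeof(*msg); i++) {
        if (!set[i] && raw[i] != 0) {
            leaked++;
        }
    }
    return leaked;
}

/* Bytes the caller never sets: the whole object minus the six assigned members. */
static size_t expected_unset_bytes(void)
{
    return sizeof(struct demo_msg)
         - sizeof(((struct demo_msg *)0)->type)
         - sizeof(((struct demo_msg *)0)->iotlb.iova)
         - sizeof(((struct demo_msg *)0)->iotlb.size)
         - sizeof(((struct demo_msg *)0)->iotlb.uaddr)
         - sizeof(((struct demo_msg *)0)->iotlb.perm)
         - sizeof(((struct demo_msg *)0)->iotlb.type);
}

static char fake_guest_page[16];   /* stands in for the mapped host address */

/* The patch as posted: whatever was on the stack (0xAA here, constructed)
 * survives in reserved and in the padding. */
static size_t leaked_bytes_when_uninitialized(void)
{
    struct demo_msg msg;
    memset(&msg, 0xAA, sizeof(msg));
    fill_named_fields(&msg, 0x1000, 0x2000, fake_guest_page, false);
    return count_unset_nonzero_bytes(&msg);
}

/* The suggested fix: every byte defined before the named fields are set. */
static size_t leaked_bytes_when_zeroed(void)
{
    struct demo_msg msg;
    memset(&msg, 0, sizeof(msg));   /* explicit form of 'msg = {}' that also covers padding */
    fill_named_fields(&msg, 0x1000, 0x2000, fake_guest_page, false);
    return count_unset_nonzero_bytes(&msg);
}

int main(void)
{
    printf("uninitialised: %zu of %zu never-set bytes would go to the fd non-zero\n",
           leaked_bytes_when_uninitialized(), expected_unset_bytes());
    printf("zeroed first:  %zu never-set bytes non-zero\n",
           leaked_bytes_when_zeroed());
    return 0;
}
```

The mask-and-count check is what a reviewer would reach for when a struct is handed to write() or ioctl() whole: it does not depend on the ABI's padding layout, because the never-set byte count is derived from sizeof and offsetof rather than hard-coded.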