From: Peter Maydell Date: Mon, 21 Jul 2025 09:07:53 +0000 (+0100) Subject: hw/misc/ivshmem-pci: Improve error handling X-Git-Tag: v10.1.0-rc0~5^2~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ccd35f25cdf2e03f44585a11b7daf93d1d46a3a;p=thirdparty%2Fqemu.git hw/misc/ivshmem-pci: Improve error handling Coverity points out that the ivshmem-pci code has some error handling cases where it incorrectly tries to use an invalid filedescriptor. These generally happen because ivshmem_recv_msg() calls qemu_chr_fe_get_msgfd(), which might return -1, but the code in process_msg() generally assumes that the file descriptor was provided when it was supposed to be. In particular: * the error case in process_msg() only needs to close the fd if one was provided * process_msg_shmem() should fail if no fd was provided Coverity: CID 1508726 Signed-off-by: Peter Maydell Reviewed-by: Markus Armbruster Message-id: 20250711145012.1521936-1-peter.maydell@linaro.org --- diff --git a/hw/misc/ivshmem-pci.c b/hw/misc/ivshmem-pci.c index 5a10bca633..d47ae739d6 100644 --- a/hw/misc/ivshmem-pci.c +++ b/hw/misc/ivshmem-pci.c @@ -479,6 +479,11 @@ static void process_msg_shmem(IVShmemState *s, int fd, Error **errp) struct stat buf; size_t size; + if (fd < 0) { + error_setg(errp, "server didn't provide fd with shared memory message"); + return; + } + if (s->ivshmem_bar2) { error_setg(errp, "server sent unexpected shared memory message"); close(fd); @@ -553,7 +558,9 @@ static void process_msg(IVShmemState *s, int64_t msg, int fd, Error **errp) if (msg < -1 || msg > IVSHMEM_MAX_PEERS) { error_setg(errp, "server sent invalid message %" PRId64, msg); - close(fd); + if (fd >= 0) { + close(fd); + } return; }
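Review bot: In the first hunk, the new fd < 0 check in process_msg_shmem() sits ahead of the s->ivshmem_bar2 check, so a repeated shared memory message that arrives without a descriptor is reported as "server didn't provide fd with shared memory message" rather than "server sent unexpected shared memory message". Either order is safe, because the early return correctly skips close(fd) and the close(fd) in the ivshmem_bar2 branch is now only reached with fd >= 0. A one-line comment above the check, saying that fd is -1 when the message carried no descriptor (the commit message traces this to qemu_chr_fe_get_msgfd()), would make it obvious why this branch must not close while the next one does.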
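Review bot: In the second hunk, the fd >= 0 guard around close(fd) in the invalid-message branch of process_msg() has no comment saying that fd can legitimately be -1 here. A reader who has not seen the commit message may take the guard for dead code. A short comment such as "fd is -1 if the server sent no descriptor" would document the contract at the point where it matters. The visible hunks cover only this branch and process_msg_shmem(), so it is worth confirming in review that any other path reached from process_msg() that receives fd also checks for -1 before using or closing it.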