From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Wed, 22 May 2024 04:39:56 +0000 (+0800)
Subject: vfio/display: Fix error path in call site of ramfb_setup()
X-Git-Tag: v9.1.0-rc0~101^2~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9442d8af674c80a2f8a7358977e1fc7ed43d2776;p=thirdparty%2Fqemu.git

vfio/display: Fix error path in call site of ramfb_setup()

vfio_display_dmabuf_init() and vfio_display_region_init() calls
ramfb_setup() without checking its return value.

So we may run into a situation that vfio_display_probe() succeed
but errp is set. This is risky and may lead to assert failure in
error_setv().

Cc: Gerd Hoffmann <kraxel@redhat.com>
Fixes: b290659fc3d ("hw/vfio/display: add ramfb support")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---

diff --git a/hw/vfio/display.c b/hw/vfio/display.c
index fe624a6c9b8..d28b724102d 100644
--- a/hw/vfio/display.c
+++ b/hw/vfio/display.c
@@ -361,6 +361,9 @@ static int vfio_display_dmabuf_init(VFIOPCIDevice *vdev, Error **errp)
                                           vdev);
     if (vdev->enable_ramfb) {
         vdev->dpy->ramfb = ramfb_setup(errp);
+        if (!vdev->dpy->ramfb) {
+            return -EINVAL;
+        }
     }
     vfio_display_edid_init(vdev);
     return 0;
@@ -488,6 +491,9 @@ static int vfio_display_region_init(VFIOPCIDevice *vdev, Error **errp)
                                           vdev);
     if (vdev->enable_ramfb) {
         vdev->dpy->ramfb = ramfb_setup(errp);
+        if (!vdev->dpy->ramfb) {
+            return -EINVAL;
+        }
     }
     return 0;
 }