From nobody Fri Nov 14 16:41:17 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1760680343; cv=none; d=zohomail.com; s=zohoarc; b=QNYiID+pCw+c0TYMWmVS44tf4sKbruHwFhIODtksoRxXRvSCUoW0RXv3sIyWT3hhOkGGgBeaKleoq7+oloEr+ONaILq38asHcWwvieezaafwSlM3Ge5ipywNDGuBSJft5fjz8c/wQXyOp3JN5MjfOWAIZnmUq4Kfh7Tg9mB2zrw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1760680343; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=ZZnYCSMiE2VS634K0Y/wCtbBcSCgp0pmS60LU0PsBuM=; b=g7oP2xNyBM1tvEAN2SDTImaplp2OCvHCJZofpmcJcVXaTXnfksK39EBb0wgsRVcBUTyuRgRQF7XVFGS/cWJckI/FmXKJKVcrsujvvnQ1HMYK4jrdj2wcQSwXkqpB0QXBeWmL7LyuqQTAE/I1ALrOyikfiEUNFi3edMoImD393AA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1760680343047135.10841992735322; Thu, 16 Oct 2025 22:52:23 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1v9dNs-0005UC-Bx; Fri, 17 Oct 2025 01:52:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1v9dNp-0005N1-NI for qemu-devel@nongnu.org; Fri, 17 Oct 2025 01:52:10 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1v9dNj-0004wE-T8 for qemu-devel@nongnu.org; Fri, 17 Oct 2025 01:52:09 -0400 Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-689-wYGejuLNPXWbDTdGai76aA-1; Fri, 17 Oct 2025 01:51:52 -0400 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id B01461954224; Fri, 17 Oct 2025 05:51:51 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.72.116.124]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 402681956056; Fri, 17 Oct 2025 05:51:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1760680316; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=ZZnYCSMiE2VS634K0Y/wCtbBcSCgp0pmS60LU0PsBuM=; b=ir+IWmd8MCJ2NKbeqM0/LRXvnLloq8bMz/YvD38Ywbo89Xhh+dfHlujE+JQkbx3tBZ9Qqv jllLoLhr1M89JR5st6UVZ7ukE+X0qyviWyklJ7+hcGKU3tiUqbUzYB+4jI3g53q0En8YV3 wb8evSezQC59Q+2RdA2Q+U34HbYySwg= X-MC-Unique: wYGejuLNPXWbDTdGai76aA-1 X-Mimecast-MFC-AGG-ID: wYGejuLNPXWbDTdGai76aA_1760680312 From: "Houqi (Nick) Zuo" To: qemu-devel@nongnu.org Cc: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Jason Wang , Cindy Lu , Michael Tsirkin , Lei Yang Subject: [PATCH v5] net/tap-linux.c: avoid abort when setting invalid fd Date: Fri, 17 Oct 2025 13:51:12 +0800 Message-ID: <20251017055112.837032-1-hzuo@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=hzuo@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1760680345563154100 Content-Type: text/plain; charset="utf-8" When QEMU creates a tap device automatically and the tap device is manually removed from the host while the guest is running, the tap device file descriptor becomes invalid. Later, when the guest executes shutdown, the tap_fd_set_vnet_hdr_len() function may be called and abort QEMU with a core dump when attempting to use the invalid fd. This patch removes many abort() calls in this file. If the fd is found to be in a bad state (e.g., EBADFD or ENODEV), the related function will print an error message. Additionally, the return type of the tap_fd_set_vnet_hdr_len function is changed to int. When an error occurs during the ioctl() call, the return value from ioctl() is now passed back to the caller, allowing the caller to handle the error appropriately. The expected behavior for this negative test case is that QEMU should report an error but continue running rather than aborting. Testing: - Start QEMU with automatically created tap device - Manually remove the tap device on the host - Execute shutdown in the guest - Verify QEMU reports an error but does not abort (gdb) bt full #0 __pthread_kill_implementation (threadid=3D, signo=3Dsign= o@entry=3D6, no_tid=3Dno_tid@entry=3D0) at pthread_kill.c:44 tid =3D ret =3D 0 pd =3D old_mask =3D {__val =3D {10}} ret =3D #1 0x00007f1710b6bff3 in __pthread_kill_internal (threadid=3D, signo=3D6) at pthread_kill.c:78 #2 0x00007f1710b15f56 in __GI_raise (sig=3Dsig@entry=3D6) at ../sysdeps/po= six/raise.c:26 ret =3D #3 0x00007f1710afd8fa in __GI_abort () at abort.c:79 save_stage =3D 1 act =3D {__sigaction_handler =3D {sa_handler =3D 0x20, sa_sigaction= =3D 0x20}, sa_mask =3D {__val =3D {16929458408262392576, 18446744073709550= 848, 139737042419943, 139737042419943, 0, 94049703655600, 139737042419943, = 139737042670528, 18446744073709550328, 77, 139705603579344, 184467440737095= 51615, 139737041472378, 139705595179568, 16929458408262392576, 940496797948= 64}}, sa_flags =3D 281695456, sa_restorer =3D 0xa} #4 0x000055899a71de58 in tap_fd_set_vnet_hdr_len (fd=3D, le= n=3D10) at ../net/tap-linux.c:204 #5 tap_set_vnet_hdr_len (nc=3D, len=3D10) at ../net/tap.c:2= 69 s =3D #6 0x000055899a8be67f in qemu_set_vnet_hdr_len (nc=3D0x2956, len=3D10588) = at ../net/net.c:573 #7 virtio_net_set_mrg_rx_bufs (n=3D0x5589a72cfa10, mergeable_rx_bufs=3D, version_1=3D, hash_report=3D) at ../hw/net/virtio-net.c:664 i =3D 0 nc =3D 0x5589a730ab28 #8 virtio_net_set_features (vdev=3D0x5589a72cfa10, features=3D0) at ../hw/= net/virtio-net.c:897 n =3D 0x5589a72cfa10 err =3D 0x0 i =3D 0 #9 0x000055899a8e4eaa in virtio_set_features_nocheck (vdev=3D0x5589a72cfa1= 0, val=3D0) at ../hw/virtio/virtio.c:3079 k =3D bad =3D #10 virtio_reset (opaque=3D0x5589a72cfa10) at ../hw/virtio/virtio.c:3184 vdev =3D 0x5589a72cfa10 k =3D 0x5589a5c162b0 i =3D 0 #11 0x000055899a630d2b in virtio_bus_reset (bus=3D0x5589a72cf990) at ../hw/= virtio/virtio-bus.c:109 vdev =3D #12 virtio_pci_reset (qdev=3D0x5589a72c7470) at ../hw/virtio/virtio-pci.c:2= 311 proxy =3D 0x5589a72c7470 i =3D 0 bus =3D 0x5589a72cf990 #13 0x000055899a686ded in memory_region_write_accessor (mr=3D, addr=3D, value=3D, size=3D,= shift=3D, mask=3D, attrs=3D...) at ../system= /memory.c:490 tmp =3D #14 0x000055899a686cbc in access_with_adjusted_size (addr=3D20, value=3D0x7= f0fbedfde00, size=3D1, access_size_min=3D, access_size_max= =3D, access_fn=3D0x55899a686d30 , mr=3D0x5589a72c8040, attrs=3D...) at ../system/memory.c:566 print_once_ =3D false access_mask =3D 255 access_size =3D 1 i =3D 0 r =3D 0 reentrancy_guard_applied =3D #15 0x000055899a686ac5 in memory_region_dispatch_write (mr=3D, addr=3D20, data=3D, op=3D, attrs=3D...) at= ../system/memory.c:1545 size =3D #16 0x000055899a69f7da in flatview_write_continue_step (attrs=3D..., buf=3D= 0x7f1711da6028 , len= =3D, mr_addr=3D20, l=3D0x7f0fbedfde28, mr=3D0x5589a72c8040) = at ../system/physmem.c:2972 val =3D 6 result =3D 0 release_lock =3D #17 0x000055899a697c15 in flatview_write_continue (fv=3D0x7f0f6c124d90, add= r=3D61675730370580, attrs=3D..., ptr=3D0x7f1711da6028, len=3D1, mr_addr=3D6= , l=3D1, mr=3D0x0) at ../system/physmem.c:3002 result =3D 0 buf =3D 0x7f1711da6028 #18 flatview_write (fv=3D0x7f0f6c124d90, addr=3D61675730370580, attrs=3D...= , buf=3D0x7f1711da6028, len=3D1) at ../system/physmem.c:3033 --Type for more, q to quit, c to continue without paging-- l =3D mr_addr =3D 6 mr =3D 0x0 #19 0x000055899a697a91 in address_space_write (as=3D0x55899bceeba0 , addr=3D61675730370580, attrs=3D..., buf=3D0x7f1711da6028, l= en=3D1) at ../system/physmem.c:3153 _rcu_read_auto =3D 0x1 result =3D 0 fv =3D 0x2956 #20 0x000055899a91159b in address_space_rw (addr=3D10588, attrs=3D..., buf= =3D0x7f1711da6028, len=3D0, as=3D, is_write=3D) at ../system/physmem.c:3163 #21 kvm_cpu_exec (cpu=3D0x5589a5d68b40) at ../accel/kvm/kvm-all.c:3255 attrs =3D {secure =3D 0, space =3D 0, user =3D 0, memory =3D 0, deb= ug =3D 0, requester_id =3D 0, pid =3D 0, address_type =3D 0, unspecified = =3D false, _reserved1 =3D 0 '\000', _reserved2 =3D 0} run =3D 0x7f1711da6000 ret =3D run_ret =3D #22 0x000055899a9189ca in kvm_vcpu_thread_fn (arg=3D0x5589a5d68b40) at ../a= ccel/kvm/kvm-accel-ops.c:51 r =3D cpu =3D #23 0x000055899aba817a in qemu_thread_start (args=3D0x5589a5d72580) at ../u= til/qemu-thread-posix.c:393 __clframe =3D {__cancel_routine =3D , __cancel_arg = =3D 0x0, __do_it =3D 1, __cancel_type =3D } qemu_thread_args =3D 0x5589a5d72580 start_routine =3D 0x55899a918850 arg =3D 0x5589a5d68b40 r =3D 0x0 #24 0x00007f1710b6a128 in start_thread (arg=3D) at pthread_c= reate.c:448 ret =3D pd =3D out =3D unwind_buf =3D {cancel_jmp_buf =3D {{jmp_buf =3D {32, 8894544057743= 421332, -1288, 0, 140726164742416, 140726164742679, -8831356496486092908, -= 8844535456800460908}, mask_was_saved =3D 0}}, priv =3D {pad =3D {0x0, 0x0, = 0x0, 0x0}, data =3D {prev =3D 0x0, cleanup =3D 0x0, canceltype =3D 0}}} not_first_call =3D #25 0x00007f1710bda924 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clo= ne.S:100 Fixes: 0caed25cd171c611781589b5402161d27d57229c ("virtio: Call set_features= during reset") Signed-off-by: Houqi (Nick) Zuo --- net/tap-linux.c | 25 ++++++++++++++++--------- net/tap_int.h | 2 +- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/net/tap-linux.c b/net/tap-linux.c index 2a90b58467..d6b7533cfd 100644 --- a/net/tap-linux.c +++ b/net/tap-linux.c @@ -212,20 +212,25 @@ bool tap_probe_has_tunnel(int fd) return true; } =20 -void tap_fd_set_vnet_hdr_len(int fd, int len) +int tap_fd_set_vnet_hdr_len(int fd, int len) { - if (ioctl(fd, TUNSETVNETHDRSZ, &len) =3D=3D -1) { - fprintf(stderr, "TUNSETVNETHDRSZ ioctl() failed: %s. Exiting.\n", - strerror(errno)); - abort(); + int ret; + + ret =3D ioctl(fd, TUNSETVNETHDRSZ, &len); + if (ret !=3D 0) { + error_report("TUNSETVNETHDRSZ ioctl() failed: %s.", strerror(errno= )); } + + return ret; } =20 int tap_fd_set_vnet_le(int fd, int is_le) { int arg =3D is_le ? 1 : 0; + int ret; =20 - if (!ioctl(fd, TUNSETVNETLE, &arg)) { + ret =3D ioctl(fd, TUNSETVNETLE, &arg); + if (!ret) { return 0; } =20 @@ -235,14 +240,16 @@ int tap_fd_set_vnet_le(int fd, int is_le) } =20 error_report("TUNSETVNETLE ioctl() failed: %s.", strerror(errno)); - abort(); + return ret; } =20 int tap_fd_set_vnet_be(int fd, int is_be) { int arg =3D is_be ? 1 : 0; + int ret; =20 - if (!ioctl(fd, TUNSETVNETBE, &arg)) { + ret =3D ioctl(fd, TUNSETVNETBE, &arg); + if (!ret) { return 0; } =20 @@ -252,7 +259,7 @@ int tap_fd_set_vnet_be(int fd, int is_be) } =20 error_report("TUNSETVNETBE ioctl() failed: %s.", strerror(errno)); - abort(); + return ret; } =20 void tap_fd_set_offload(int fd, const NetOffloads *ol) diff --git a/net/tap_int.h b/net/tap_int.h index b76a05044b..eed41fedc7 100644 --- a/net/tap_int.h +++ b/net/tap_int.h @@ -40,7 +40,7 @@ int tap_probe_has_ufo(int fd); int tap_probe_has_uso(int fd); bool tap_probe_has_tunnel(int fd); void tap_fd_set_offload(int fd, const NetOffloads *ol); -void tap_fd_set_vnet_hdr_len(int fd, int len); +int tap_fd_set_vnet_hdr_len(int fd, int len); int tap_fd_set_vnet_le(int fd, int vnet_is_le); int tap_fd_set_vnet_be(int fd, int vnet_is_be); int tap_fd_enable(int fd); --=20 2.47.3