vhost-device-snd does not report correctly the device conf size

Host environment

  • Operating system: Fedora 37
  • OS/kernel version: Linux fedora 6.5.12-100.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Nov 20 22:28:44 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • Architecture: x86
  • QEMU flavor: qemu-system-x86_64
  • QEMU version: 9.2.50 (v9.2.0-1537-gd922088eb4)
  • QEMU command line:
    ./qemu-system-x86_64 \
         -m 4G \
         -machine q35 -M accel=kvm,memory-backend=mem0 \
         -smp 2 \
         -kernel ./arch/x86/boot/bzImage \
         -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0 nokaslr" \
         -drive file=$../bullseye.img,format=raw \
         -nographic \
         -netdev user,id=net0,hostfwd=tcp::5556-:22,hostfwd=tcp::5557-:9999 \
         -device virtio-net,netdev=net0 \
         -pidfile vm.pid \
         -object memory-backend-file,id=mem0,size=4G,mem-path=/dev/shm,share=on \
         -device vhost-user-snd-pci,chardev=char0 \
         -chardev socket,id=char0,reconnect=0,path=/tmp/vhost-sound.socket

Emulated/Virtualized environment

  • Operating system: Linux
  • OS/kernel version: v6.11.4
  • Architecture: x86

Description of problem

The vhost-user-snd frontend is incorrectly reporting the size of the device configuration space, which should be based on the features exposed by the device. For example, the controls field in the virtio_snd_config structure is optional and should only be included in the configuration size if the VIRTIO_SND_F_CTLS feature has been negotiated.

This issue became apparent after commit ab0c7fb2, where virtio_snd_config was updated to include the controls field. The vhost-user-snd frontend, relying on this structure, started expecting sizeof(virtio_snd_config) when communicating with the backend, regardless of whether the VIRTIO_SND_F_CTLS feature was negotiated. As a result, any backend reporting a smaller configuration size—for example, one that does not support controls—cannot communicate with the frontend. We observed this problem in the vhost-device-sound rust-vmm device, which we partially fixed here.

This behavior is incorrect because the configuration size should depend on the negotiated features.
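As an added illustration (not the QEMU patch or the vhost-device-sound code), the following C sketch shows the feature-dependent size computation the description calls for, and how a frontend that derives the expected length from the negotiated features accepts a 12-byte reply from a backend without controls while one that insists on the full structure rejects it. The struct layout and the VIRTIO_SND_F_CTLS bit follow the Linux virtio_snd uapi header; `virtio_snd_parse_config` and `demo_parse_reply` are hypothetical names, and the 12-byte reply is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Feature bit 0 in the virtio-sound specification / Linux uapi header. */
#define VIRTIO_SND_F_CTLS 0

/* Device configuration space. The trailing `controls` field is only part
 * of the config space when VIRTIO_SND_F_CTLS has been negotiated. */
struct virtio_snd_config {
    uint32_t jacks;
    uint32_t streams;
    uint32_t chmaps;
    uint32_t controls;
};

/* Config size implied by the negotiated feature bits: 12 bytes without
 * controls, 16 bytes with them. */
size_t virtio_snd_config_size(uint64_t negotiated_features)
{
    if (negotiated_features & (1ULL << VIRTIO_SND_F_CTLS)) {
        return sizeof(struct virtio_snd_config);
    }
    return offsetof(struct virtio_snd_config, controls);
}

/* Hypothetical check a frontend can apply to the size a backend reports. */
bool virtio_snd_config_size_ok(uint64_t negotiated_features, size_t reported)
{
    return reported == virtio_snd_config_size(negotiated_features);
}

/* Hypothetical parser for a config reply of `len` bytes. Returns 0 on
 * success and -1 when the reply is shorter than the negotiated layout
 * requires. Fields are little-endian on the wire; the memcpy assumes a
 * little-endian host (x86 in the report above). */
int virtio_snd_parse_config(uint64_t negotiated_features,
                            const uint8_t *buf, size_t len,
                            struct virtio_snd_config *out)
{
    size_t need = virtio_snd_config_size(negotiated_features);
    if (len < need) {
        return -1;
    }
    memset(out, 0, sizeof(*out));   /* controls reads as 0 when absent */
    memcpy(out, buf, need);
    return 0;
}

/* Constructed 12-byte reply from a backend without controls support:
 * jacks=1, streams=2, chmaps=3. */
static const uint8_t reply_no_ctls[12] = {
    1, 0, 0, 0,   2, 0, 0, 0,   3, 0, 0, 0
};

/* Returns the parsed stream count when the frontend sizes the config from
 * the negotiated features, or -1 when it wrongly insists on the 16-byte
 * layout although VIRTIO_SND_F_CTLS was not offered by the backend. */
int demo_parse_reply(bool frontend_assumes_ctls)
{
    struct virtio_snd_config cfg;
    uint64_t features = frontend_assumes_ctls ? (1ULL << VIRTIO_SND_F_CTLS) : 0;
    if (virtio_snd_parse_config(features, reply_no_ctls,
                                sizeof reply_no_ctls, &cfg) != 0) {
        return -1;
    }
    return (int)cfg.streams;
}

int main(void)
{
    printf("feature-aware frontend: streams=%d\n", demo_parse_reply(false));
    printf("sizeof-based frontend:  result=%d\n", demo_parse_reply(true));
    return 0;
}
```

The second call models the failure mode in the report: a frontend that always expects `sizeof(struct virtio_snd_config)` cannot consume the shorter reply from a backend that never negotiated controls, and the device setup fails.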

I am currently working on a patch to fix this.

Steps to reproduce

  1. Run vhost-device-sound:
     cargo run --bin vhost-device-sound -- --socket=/tmp/vhost-sound.socket --backend=pipewire
  2. Run QEMU with the parameters above.
  3. In the guest run:
     root@syzkaller:~# aplay /usr/share/sounds/alsa/Front_Left.wav
     aplay: main:830: audio open error: No such file or directory

Additional information

Edited by Matias Vara Lasen