fix undefined behavior in get_vring_base()

By using ioctl_with_ref() instead of ioctl_with_mut_ref(), we attempted
to mutate through an immutable reference, so rustc was well within its
rights to assume that `vring_state` does not change across the ioctl
call, and hence optimize the return value of the function to simply be
the value that `vring_state.num` was initialized to (which is 0).

Signed-off-by: Patrick Roy <[email protected]>

Author: roypat

vhost/src/vhost_kern/mod.rs

@@ -235,12 +235,12 @@ impl<T: VhostKernBackend> VhostBackend for T {
 
     /// Get a bitmask of supported virtio/vhost features.
     fn get_vring_base(&self, queue_index: usize) -> Result<u32> {
-        let vring_state = vhost_vring_state {
+        let mut vring_state = vhost_vring_state {
             index: queue_index as u32,
             num: 0,
         };
         // SAFETY: This ioctl is called on a valid vhost fd and has its return value checked.
-        let ret = unsafe { ioctl_with_ref(self, VHOST_GET_VRING_BASE(), &vring_state) };
+        let ret = unsafe { ioctl_with_mut_ref(self, VHOST_GET_VRING_BASE(), &mut vring_state) };
         ioctl_result(ret, vring_state.num)
     }