vhost-user-v8 doesn't check whether memory regions fit in msg #1

blitz · 2014-03-02T01:47:18Z

Qemu smashes its stack if it has more than 8 memory regions. It's straightforward to fix. See last two commits in my fork: https://github.com/blitz/qemu/commits/vhost-user-v8

There are currently three types of object_property_add_link() callers: 1. The link property may be set at any time. 2. The link property of a DeviceState instance may only be set before realize. 3. The link property may never be set, it is read-only. Something similar can already be achieved with object_property_add_str()'s set() argument. Follow its example and add a check() argument to object_property_add_link(). Also provide default check() functions for case #1 and #2. Case #3 is covered by passing a NULL function pointer. Cc: Peter Crosthwaite <[email protected]> Cc: Alexander Graf <[email protected]> Cc: Anthony Liguori <[email protected]> Cc: "Michael S. Tsirkin" <[email protected]> Signed-off-by: Stefan Hajnoczi <[email protected]> Reviewed-by: Paolo Bonzini <[email protected]> [AF: Tweaked documentation comment] Signed-off-by: Andreas Färber <[email protected]>

The docs for glfs_init suggest that the function sets errno on every failure. In fact it doesn't. As other functions such as qemu_gluster_open() in the gluster block code report their errors based on this fact we need to make sure that errno is set on each failure. This fixes a crash of qemu-img/qemu when a gluster brick isn't accessible from given host while the server serving the volume description is. Thread 1 (Thread 0x7ffff7fba740 (LWP 203880)): #0 0x00007ffff77673f8 in glfs_lseek () from /usr/lib64/libgfapi.so.0 #1 0x0000555555574a68 in qemu_gluster_getlength () #2 0x0000555555565742 in refresh_total_sectors () #3 0x000055555556914f in bdrv_open_common () #4 0x000055555556e8e8 in bdrv_open () #5 0x000055555556f02f in bdrv_open_image () #6 0x000055555556e5f6 in bdrv_open () #7 0x00005555555c5775 in bdrv_new_open () #8 0x00005555555c5b91 in img_info () #9 0x00007ffff62c9c05 in __libc_start_main () from /lib64/libc.so.6 #10 0x00005555555648ad in _start () Signed-off-by: Stefan Hajnoczi <[email protected]>

If libusb_get_device_list() fails, the uninitialized local variable libusb_device would be passed to libusb_free_device_list(), that will cause a crash, like: (gdb) bt #0 0x00007fbbb4bafc10 in pthread_mutex_lock () from /lib64/libpthread.so.0 #1 0x00007fbbb233e653 in libusb_unref_device (dev=0x6275682d627375) at core.c:902 #2 0x00007fbbb233e739 in libusb_free_device_list (list=0x7fbbb6e8436e, unref_devices=<optimized out>) at core.c:653 #3 0x00007fbbb6cd80a4 in usb_host_auto_check (unused=unused@entry=0x0) at hw/usb/host-libusb.c:1446 #4 0x00007fbbb6cd8525 in usb_host_initfn (udev=0x7fbbbd3c5670) at hw/usb/host-libusb.c:912 #5 0x00007fbbb6cc123b in usb_device_init (dev=0x7fbbbd3c5670) at hw/usb/bus.c:106 ... So initialize libusb_device at the begin time. Signed-off-by: Jincheng Miao <[email protected]> Reviewed-by: Gonglei <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]>

VirtIOBlockReq is freed later by virtio_blk_free_request() in hw/block/virtio-blk.c. Remove this extraneous g_slice_free(). This patch fixes the following segfault: 0x00005555556373af in virtio_blk_rw_complete (opaque=0x5555565ff5e0, ret=0) at hw/block/virtio-blk.c:99 99 bdrv_acct_done(req->dev->bs, &req->acct); (gdb) print req $1 = (VirtIOBlockReq *) 0x5555565ff5e0 (gdb) print req->dev $2 = (VirtIOBlock *) 0x0 (gdb) bt #0 0x00005555556373af in virtio_blk_rw_complete (opaque=0x5555565ff5e0, ret=0) at hw/block/virtio-blk.c:99 #1 0x0000555555840ebe in bdrv_co_em_bh (opaque=0x5555566152d0) at block.c:4675 #2 0x000055555583de77 in aio_bh_poll (ctx=ctx@entry=0x5555563a8150) at async.c:81 #3 0x000055555584b7a7 in aio_poll (ctx=0x5555563a8150, blocking=blocking@entry=true) at aio-posix.c:188 #4 0x00005555556e520e in iothread_run (opaque=0x5555563a7fd8) at iothread.c:41 #5 0x00007ffff42ba124 in start_thread () from /usr/lib/libpthread.so.0 #6 0x00007ffff16d14bd in clone () from /usr/lib/libc.so.6 Reported-by: Max Reitz <[email protected]> Cc: Fam Zheng <[email protected]> Signed-off-by: Stefan Hajnoczi <[email protected]> Tested-by: Christian Borntraeger <[email protected]> Signed-off-by: Kevin Wolf <[email protected]>

Xorg server hangs when using xfig and typing a text with space: #0 qxl_wait_for_io_command (qxl=<value optimized out>) at qxl_io.c:47 #1 0x00007f826a49a299 in qxl_download_box (surface=0x221d030, x1=231, y1=259, x2=<value optimized out>, y2=<value optimized out>) at qxl_surface.c:143 while (!(ram_header->int_pending & QXL_INTERRUPT_IO_CMD)) usleep (1); The QXL driver is calling QXL_IO_UPDATE_AREA with an empty area. This is a guest bug. The call is async and no ack is sent back on guest bug, so the X server will hang. The driver should be improved to avoid this situation and also to abort on QXL_INTERRUPT_ERROR. This will be a different patch series for the driver. However, it is simple enough to keep qemu running on empty areas update, which is what this patch provides. https://bugzilla.redhat.com/show_bug.cgi?id=1151363 Signed-off-by: Gerd Hoffmann <[email protected]>

It seems "name" is not mandatory, and the following command line (based on one generated by current libvirt) will crash qemu at start: qemu-system-x86_64 \ -device virtio-serial-pci \ -device virtserialport,name=foo \ -device virtconsole Program received signal SIGSEGV, Segmentation fault. __strcmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:210 210 movlpd (%rsi), %xmm2 Missing separate debuginfos, use: debuginfo-install python-libs-2.7.5-13.fc20.x86_64 (gdb) bt #0 __strcmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:210 #1 0x000055555566bdc6 in find_port_by_name (name=0x0) at /home/elmarco/src/qemu/hw/char/virtio-serial-bus.c:67 Signed-off-by: Marc-André Lureau <[email protected]> Reviewed-by: Amos Kong <[email protected]> Signed-off-by: Amit Shah <[email protected]>

If the pci bridge enters in error flow as part of init process it will only delete the shpc mmio subregion but not remove it from the properties list, resulting in segmentation fault when the bridge runs the exit function. Example: add a pci bridge without specifing the chassis number: <qemu-bin> ... -device pci-bridge,id=p1 Result: (qemu) qemu-system-x86_64: -device pci-bridge,id=p1: Bridge chassis not specified. Each bridge is required to be assigned a unique chassis id > 0. qemu-system-x86_64: -device pci-bridge,id=p1: Device initialization failed. Segmentation fault (core dumped) if (child->class->unparent) { #0 0x00005555558d629b in object_finalize_child_property (obj=0x555556d2e830, name=0x555556d30630 "shpc-mmio[0]", opaque=0x555556a42fc8) at qom/object.c:1078 #1 0x00005555558d4b1f in object_property_del_all (obj=0x555556d2e830) at qom/object.c:367 #2 0x00005555558d4ca1 in object_finalize (data=0x555556d2e830) at qom/object.c:412 #3 0x00005555558d55a1 in object_unref (obj=0x555556d2e830) at qom/object.c:720 #4 0x000055555572c907 in qdev_device_add (opts=0x5555563544f0) at qdev-monitor.c:566 #5 0x0000555555744f16 in device_init_func (opts=0x5555563544f0, opaque=0x0) at vl.c:2213 #6 0x00005555559cf5f0 in qemu_opts_foreach (list=0x555555e0f8e0 <qemu_device_opts>, func=0x555555744efa <device_init_func>, opaque=0x0, abort_on_failure=1) at util/qemu-option.c:1057 #7 0x000055555574a11b in main (argc=16, argv=0x7fffffffdde8, envp=0x7fffffffde70) at vl.c:423 Unparent the shpc mmio region as part of shpc cleanup. Signed-off-by: Marcel Apfelbaum <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> Reviewed-by: Amos Kong <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

vhost-user-v8 doesn't check whether memory regions fit in msg #1

vhost-user-v8 doesn't check whether memory regions fit in msg #1

blitz commented Mar 2, 2014

vhost-user-v8 doesn't check whether memory regions fit in msg #1

vhost-user-v8 doesn't check whether memory regions fit in msg #1

Comments

blitz commented Mar 2, 2014