From: David Gibson <david@gibson.dropbear.id.au>
To: Greg Kurz <groug@kaod.org>
Cc: qemu-ppc@nongnu.org, qemu-devel@nongnu.org,
	Bharata B Rao <bharata@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH] spapr: fix core unplug crash
Date: Mon, 11 Jul 2016 11:40:25 +1000	[thread overview]
Message-ID: <20160711014025.GD16355@voom.fritz.box> (raw)
In-Reply-To: <146798352770.17402.11063109294574588761.stgit@bahia.lan>

On Fri, Jul 08, 2016 at 03:12:07PM +0200, Greg Kurz wrote:
> If the host has 8 threads/core and the guest is started with:
> 
> -smp cores=1,threads=4,maxcpus=12
> 
> It is possible to crash QEMU by doing:
> 
> (qemu) device_add host-spapr-cpu-core,core-id=16,id=foo
> (qemu) device_del foo
> Segmentation fault
> 
> This is caused because spapr_core_unplug() assumes cpu_dt_id == core_id.
> Even if it happens to be the case when the host and guest have the same
> number of threads per core, it is conceptually wrong and we may pass a
> bogus id to spapr_dr_connector_by_id() and spapr_core_release() crashes.
> 
> Let's use cc->core_id, which is the id that was used to create the DR
> connector.
> 
> Signed-off-by: Greg Kurz <groug@kaod.org>

Thanks, applied to ppc-for-2.7.

> ---
>  hw/ppc/spapr_cpu_core.c |    6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
> index 70b6b0b5ee17..106eaf45b399 100644
> --- a/hw/ppc/spapr_cpu_core.c
> +++ b/hw/ppc/spapr_cpu_core.c
> @@ -126,11 +126,9 @@ static void spapr_core_release(DeviceState *dev, void *opaque)
>  void spapr_core_unplug(HotplugHandler *hotplug_dev, DeviceState *dev,
>                         Error **errp)
>  {
> -    sPAPRCPUCore *core = SPAPR_CPU_CORE(OBJECT(dev));
> -    PowerPCCPU *cpu = POWERPC_CPU(core->threads);
> -    int id = ppc_get_vcpu_dt_id(cpu);
> +    CPUCore *cc = CPU_CORE(dev);
>      sPAPRDRConnector *drc =
> -        spapr_dr_connector_by_id(SPAPR_DR_CONNECTOR_TYPE_CPU, id);
> +        spapr_dr_connector_by_id(SPAPR_DR_CONNECTOR_TYPE_CPU, cc->core_id);
>      sPAPRDRConnectorClass *drck;
>      Error *local_err = NULL;
>  
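Review bot: the new lookup `spapr_dr_connector_by_id(SPAPR_DR_CONNECTOR_TYPE_CPU, cc->core_id)` still leaves `drc` unchecked in this function, and the commit message attributes the original segfault to a bogus id reaching exactly this call; consider a `g_assert(drc)` (or an `error_setg(errp, ...)` early return) right after the assignment so a future id mismatch fails with a clear message instead of a NULL dereference in `spapr_core_release()`. Keying the lookup on `cc->core_id`, the same value the connector was created with, is the right fix, and dropping the `core`/`cpu` locals also removes the only use of `ppc_get_vcpu_dt_id()` in this hunk.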
> 

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
