From: Gonglei <arei.gonglei@huawei.com>
To: "Marc-André Lureau" <marcandre.lureau@gmail.com>, qemu-devel@nongnu.org
Cc: weidong.huang@huawei.com, Gerd Hoffmann <kraxel@redhat.com>,
	berrange@redhat.com
Subject: Re: [Qemu-devel] [PATCH for-2.7] vnc: fix qemu crash because of SIGSEGV
Date: Fri, 2 Sep 2016 19:04:40 +0800	[thread overview]
Message-ID: <57C95CC8.9080801@huawei.com> (raw)
In-Reply-To: <CAJ+F1CLnGTgaZwa1U2Ds2w4yY084+ymq631V26mampjwNqu3UA@mail.gmail.com>



On 2016/9/2 16:38, Marc-André Lureau wrote:
> Hi
> 
> On Fri, Sep 2, 2016 at 8:00 AM Gonglei <arei.gonglei@huawei.com> wrote:
> 
>     The backtrace is:
> 
>     0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
>     0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
>     vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
>     0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
>     dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
>     0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
>     dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
>     0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
>     cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
>     cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
>     cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
>     0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
>     0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4,
>     access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>,
>     mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
>     0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362,
>     size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
>     0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377",
>     attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
>     address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
>     0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=...,
>     buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
>     0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
>     0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
>     0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
>     0x00007f0b70d3d66d in clone () from /lib64/libc.so.6
> 
>     The code path while meeting segfault:
>      vnc_dpy_copy
>        vnc_update_client
>          vnc_disconnect_finish [while vnc_disconnect_start() is invoked because something is wrong]
>            vnc_update_server_surface
>              vd->server = NULL;
>        vnc_server_fb_stride
>          pixman_image_get_stride(vd->server)
> 
>     Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid segmentation fault.
> 
> 
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
Thanks.

> (It would be great if you had a reproducer)
> 

1. Use the VNC Viewer client tool.
2. Use SUSE 11.3 as the guest VM, with a graphic console.
3. Connect via VNC as soon as possible after starting the VM.

I get the information below before qemu crashes.

[New Thread 0x7ffee93ff700 (LWP 18570)]
[Switching to Thread 0x7fffea305700 (LWP 17105)]

Breakpoint 1, vnc_client_io_error (vs=0x5555581025a0, ret=-2, errp=0x7fffea3045b0) at ui/vnc.c:1262
1262            vnc_disconnect_start(vs);
(gdb) bt
#0  vnc_client_io_error (vs=0x5555581025a0, ret=-2, errp=0x7fffea3045b0) at ui/vnc.c:1262
#1  0x00005555559fce2b in vnc_client_write_buf (vs=0x5555581025a0, data=<optimized out>, datalen=<optimized out>) at ui/vnc.c:1302
#2  0x00005555559fcee6 in vnc_client_write_plain (vs=<optimized out>) at ui/vnc.c:1333
#3  vnc_client_write_locked (vs=0x5555581025a0) at ui/vnc.c:1366
#4  0x00005555559fd901 in vnc_flush (vs=0x5555581025a0) at ui/vnc.c:1557
#5  0x00005555559fe6ea in vnc_copy (h=210, w=472, dst_y=261, dst_x=222, src_y=279, src_x=276, vs=0x5555581025a0) at ui/vnc.c:886
#6  vnc_dpy_copy (dcl=0x5555570b0c50, src_x=276, src_y=279, dst_x=222, dst_y=261, w=472, h=210) at ui/vnc.c:965
#7  0x00005555559efc35 in dpy_gfx_copy (con=0x5555570a6030, src_x=src_x@entry=276, src_y=src_y@entry=279, dst_x=dst_x@entry=222,
    dst_y=dst_y@entry=261, w=472, h=210) at ui/console.c:1575
#8  0x00005555559f0a4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=276, src_y=src_y@entry=279, dst_x=dst_x@entry=222,
    dst_y=dst_y@entry=261, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
#9  0x00005555558f3980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x555557f94090)
    at hw/display/cirrus_vga.c:774
#10 cirrus_bitblt_videotovideo_copy (s=0x555557f94090) at hw/display/cirrus_vga.c:793
#11 cirrus_bitblt_videotovideo (s=0x555557f94090) at hw/display/cirrus_vga.c:915
#12 cirrus_bitblt_start (s=0x555557f94090) at hw/display/cirrus_vga.c:1056
#13 0x0000555555798cfb in memory_region_write_accessor (mr=0x555557fa4e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,
    mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
#14 0x0000555555796f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7fffea3048d8, size=size@entry=4,
    access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x555555798c80 <memory_region_write_accessor>,
    mr=mr@entry=0x555557fa4e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
#15 0x000055555579b315 in memory_region_dispatch_write (mr=mr@entry=0x555557fa4e40, addr=addr@entry=320, data=18446744073709551362,
    size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
#16 0x00005555557586a9 in address_space_write_continue (mr=0x555557fa4e40, l=4, addr1=320, len=4, buf=0x7ffff7fef028 "\002\377\377\377",
    attrs=..., addr=4273930560, as=0x5555560b0280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
#17 address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>)
    at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
#18 0x0000555555758c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=...,
    buf=buf@entry=0x7ffff7fef028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>)
    at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
#19 0x0000555555795f53 in kvm_cpu_exec (cpu=cpu@entry=0x555556eda340) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
#20 0x0000555555783cc6 in qemu_kvm_cpu_thread_fn (arg=0x555556eda340) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
#21 0x00007ffff4d91dc5 in start_thread (arg=0x7fffea305700) at pthread_create.c:308
#22 0x00007ffff161b66d in clone () from /lib64/libc.so.6
(gdb)

ssize_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
{
    Error *err = NULL;
    ssize_t ret;
    /* write to the client's channel; ret is the byte count or a negative error */
    ret = qio_channel_write(
        vs->ioc, (const char *)data, datalen, &err);
    VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
    /* a negative ret (here -2) reaches vnc_client_io_error(), where the
     * breakpoint above shows vnc_disconnect_start() being called */
    return vnc_client_io_error(vs, ret, &err);
}

Please note that qio_channel_write() returns -2.

> It looks like this is not a regression from 2.7, perhaps it should be post-poned?
> 
Yes, it's not a regression from 2.7, but it is indeed a serious bug and the fix is harmless. :)

Regards,
-Gonglei

>     Cc: Gerd Hoffmann <kraxel@redhat.com>
>     Cc: Daniel P. Berrange <berrange@redhat.com>
>     Reported-by: Yanying Zhuang <ann.zhuangyanying@huawei.com>
>     Signed-off-by: Gonglei <arei.gonglei@huawei.com>
>     ---
>      ui/vnc.c | 4 ++++
>      1 file changed, 4 insertions(+)
> 
>     diff --git a/ui/vnc.c b/ui/vnc.c
>     index d1087c9..76a3273 100644
>     --- a/ui/vnc.c
>     +++ b/ui/vnc.c
>     @@ -911,6 +911,10 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
>              }
>          }
> 
>     +    if (!vd->server) {
>     +        /* no client connected */
>     +        return;
>     +    }
>          /* do bitblit op on the local surface too */
>          pitch = vnc_server_fb_stride(vd);
>          src_row = vnc_server_fb_ptr(vd, src_x, src_y);
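
Review bot: the check lands in the right place (after the per-client update loop and before the first use of vd->server), but the comment "/* no client connected */" understates the case the backtrace describes: vd->server is NULL here because vnc_update_client() ran vnc_disconnect_finish() -> vnc_update_server_surface() for the last client inside the loop just above, so a comment such as "/* server surface was released when the last client disconnected above */" would record why the check is needed at this point. The check also only covers the symptom; the reproducer shows vnc_client_io_error() starting the disconnect on a qio_channel_write() return of -2, and that trigger deserves its own look.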
>     --
>     1.7.12.4
> 
> 
> 
> -- 
> Marc-André Lureau
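
A constructed model of the sequence described in this thread (added here as an illustration; it is not QEMU code and the SimDisplay type and sim_* functions are invented): the per-client update loop drops the last client, the shared server surface is released, and the unpatched copy then dereferences NULL, while the patched variant returns early.

```c
#include <stdlib.h>
/* Constructed model, not QEMU code: a display with up to 4 clients. */
typedef struct SimDisplay {
    int write_ret[4];   /* per-client simulated qio_channel_write() result */
    int nclients;
    int *server;        /* shared server surface; NULL once released */
} SimDisplay;

/* Stand-in for vnc_disconnect_finish()/vnc_update_server_surface(): when the
 * last client goes away the server surface is freed and vd->server = NULL. */
static void sim_disconnect_finish(SimDisplay *vd)
{
    if (--vd->nclients == 0) {
        free(vd->server);
        vd->server = NULL;
    }
}

/* Stand-in for the per-client loop at the top of vnc_dpy_copy(): a write
 * result <= 0 (the thread shows -2) disconnects the client immediately. */
static void sim_update_clients(SimDisplay *vd)
{
    for (int i = 0, n = vd->nclients; i < n; i++) {
        if (vd->write_ret[i] <= 0) {
            sim_disconnect_finish(vd);
        }
    }
}

/* Returns the stride for the local bitblt, or -1 when the copy is skipped.
 * patched == 0 dereferences NULL once the last client dropped in the loop. */
int sim_dpy_copy(SimDisplay *vd, int patched)
{
    sim_update_clients(vd);
    if (patched && !vd->server) {
        return -1;      /* server surface already released, nothing to blit */
    }
    return *vd->server; /* stand-in for vnc_server_fb_stride(vd) */
}

/* Constructed fixture: one client plus a surface whose only content is its stride. */
SimDisplay *sim_make_display(int write_ret, int stride)
{
    SimDisplay *vd = calloc(1, sizeof(*vd));
    vd->write_ret[0] = write_ret;
    vd->nclients = 1;
    vd->server = malloc(sizeof(int));
    *vd->server = stride;
    return vd;
}
```

With two clients of which only one fails, the surface survives and the copy proceeds in both variants; only the last-client disconnect inside the loop reaches the NULL dereference.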
