From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56999)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <arei.gonglei@huawei.com>) id 1bfmHN-0007w3-4d
	for qemu-devel@nongnu.org; Fri, 02 Sep 2016 07:05:02 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <arei.gonglei@huawei.com>) id 1bfmHH-0001by-Vr
	for qemu-devel@nongnu.org; Fri, 02 Sep 2016 07:05:00 -0400
Received: from szxga02-in.huawei.com ([119.145.14.65]:51572)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <arei.gonglei@huawei.com>) id 1bfmHH-0001bH-0I
	for qemu-devel@nongnu.org; Fri, 02 Sep 2016 07:04:55 -0400
Message-ID: <57C95CC8.9080801@huawei.com>
Date: Fri, 2 Sep 2016 19:04:40 +0800
From: Gonglei <arei.gonglei@huawei.com>
MIME-Version: 1.0
References: <1472788698-120964-1-git-send-email-arei.gonglei@huawei.com>
	<CAJ+F1CLnGTgaZwa1U2Ds2w4yY084+ymq631V26mampjwNqu3UA@mail.gmail.com>
In-Reply-To: <CAJ+F1CLnGTgaZwa1U2Ds2w4yY084+ymq631V26mampjwNqu3UA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Subject: Re: [Qemu-devel] [PATCH for-2.7] vnc: fix qemu crash because of
 SIGSEGV
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: =?UTF-8?B?TWFyYy1BbmRyw6kgTHVyZWF1?= <marcandre.lureau@gmail.com>, qemu-devel@nongnu.org
Cc: weidong.huang@huawei.com, Gerd Hoffmann <kraxel@redhat.com>, berrange@redhat.com



On 2016/9/2 16:38, Marc-André Lureau wrote:
> Hi
> 
> On Fri, Sep 2, 2016 at 8:00 AM Gonglei <arei.gonglei@huawei.com <mailto:arei.gonglei@huawei.com>> wrote:
> 
>     The backtrace is:
> 
>     0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
>     0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
>     vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
>     0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
>     dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
>     0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
>     dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
>     0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
>     cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
>     cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
>     cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
>     0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
>     0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4,
>     access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>,
>     mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
>     0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362,
>     size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
>     0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377",
>     attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
>     address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
>     0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=...,
>     buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
>     0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
>     0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
>     0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
>     0x00007f0b70d3d66d in clone () from /lib64/libc.so.6
> 
>     The code path while meeting segfault:
>      vnc_dpy_copy
>        vnc_update_client
>          vnc_disconnect_finish [while vnc_disconnect_start() is invoked because somethins wrong]
>            vnc_update_server_surface
>              vd->server = NULL;
>        vnc_server_fb_stride
>          pixman_image_get_stride(vd->server)
> 
>     Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid segmentation fault.
> 
> 
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
Thanks.

> (It would be great if you had a reproducer)
> 

1.using VNC Viewer client tool.
2.using SUSE 11.3 as guest VM with graphic console.
3.connecting vnc as soon as possible after starting the VM.

I get the below information before qemu crash.

[New Thread 0x7ffee93ff700 (LWP 18570)]
[Switching to Thread 0x7fffea305700 (LWP 17105)]

Breakpoint 1, vnc_client_io_error (vs=0x5555581025a0, ret=-2, errp=0x7fffea3045b0) at ui/vnc.c:1262
1262            vnc_disconnect_start(vs);
(gdb) bt
#0  vnc_client_io_error (vs=0x5555581025a0, ret=-2, errp=0x7fffea3045b0) at ui/vnc.c:1262
#1  0x00005555559fce2b in vnc_client_write_buf (vs=0x5555581025a0, data=<optimized out>, datalen=<optimized out>) at ui/vnc.c:1302
#2  0x00005555559fcee6 in vnc_client_write_plain (vs=<optimized out>) at ui/vnc.c:1333
#3  vnc_client_write_locked (vs=0x5555581025a0) at ui/vnc.c:1366
#4  0x00005555559fd901 in vnc_flush (vs=0x5555581025a0) at ui/vnc.c:1557
#5  0x00005555559fe6ea in vnc_copy (h=210, w=472, dst_y=261, dst_x=222, src_y=279, src_x=276, vs=0x5555581025a0) at ui/vnc.c:886
#6  vnc_dpy_copy (dcl=0x5555570b0c50, src_x=276, src_y=279, dst_x=222, dst_y=261, w=472, h=210) at ui/vnc.c:965
#7  0x00005555559efc35 in dpy_gfx_copy (con=0x5555570a6030, src_x=src_x@entry=276, src_y=src_y@entry=279, dst_x=dst_x@entry=222,
    dst_y=dst_y@entry=261, w=472, h=210) at ui/console.c:1575
#8  0x00005555559f0a4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=276, src_y=src_y@entry=279, dst_x=dst_x@entry=222,
    dst_y=dst_y@entry=261, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
#9  0x00005555558f3980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x555557f94090)
    at hw/display/cirrus_vga.c:774
#10 cirrus_bitblt_videotovideo_copy (s=0x555557f94090) at hw/display/cirrus_vga.c:793
#11 cirrus_bitblt_videotovideo (s=0x555557f94090) at hw/display/cirrus_vga.c:915
#12 cirrus_bitblt_start (s=0x555557f94090) at hw/display/cirrus_vga.c:1056
#13 0x0000555555798cfb in memory_region_write_accessor (mr=0x555557fa4e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,
    mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
#14 0x0000555555796f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7fffea3048d8, size=size@entry=4,
    access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x555555798c80 <memory_region_write_accessor>,
    mr=mr@entry=0x555557fa4e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
#15 0x000055555579b315 in memory_region_dispatch_write (mr=mr@entry=0x555557fa4e40, addr=addr@entry=320, data=18446744073709551362,
    size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
#16 0x00005555557586a9 in address_space_write_continue (mr=0x555557fa4e40, l=4, addr1=320, len=4, buf=0x7ffff7fef028 "\002\377\377\377",
    attrs=..., addr=4273930560, as=0x5555560b0280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
#17 address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>)
    at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
#18 0x0000555555758c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=...,
    buf=buf@entry=0x7ffff7fef028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>)
    at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
#19 0x0000555555795f53 in kvm_cpu_exec (cpu=cpu@entry=0x555556eda340) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
#20 0x0000555555783cc6 in qemu_kvm_cpu_thread_fn (arg=0x555556eda340) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
#21 0x00007ffff4d91dc5 in start_thread (arg=0x7fffea305700) at pthread_create.c:308
#22 0x00007ffff161b66d in clone () from /lib64/libc.so.6
(gdb)

ssize_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
{
    Error *err = NULL;
    ssize_t ret;
    ret = qio_channel_write(
        vs->ioc, (const char *)data, datalen, &err);
    VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
    return vnc_client_io_error(vs, ret, &err);
}

Please notes that the qio_channel_write() return -2.

> It looks like this is not a regression from 2.7, perhaps it should be post-poned?
> 
Yes, it's not a regression from 2.7, but it indeed is a serious bug and the fix is harmless. :)

Regards,
-Gonglei

>     Cc: Gerd Hoffmann <kraxel@redhat.com <mailto:kraxel@redhat.com>>
>     Cc: Daniel P. Berrange <berrange@redhat.com <mailto:berrange@redhat.com>>
>     Reported-by: Yanying Zhuang <ann.zhuangyanying@huawei.com <mailto:ann.zhuangyanying@huawei.com>>
>     Signed-off-by: Gonglei <arei.gonglei@huawei.com <mailto:arei.gonglei@huawei.com>>
>     ---
>      ui/vnc.c | 4 ++++
>      1 file changed, 4 insertions(+)
> 
>     diff --git a/ui/vnc.c b/ui/vnc.c
>     index d1087c9..76a3273 100644
>     --- a/ui/vnc.c
>     +++ b/ui/vnc.c
>     @@ -911,6 +911,10 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
>              }
>          }
> 
>     +    if (!vd->server) {
>     +        /* no client connected */
>     +        return;
>     +    }
>          /* do bitblit op on the local surface too */
>          pitch = vnc_server_fb_stride(vd);
>          src_row = vnc_server_fb_ptr(vd, src_x, src_y);
>     --
>     1.7.12.4
> 
> 
> 
> -- 
> Marc-André Lureau