From: Markus Armbruster <armbru@redhat.com>
To: "Gonglei (Arei)" <arei.gonglei@huawei.com>
Cc: "Huangweidong (C)" <weidong.huang@huawei.com>,
"Huangpeng (Peter)" <peter.huangpeng@huawei.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"stefanha@redhat.com" <stefanha@redhat.com>,
"imammedo@redhat.com" <imammedo@redhat.com>,
"lcapitulino@redhat.com" <lcapitulino@redhat.com>,
"afaerber@suse.de" <afaerber@suse.de>
Subject: Re: [Qemu-devel] [PATCH] qdev-monitor: fix segmentation fault on qdev_device_help()
Date: Tue, 16 Sep 2014 09:59:34 +0200
Message-ID: <87sijst2qh.fsf@blackfin.pond.sub.org>
In-Reply-To: <33183CC9F5247A488A2544077AF1902086DD5209@SZXEMA503-MBS.china.huawei.com> (Gonglei's message of "Tue, 16 Sep 2014 07:38:07 +0000")
"Gonglei (Arei)" <arei.gonglei@huawei.com> writes:
>> From: Markus Armbruster [mailto:armbru@redhat.com]
>> Sent: Tuesday, September 16, 2014 3:28 PM
>> Subject: Re: [Qemu-devel] [PATCH] qdev-monitor: fix segmentation fault on
>> qdev_device_help()
>>
>> <arei.gonglei@huawei.com> writes:
>>
>> > From: Gonglei <arei.gonglei@huawei.com>
>> >
>> > Normally, qmp_device_list_properties() may return NULL when
>> > a device doesn't have special properties except Object and DeviceState
>> > properties, such as virtio-balloon-device.
>> >
>> > We just need check local_err instead of prop_list.
>> >
>> > Example:
>> >
>> > Segmentation fault (core dumped)
>> >
>> > The backtrace as below:
>> >
>> > Program received signal SIGSEGV, Segmentation fault.
>> > 0x00005555559af1a8 in error_get_pretty (err=0x0) at util/error.c:152
>> > 152 return err->msg;
>> > (gdb) bt
>> > #0 0x00005555559af1a8 in error_get_pretty (err=0x0) at util/error.c:152
>> > #1 0x000055555572fce9 in qdev_device_help (opts=0x5555562fdfe0) at qdev-monitor.c:210
>> > #2 0x000055555574a6f2 in device_help_func (opts=0x5555562fdfe0, opaque=0x0) at vl.c:2362
>> > #3 0x00005555559c0a33 in qemu_opts_foreach (list=0x555555dd0b40 <qemu_device_opts>,
>> >     func=0x55555574a6ca <device_help_func>, opaque=0x0, abort_on_failure=0) at util/qemu-option.c:1072
>> > #4 0x000055555574f514 in main (argc=3, argv=0x7fffffffe218, envp=0x7fffffffe238) at vl.c:4246
>> >
>> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
>> > ---
>> > qdev-monitor.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > diff --git a/qdev-monitor.c b/qdev-monitor.c
>> > index fb9ee24..5ec6606 100644
>> > --- a/qdev-monitor.c
>> > +++ b/qdev-monitor.c
>> > @@ -206,7 +206,7 @@ int qdev_device_help(QemuOpts *opts)
>> > }
>> >
>> > prop_list = qmp_device_list_properties(driver, &local_err);
>> > - if (!prop_list) {
>> > + if (local_err) {
>> > error_printf("%s\n", error_get_pretty(local_err));
>> > error_free(local_err);
>> > return 1;
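Review bot: Switching the test from `- if (!prop_list) {` to `+ if (local_err) {` removes the NULL dereference in `error_printf("%s\n", error_get_pretty(local_err));` for drivers where qmp_device_list_properties() returns NULL without setting an error, but the hunk leaves prop_list untouched on the error path before `return 1;`. This is only leak-free if the callee guarantees a NULL list whenever it sets an error; that contract should be stated in the commit message, or prop_list freed here before returning. The commit message should also say plainly that a NULL return is a valid empty list, since that is the actual reason the old `if (!prop_list)` check was wrong.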
>>
>> Doesn't this leak prop_list when local_err && prop_list?
>>
> No, this situation will not happen.
>
>> Returning both a value in need of destruction and an error object is at
>> least highly unusual, and probably plain wrong.
>>
>> Should qmp_device_list_properties() return NULL when it sets an error?
>
> Yes, it was.
I think I'm starting to understand now.
Your backtrace shows qmp_device_list_properties() returned null without
setting an error. But this is okay, because null means "empty list",
which is a valid return value.
A systematic search for this kind of incorrect error handling would be
nice: search for functions returning QAPI lists, then look for callers
interpreting a null value as error. Would you be willing to do that?
Reviewed-by: Markus Armbruster <armbru@redhat.com>
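The pattern discussed in this thread, as an added example that is not QEMU's code: a toy model of a QAPI-style list function where a NULL return means "empty list" and only the Error out-parameter signals failure. `list_properties`, `device_help_before`, `device_help_after` and the device names are hypothetical stand-ins for qmp_device_list_properties() and qdev_device_help(); the pre-patch caller records where it would have called error_get_pretty(NULL) instead of actually crashing, so both versions can be run side by side.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for QEMU's Error and QAPI list types (constructed
 * for this example, not QEMU's own code). */
typedef struct Error { const char *msg; } Error;

typedef struct PropList {
    const char *name;
    struct PropList *next;
} PropList;

static void error_setg(Error **errp, const char *msg)
{
    if (errp) {
        Error *err = malloc(sizeof(*err));
        err->msg = msg;
        *errp = err;
    }
}

/* Like the real error_get_pretty(): dereferences err unconditionally. */
static const char *error_get_pretty(Error *err) { return err->msg; }
static void error_free(Error *err) { free(err); }

static void prop_list_free(PropList *list)
{
    while (list) {
        PropList *next = list->next;
        free(list);
        list = next;
    }
}

static PropList *prop_list_prepend(PropList *list, const char *name)
{
    PropList *node = malloc(sizeof(*node));
    node->name = name;
    node->next = list;
    return node;
}

/* Toy qmp_device_list_properties(): NULL means "no device-specific
 * properties", a valid result with no error.  Only an unknown driver sets
 * *errp, and it then also returns NULL. */
static PropList *list_properties(const char *driver, Error **errp)
{
    if (strcmp(driver, "virtio-balloon-device") == 0) {
        return NULL;                          /* empty list, no error */
    }
    if (strcmp(driver, "e1000") == 0) {
        PropList *list = prop_list_prepend(NULL, "mac");
        return prop_list_prepend(list, "netdev");
    }
    error_setg(errp, "Device not found");
    return NULL;
}

/* Pre-patch logic: a NULL list is taken as failure.  Returns 1 on the error
 * path, 0 otherwise.  *null_err_deref is set at the exact spot where the
 * original code called error_get_pretty(NULL) and segfaulted. */
static int device_help_before(const char *driver, int *null_err_deref)
{
    Error *local_err = NULL;
    PropList *list = list_properties(driver, &local_err);
    *null_err_deref = 0;
    if (!list) {
        if (!local_err) {
            *null_err_deref = 1;              /* original: NULL dereference */
            return 1;
        }
        printf("%s\n", error_get_pretty(local_err));
        error_free(local_err);
        return 1;
    }
    for (PropList *p = list; p; p = p->next) {
        printf("%s.%s\n", driver, p->name);
    }
    prop_list_free(list);
    return 0;
}

/* Post-patch logic: only the error object decides; an empty list just prints
 * nothing.  The list is freed on the error path too, so nothing leaks even
 * if a callee ever returned both.  Returns 1 on error, 0 on success. */
static int device_help_after(const char *driver)
{
    Error *local_err = NULL;
    PropList *list = list_properties(driver, &local_err);
    if (local_err) {
        printf("%s\n", error_get_pretty(local_err));
        error_free(local_err);
        prop_list_free(list);
        return 1;
    }
    for (PropList *p = list; p; p = p->next) {
        printf("%s.%s\n", driver, p->name);
    }
    prop_list_free(list);
    return 0;
}

int main(void)
{
    int deref;
    device_help_before("virtio-balloon-device", &deref);
    printf("pre-patch would dereference a NULL error: %d\n", deref);
    device_help_after("virtio-balloon-device");
    device_help_after("e1000");
    device_help_after("no-such-device");
    return 0;
}
```

Running it shows the pre-patch caller hitting the NULL-error path for the balloon device (the segfault in the backtrace above), while the post-patch caller prints an empty property list for it, the two properties for e1000, and the error message for the unknown driver.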