From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gonglei <arei.gonglei@huawei.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH 13/25] vnc: fix qemu crash because of SIGSEGV
Date: Tue, 20 Sep 2016 12:05:29 -0500
Message-ID: <1474391141-16623-14-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1474391141-16623-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: Gonglei <arei.gonglei@huawei.com>

The backtrace is:

0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4,
access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>,
mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362,
size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377",
attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=...,
buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
0x00007f0b70d3d66d in clone () from /lib64/libc.so.6

The code path while meeting segfault:
 vnc_dpy_copy
   vnc_update_client
     vnc_disconnect_finish [while vnc_disconnect_start() is invoked because something is wrong]
       vnc_update_server_surface
         vd->server = NULL;
   vnc_server_fb_stride
     pixman_image_get_stride(vd->server)

Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid a segmentation fault.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Daniel P. Berrange <berrange@redhat.com>
Reported-by: Yanying Zhuang <ann.zhuangyanying@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1472788698-120964-1-git-send-email-arei.gonglei@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 3e10c3ecfcaf604d8b400d6e463e1a186ce97d9b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 ui/vnc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index 78a586f..bca352e 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -906,6 +906,10 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
         }
     }
 
+    if (!vd->server) {
+        /* no client connected */
+        return;
+    }
     /* do bitblit op on the local surface too */
     pitch = vnc_server_fb_stride(vd);
     src_row = vnc_server_fb_ptr(vd, src_x, src_y);
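Review bot: the comment `/* no client connected */` understates the case this hunk is fixing: per the commit message's code path, vd->server becomes NULL when the per-client update earlier in vnc_dpy_copy() disconnects the last client (vnc_update_client -> vnc_disconnect_finish -> vnc_update_server_surface sets vd->server = NULL), so the surface disappears mid-call rather than never having existed. Suggest wording the comment to say that, e.g. `/* last client disconnected during the update above; server surface is gone */`, and keeping the check where it is, below the client loop, since a check before the loop would not cover this path.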
-- 
1.9.1
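A reduced model of the hazard the commit message describes, added here as an example and not QEMU's own code: a per-client update callback can disconnect the last client and free the shared server surface, so the surface must be re-checked after the loop and before the local blit. The Display/Client types and the function names are assumptions chosen to mirror the ui/vnc.c call path.

```c
/* Added example, not QEMU code: reduced model of the vnc_dpy_copy() hazard
 * described in the commit message; type and function names are assumptions. */
#include <stdlib.h>
typedef struct Client { int failed; struct Client *next; } Client;
typedef struct Display { unsigned char *server; int stride; Client *clients; } Display;
/* Like vnc_update_server_surface(): the server-side framebuffer exists only
 * while at least one client is connected; otherwise vd->server is NULL. */
static void update_server_surface(Display *vd)
{
    free(vd->server);
    vd->server = NULL;
    if (vd->clients) {
        vd->stride = 16;
        vd->server = calloc(16, vd->stride); /* constructed 16x16 surface */
    }
}
/* Like vnc_disconnect_finish(): unlink the client, then refresh the surface. */
static void disconnect_finish(Display *vd, Client *vs)
{
    Client **pp = &vd->clients;
    while (*pp && *pp != vs) pp = &(*pp)->next;
    if (*pp) *pp = vs->next;
    free(vs);
    update_server_surface(vd);
}
/* Like vnc_dpy_copy(): updating a client may disconnect it, so the surface
 * is re-checked before the local blit. Returns 1 if the blit ran, 0 if it
 * was skipped because the last client went away inside the loop. */
static int dpy_copy(Display *vd, int sx, int sy, int dx, int dy)
{
    Client *vs, *vn;
    for (vs = vd->clients; vs; vs = vn) {
        vn = vs->next;                             /* vs may be freed below */
        if (vs->failed) disconnect_finish(vd, vs); /* as vnc_update_client() */
    }
    if (!vd->server) return 0;                     /* the patch's check */
    vd->server[dy * vd->stride + dx] = vd->server[sy * vd->stride + sx];
    return 1;
}
/* One connected client, failing (1) or healthy (0); returns dpy_copy()'s result. */
static int scenario(int failed)
{
    Display vd = { 0 };
    vd.clients = calloc(1, sizeof *vd.clients);
    vd.clients->failed = failed;
    update_server_surface(&vd);
    int ran = dpy_copy(&vd, 1, 1, 2, 2);
    while (vd.clients) disconnect_finish(&vd, vd.clients);
    return ran;
}
```

Removing the `if (!vd->server)` line reproduces the crash class from the backtrace in the failing-client case: the blit dereferences a NULL surface.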
