From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:59693)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1RweFR-0001yA-Ih
	for qemu-devel@nongnu.org; Sun, 12 Feb 2012 13:34:06 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1RweFP-0003fN-AY
	for qemu-devel@nongnu.org; Sun, 12 Feb 2012 13:34:05 -0500
Received: from mx1.redhat.com ([209.132.183.28]:50108)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1RweFP-0003f2-3t
	for qemu-devel@nongnu.org; Sun, 12 Feb 2012 13:34:03 -0500
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q1CIY1eZ023648
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Sun, 12 Feb 2012 13:34:02 -0500
Received: from redhat.com (vpn-203-199.tlv.redhat.com [10.35.203.199])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with SMTP
	id q1CIXxPK014996
	for <qemu-devel@nongnu.org>; Sun, 12 Feb 2012 13:34:01 -0500
Date: Sun, 12 Feb 2012 20:34:07 +0200
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20120212183407.GA4534@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: [Qemu-devel] slirp-related crash
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

It seems somewhat easy to crash qemu with slirp if we queue multiple packets.
I didn't investigate further yet so I don't know if this
is a regression. Anyone knowledgeable about slirp wants to take a look?

/home/mst/qemu-test/bin/qemu-system-x86_64  -enable-kvm -m 1G -drive
file=/home/mst/rhel6.qcow2 -netdev user,id=bar -net
nic,netdev=bar,model=e1000,macaddr=52:54:00:12:34:57  -redir
tcp:8022::22  -vnc :1 -monitor stdio

While guest is booting, quickly do this

ssh localhost -p 8022
CTRL-C
ssh localhost -p 8022
CTRL-C
ssh localhost -p 8022
CTRL-C
ssh localhost -p 8022
CTRL-C

When guest triest to bring up link,
qemu crashes:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e4f8a7 in slirp_insque (a=0x0, b=0x7ffff91681f0) at
slirp/misc.c:27
27              element->qh_link = head->qh_link;
(gdb) where
#0  0x00007ffff7e4f8a7 in slirp_insque (a=0x0, b=0x7ffff91681f0) at
slirp/misc.c:27
#1  0x00007ffff7e4ddd8 in if_start (slirp=0x7ffff8b0e4f0) at
slirp/if.c:194
#2  0x00007ffff7e51290 in slirp_select_poll (readfds=0x7fffffffdfe0,
writefds=
    0x7fffffffdf60, xfds=0x7fffffffdee0, select_error=0) at
slirp/slirp.c:588
#3  0x00007ffff7e114c3 in main_loop_wait (nonblocking=<value optimized
out>)
    at main-loop.c:466
#4  0x00007ffff7e09ed4 in main_loop (argc=<value optimized out>, 
    argv=<value optimized out>, envp=<value optimized out>)
    at /home/mst/scm/qemu/vl.c:1482
#5  main (argc=<value optimized out>, argv=<value optimized out>, 
    envp=<value optimized out>) at /home/mst/scm/qemu/vl.c:3525
(gdb) p element
$1 = (struct quehead *) 0x0


-- 
MST