[Qemu-devel] [Bug 1219207] [NEW] QMP (32 bit only) segfaults in query-tpm-types when compiled with --enable-tpm

[Qemu-devel] [Bug 1219207] [NEW] QMP (32 bit only) segfaults in query-tpm-types when compiled with --enable-tpm

[Richard Jones]

Public bug reported:

NB: This bug ONLY happens on i686.  When qemu is compiled for x86-64,
the bug does NOT happen.

$ ./configure --enable-tpm
$ make
$ (sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm-types"}\n') | ./i386-softmmu/qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 50, "minor": 6, "major": 1}, "package": ""}, "capabilities": []}}
{"return": {}}
Segmentation fault (core dumped)

The stack trace is:

#0  output_type_enum (v=0xb9938228, obj=0x5, 
    strings=0xb77f0320 <TpmType_lookup>, kind=0xb767f1d4 "TpmType", name=0x0, 
    errp=0xbfec4628) at qapi/qapi-visit-core.c:306
#1  0xb762b3b5 in visit_type_enum (v=v@entry=0xb9938228, obj=0x5, 
    strings=0xb77f0320 <TpmType_lookup>, kind=kind@entry=0xb767f1d4 "TpmType", 
    name=name@entry=0x0, errp=errp@entry=0xbfec4628)
    at qapi/qapi-visit-core.c:114
#2  0xb74a9ef4 in visit_type_TpmType (errp=0xbfec4628, name=0x0, 
    obj=<optimized out>, m=0xb9938228) at qapi-visit.c:5220
#3  visit_type_TpmTypeList (m=0xb9938228, obj=obj@entry=0xbfec4678, 
    name=name@entry=0xb76545a6 "unused", errp=errp@entry=0xbfec4674)
    at qapi-visit.c:5206
#4  0xb74c403e in qmp_marshal_output_query_tpm_types (errp=0xbfec4674, 
    ret_out=0xbfec46d8, ret_in=0xb993f490) at qmp-marshal.c:3795
#5  qmp_marshal_input_query_tpm_types (mon=0xb9937098, qdict=0xb99379a0, 
    ret=0xbfec46d8) at qmp-marshal.c:3817
#6  0xb7581d7a in qmp_call_cmd (cmd=<optimized out>, params=0xb99379a0, 
    mon=0xb9937098) at /home/rjones/d/qemu/monitor.c:4644
#7  handle_qmp_command (parser=0xb99370ec, tokens=0xb9941438)
    at /home/rjones/d/qemu/monitor.c:4710
#8  0xb7631d8f in json_message_process_token (lexer=0xb99370f0, 
    token=0xb993f3a8, type=JSON_OPERATOR, x=29, y=1)
    at qobject/json-streamer.c:87
#9  0xb764579b in json_lexer_feed_char (lexer=lexer@entry=0xb99370f0, 
    ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
#10 0xb76458c8 in json_lexer_feed (lexer=lexer@entry=0xb99370f0, 
    buffer=buffer@entry=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=size@entry=1)
    at qobject/json-lexer.c:356
#11 0xb7631fab in json_message_parser_feed (parser=0xb99370ec, 
    buffer=buffer@entry=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=size@entry=1)
    at qobject/json-streamer.c:110
#12 0xb75803eb in monitor_control_read (opaque=0xb9937098, 
    buf=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=1) at /home/rjones/d/qemu/monitor.c:4731
#13 0xb74b191e in qemu_chr_be_write (len=<optimized out>, 
    buf=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", s=0xb9935800) at qemu-char.c:165
#14 fd_chr_read (chan=0xb9935870, cond=(G_IO_IN | G_IO_HUP), opaque=0xb9935800)
    at qemu-char.c:841
#15 0xb71f6876 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb71b0286 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb747a13e in glib_pollfds_poll () at main-loop.c:189
#18 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:234
#19 main_loop_wait (nonblocking=1) at main-loop.c:484
#20 0xb7309f11 in main_loop () at vl.c:2090
#21 main (argc=8, argv=0xbfec5c14, envp=0xbfec5c38) at vl.c:4435

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1219207

Title:
  QMP (32 bit only) segfaults in query-tpm-types when compiled with
  --enable-tpm

Status in QEMU:
  New

Bug description:
  NB: This bug ONLY happens on i686.  When qemu is compiled for x86-64,
  the bug does NOT happen.

  $ ./configure --enable-tpm
  $ make
  $ (sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm-types"}\n') | ./i386-softmmu/qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio
  {"QMP": {"version": {"qemu": {"micro": 50, "minor": 6, "major": 1}, "package": ""}, "capabilities": []}}
  {"return": {}}
  Segmentation fault (core dumped)

  The stack trace is:

  #0  output_type_enum (v=0xb9938228, obj=0x5, 
      strings=0xb77f0320 <TpmType_lookup>, kind=0xb767f1d4 "TpmType", name=0x0, 
      errp=0xbfec4628) at qapi/qapi-visit-core.c:306
  #1  0xb762b3b5 in visit_type_enum (v=v@entry=0xb9938228, obj=0x5, 
      strings=0xb77f0320 <TpmType_lookup>, kind=kind@entry=0xb767f1d4 "TpmType", 
      name=name@entry=0x0, errp=errp@entry=0xbfec4628)
      at qapi/qapi-visit-core.c:114
  #2  0xb74a9ef4 in visit_type_TpmType (errp=0xbfec4628, name=0x0, 
      obj=<optimized out>, m=0xb9938228) at qapi-visit.c:5220
  #3  visit_type_TpmTypeList (m=0xb9938228, obj=obj@entry=0xbfec4678, 
      name=name@entry=0xb76545a6 "unused", errp=errp@entry=0xbfec4674)
      at qapi-visit.c:5206
  #4  0xb74c403e in qmp_marshal_output_query_tpm_types (errp=0xbfec4674, 
      ret_out=0xbfec46d8, ret_in=0xb993f490) at qmp-marshal.c:3795
  #5  qmp_marshal_input_query_tpm_types (mon=0xb9937098, qdict=0xb99379a0, 
      ret=0xbfec46d8) at qmp-marshal.c:3817
  #6  0xb7581d7a in qmp_call_cmd (cmd=<optimized out>, params=0xb99379a0, 
      mon=0xb9937098) at /home/rjones/d/qemu/monitor.c:4644
  #7  handle_qmp_command (parser=0xb99370ec, tokens=0xb9941438)
      at /home/rjones/d/qemu/monitor.c:4710
  #8  0xb7631d8f in json_message_process_token (lexer=0xb99370f0, 
      token=0xb993f3a8, type=JSON_OPERATOR, x=29, y=1)
      at qobject/json-streamer.c:87
  #9  0xb764579b in json_lexer_feed_char (lexer=lexer@entry=0xb99370f0, 
      ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
  #10 0xb76458c8 in json_lexer_feed (lexer=lexer@entry=0xb99370f0, 
      buffer=buffer@entry=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=size@entry=1)
      at qobject/json-lexer.c:356
  #11 0xb7631fab in json_message_parser_feed (parser=0xb99370ec, 
      buffer=buffer@entry=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=size@entry=1)
      at qobject/json-streamer.c:110
  #12 0xb75803eb in monitor_control_read (opaque=0xb9937098, 
      buf=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=1) at /home/rjones/d/qemu/monitor.c:4731
  #13 0xb74b191e in qemu_chr_be_write (len=<optimized out>, 
      buf=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", s=0xb9935800) at qemu-char.c:165
  #14 fd_chr_read (chan=0xb9935870, cond=(G_IO_IN | G_IO_HUP), opaque=0xb9935800)
      at qemu-char.c:841
  #15 0xb71f6876 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
  #16 0xb71b0286 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
  #17 0xb747a13e in glib_pollfds_poll () at main-loop.c:189
  #18 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:234
  #19 main_loop_wait (nonblocking=1) at main-loop.c:484
  #20 0xb7309f11 in main_loop () at vl.c:2090
  #21 main (argc=8, argv=0xbfec5c14, envp=0xbfec5c38) at vl.c:4435

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1219207/+subscriptions

[Qemu-devel] [Bug 1219207] Re: QMP (32 bit only) segfaults in query-tpm-types when compiled with --enable-tpm

[T. Huth]

Looks like the fix has been included here:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=02dc4bf5684d3fb46786
... so closing this ticket now.

** Changed in: qemu
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1219207

Title:
  QMP (32 bit only) segfaults in query-tpm-types when compiled with
  --enable-tpm

Status in QEMU:
  Fix Released

Bug description:
  NB: This bug ONLY happens on i686.  When qemu is compiled for x86-64,
  the bug does NOT happen.

  $ ./configure --enable-tpm
  $ make
  $ (sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm-types"}\n') | ./i386-softmmu/qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio
  {"QMP": {"version": {"qemu": {"micro": 50, "minor": 6, "major": 1}, "package": ""}, "capabilities": []}}
  {"return": {}}
  Segmentation fault (core dumped)

  The stack trace is:

  #0  output_type_enum (v=0xb9938228, obj=0x5, 
      strings=0xb77f0320 <TpmType_lookup>, kind=0xb767f1d4 "TpmType", name=0x0, 
      errp=0xbfec4628) at qapi/qapi-visit-core.c:306
  #1  0xb762b3b5 in visit_type_enum (v=v@entry=0xb9938228, obj=0x5, 
      strings=0xb77f0320 <TpmType_lookup>, kind=kind@entry=0xb767f1d4 "TpmType", 
      name=name@entry=0x0, errp=errp@entry=0xbfec4628)
      at qapi/qapi-visit-core.c:114
  #2  0xb74a9ef4 in visit_type_TpmType (errp=0xbfec4628, name=0x0, 
      obj=<optimized out>, m=0xb9938228) at qapi-visit.c:5220
  #3  visit_type_TpmTypeList (m=0xb9938228, obj=obj@entry=0xbfec4678, 
      name=name@entry=0xb76545a6 "unused", errp=errp@entry=0xbfec4674)
      at qapi-visit.c:5206
  #4  0xb74c403e in qmp_marshal_output_query_tpm_types (errp=0xbfec4674, 
      ret_out=0xbfec46d8, ret_in=0xb993f490) at qmp-marshal.c:3795
  #5  qmp_marshal_input_query_tpm_types (mon=0xb9937098, qdict=0xb99379a0, 
      ret=0xbfec46d8) at qmp-marshal.c:3817
  #6  0xb7581d7a in qmp_call_cmd (cmd=<optimized out>, params=0xb99379a0, 
      mon=0xb9937098) at /home/rjones/d/qemu/monitor.c:4644
  #7  handle_qmp_command (parser=0xb99370ec, tokens=0xb9941438)
      at /home/rjones/d/qemu/monitor.c:4710
  #8  0xb7631d8f in json_message_process_token (lexer=0xb99370f0, 
      token=0xb993f3a8, type=JSON_OPERATOR, x=29, y=1)
      at qobject/json-streamer.c:87
  #9  0xb764579b in json_lexer_feed_char (lexer=lexer@entry=0xb99370f0, 
      ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
  #10 0xb76458c8 in json_lexer_feed (lexer=lexer@entry=0xb99370f0, 
      buffer=buffer@entry=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=size@entry=1)
      at qobject/json-lexer.c:356
  #11 0xb7631fab in json_message_parser_feed (parser=0xb99370ec, 
      buffer=buffer@entry=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=size@entry=1)
      at qobject/json-streamer.c:110
  #12 0xb75803eb in monitor_control_read (opaque=0xb9937098, 
      buf=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=1) at /home/rjones/d/qemu/monitor.c:4731
  #13 0xb74b191e in qemu_chr_be_write (len=<optimized out>, 
      buf=0xbfec486c "}\243\353S\351\364b\267/\327ⵀ\025}\267 \367b\267\315\372\223\271\065\023j\267\002", s=0xb9935800) at qemu-char.c:165
  #14 fd_chr_read (chan=0xb9935870, cond=(G_IO_IN | G_IO_HUP), opaque=0xb9935800)
      at qemu-char.c:841
  #15 0xb71f6876 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
  #16 0xb71b0286 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
  #17 0xb747a13e in glib_pollfds_poll () at main-loop.c:189
  #18 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:234
  #19 main_loop_wait (nonblocking=1) at main-loop.c:484
  #20 0xb7309f11 in main_loop () at vl.c:2090
  #21 main (argc=8, argv=0xbfec5c14, envp=0xbfec5c38) at vl.c:4435

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1219207/+subscriptions