From: David Gibson
Date: Mon, 11 Jul 2016 11:40:25 +1000
Message-ID: <20160711014025.GD16355@voom.fritz.box>
In-Reply-To: <146798352770.17402.11063109294574588761.stgit@bahia.lan>
Subject: Re: [Qemu-devel] [PATCH] spapr: fix core unplug crash
To: Greg Kurz
Cc: qemu-ppc@nongnu.org, qemu-devel@nongnu.org, Bharata B Rao

On Fri, Jul 08, 2016 at 03:12:07PM +0200, Greg Kurz wrote:
> If the host has 8 threads/core and the guest is started with:
> 
>     -smp cores=1,threads=4,maxcpus=12
> 
> It is possible to crash QEMU by doing:
> 
>     (qemu) device_add host-spapr-cpu-core,core-id=16,id=foo
>     (qemu) device_del foo
>     Segmentation fault
> 
> This is caused because spapr_core_unplug() assumes cpu_dt_id == core_id.
> Even if it happens to be the case when the host and guest have the same
> number of threads per core, it is conceptually wrong and we may pass a
> bogus id to spapr_dr_connector_by_id() and spapr_core_release() crashes.
> 
> Let's use cc->core_id, which is the id that was used to create the DR
> connector.
> 
> Signed-off-by: Greg Kurz

Thanks, applied to ppc-for-2.7.

> ---
>  hw/ppc/spapr_cpu_core.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
> index 70b6b0b5ee17..106eaf45b399 100644
> --- a/hw/ppc/spapr_cpu_core.c
> +++ b/hw/ppc/spapr_cpu_core.c
> @@ -126,11 +126,9 @@ static void spapr_core_release(DeviceState *dev, void *opaque)
>  void spapr_core_unplug(HotplugHandler *hotplug_dev, DeviceState *dev,
>                         Error **errp)
>  {
> -    sPAPRCPUCore *core = SPAPR_CPU_CORE(OBJECT(dev));
> -    PowerPCCPU *cpu = POWERPC_CPU(core->threads);
> -    int id = ppc_get_vcpu_dt_id(cpu);
> +    CPUCore *cc = CPU_CORE(dev);
>      sPAPRDRConnector *drc =
> -        spapr_dr_connector_by_id(SPAPR_DR_CONNECTOR_TYPE_CPU, id);
> +        spapr_dr_connector_by_id(SPAPR_DR_CONNECTOR_TYPE_CPU, cc->core_id);
>      sPAPRDRConnectorClass *drck;
>      Error *local_err = NULL;
>  
> 

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
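Review bot: the hunk changes the key passed to spapr_dr_connector_by_id() to cc->core_id, but the visible lines still show no check that the lookup returned a non-NULL drc before execution continues past `Error *local_err = NULL;`; since the crash being fixed is precisely an invalid id reaching that lookup, it would be worth confirming that the code below the hunk guards drc, or adding `g_assert(drc);` directly after the assignment, so that any future id mismatch fails with a clear assertion instead of a NULL dereference in spapr_core_release().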