Message-ID: <4939A81E.4020301@mail.berlios.de>
Date: Fri, 05 Dec 2008 23:15:58 +0100
From: Stefan Weil
To: QEMU Developers <qemu-devel@nongnu.org>
Subject: [Qemu-devel][BUG][PATCH] Fix crash in kvm.c

I got a crash (array access out of bounds results in access fault) with the current Qemu trunk when kvm is enabled:

qemu -fda fd.img -cdrom cdrom.img -hda hda.img -hdb raw.img -m 256 -boot c -enable-kvm

Host is Debian x86_64, the crash occurs before any code is emulated.

With the patch, the emulation (Win 98) boots, but has problems with the display of icons and the mouse cursor. Qemu displays lots of "BUG: kvm_physical_sync_dirty_bitmap: invalid parameters" messages.

Stefan

Attachment: kvm.patch (text/x-diff)

Fix crash with kvm enabled.

Signed-off-by: Stefan Weil

Index: target-i386/kvm.c =================================================================== --- target-i386/kvm.c (Revision 5889) +++ target-i386/kvm.c (Arbeitskopie) @@ -12,6 +12,7 @@ * */ +#include #include #include #include @@ -39,7 +40,8 @@ struct kvm_cpuid cpuid; struct kvm_cpuid_entry entries[100]; } __attribute__((packed)) cpuid_data; - int limit, i, cpuid_i; + int limit, cpuid_i; + unsigned i; uint32_t eax, ebx, ecx, edx; cpuid_i = 0; @@ -49,6 +51,7 @@ for (i = 0; i <= limit; i++) { struct kvm_cpuid_entry *c = &cpuid_data.entries[cpuid_i++]; + assert(cpuid_i < 100); cpu_x86_cpuid(env, i, &eax, &ebx, &ecx, &edx); c->function = i;
@@ -63,6 +66,7 @@ for (i = 0x80000000; i <= limit; i++) { struct kvm_cpuid_entry *c = &cpuid_data.entries[cpuid_i++]; + assert(cpuid_i < 100); cpu_x86_cpuid(env, i, &eax, &ebx, &ecx, &edx); c->function = i;
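Review bot: in the first hunk (@@ -12,6 +12,7 @@) the header name of the added include has not survived extraction (the line reads only `+#include`), so the patch as posted cannot be applied or fully reviewed; please resend with the attachment intact. Since the later hunks add assert() calls, the header this line must add is <assert.h>, and the patch will not compile without it.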
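Review bot: the declaration change in the second hunk (`- int limit, i, cpuid_i;` / `+ unsigned i;`) is what actually stops the overrun, and the commit message ("Fix crash with kvm enabled.") should say so. With a 32-bit int, `i = 0x80000000` in the extended loop `for (i = 0x80000000; i <= limit; i++)` is INT_MIN, so `i <= limit` holds for every non-negative limit and the loop walks far past `entries[100]`; with unsigned i the comparison converts limit to unsigned and terminates where intended. Consider declaring `limit` as unsigned or uint32_t too, since it holds a CPUID eax value and the loop now depends on an implicit int-to-unsigned conversion.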
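Review bot: the assert in the third hunk (and the identical one in the fourth) is off by one because it checks the post-incremented index: after `struct kvm_cpuid_entry *c = &cpuid_data.entries[cpuid_i++];` the test `assert(cpuid_i < 100);` fires when entries[99], a valid slot, has just been taken. Check before taking the slot and derive the bound from the array rather than repeating the literal 100, e.g. `assert(cpuid_i < ARRAY_SIZE(cpuid_data.entries));` followed by `c = &cpuid_data.entries[cpuid_i++];` (with a sizeof-based ARRAY_SIZE macro). Note also that assert() disappears under NDEBUG, in which case the overrun comes back silently, and otherwise aborts the whole QEMU process on any host CPU that reports more than 100 CPUID leaves; a runtime bound check that returns an error would be the safer handling for a count that comes from the host.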