* [Qemu-devel] [PATCH] Fix crash after char device read returns 0
@ 2007-02-14 18:11 Ed Swierk
From: Ed Swierk @ 2007-02-14 18:11 UTC (permalink / raw)
To: qemu-devel
qemu 0.9.0 on Linux crashes with SIGSEGV after read() on a char device
returns 0, which occurs if the char device is a fifo and the writer
closes the file.
In this case, fd_chr_read() and stdio_read() react by removing the IO
handler and freeing it. Unfortunately main_loop_wait() is unprepared
to deal with this (as the comment "XXX: better handling of removal"
suggests) and attempts to access the freed handler.
Even if main_loop_wait() were improved, it is not correct to remove
the IO handler just because read() returns 0: if the char device is a
fifo, a process may well reopen the fifo for writing at a later point.
The attached patch is a naive fix; feedback is welcome.
--Ed
[-- Attachment #2: qemu-chr-read-zero.patch --]
Index: qemu-snapshot-2007-02-09_05/vl.c
===================================================================
--- qemu-snapshot-2007-02-09_05.orig/vl.c
+++ qemu-snapshot-2007-02-09_05/vl.c
@@ -1346,11 +1346,13 @@ static void fd_chr_read(void *opaque)
if (len == 0)
return;
size = read(s->fd_in, buf, len);
+#if 0
if (size == 0) {
/* FD has been closed. Remove it from the active list. */
qemu_set_fd_handler2(s->fd_in, NULL, NULL, NULL, NULL);
return;
}
+#endif
if (size > 0) {
qemu_chr_read(chr, buf, size);
}
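Review bot: disabling the size == 0 branch with #if 0 trades the use-after-free in main_loop_wait() for a busy loop. A fifo (or any fd) that has hit EOF stays readable as far as select() is concerned, so once the writer closes, main_loop_wait() will wake immediately on every iteration and call fd_chr_read() again, which will read() 0 bytes and return, pinning a CPU until a writer reopens the fifo. The safer shape is to keep the removal here but make main_loop_wait() tolerate it, e.g. have qemu_set_fd_handler2() mark the IOHandlerRecord as deleted and let main_loop_wait() skip and free flagged records after it has finished walking the list (the "XXX: better handling of removal" comment in the cover text points at exactly that); the fifo-reopen case then needs explicit re-registration rather than leaving the fd permanently armed. Separately, if the block really is to go, delete it rather than leaving an #if 0 island, and note that a negative return from read() (EINTR/EAGAIN) is still silently dropped by the `if (size > 0)` check below, unchanged by this patch.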
@@ -1546,11 +1548,13 @@ static void stdio_read(void *opaque)
uint8_t buf[1];
size = read(0, buf, 1);
+#if 0
if (size == 0) {
/* stdin has been closed. Remove it from the active list. */
qemu_set_fd_handler2(0, NULL, NULL, NULL, NULL);
return;
}
+#endif
if (size > 0)
stdio_received_byte(buf[0]);
}
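Review bot: same concern as the fd_chr_read() hunk, and here the effect is easier to trigger: with stdin at EOF (qemu started with `< /dev/null`, or the parent closing its end of a pipe) select() reports fd 0 readable on every pass, so main_loop_wait() spins calling stdio_read() to read() 0 bytes forever instead of the one-off crash the patch is trying to avoid. Since the two hunks apply an identical #if 0 to an identical "fd closed, unregister handler" block, the fix belongs in one place, in the handler-removal path used by both, rather than being disabled twice; if removal during dispatch is made safe in main_loop_wait(), both of these blocks can stay as they were.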