When QEMU creates a tap device automatically and the tap device is
manually removed from the host while the guest is running, the tap
device file descriptor becomes invalid. Later, when the guest executes
shutdown, the tap_fd_set_vnet_hdr_len() function may be called and
abort QEMU with a core dump when attempting to use the invalid fd.
This patch removes many abort() calls in this file. If the fd is found
to be in a bad state (e.g., EBADFD or ENODEV), the related function
will print an error message.
The expected behavior for this negative test case is that QEMU should
report an error but continue running rather than aborting.
Testing:
- Start QEMU with automatically created tap device
- Manually remove the tap device on the host
- Execute shutdown in the guest
- Verify QEMU reports an error but does not abort
(gdb) bt full
#0 __pthread_kill_implementation (threadid=<optimized out>,
signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
tid = <optimized out>
ret = 0
pd = <optimized out>
old_mask = {__val = {10}}
ret = <optimized out>
#1 0x00007f1710b6bff3 in __pthread_kill_internal (threadid=<optimized out>,
signo=6) at pthread_kill.c:78
#2 0x00007f1710b15f56 in __GI_raise (sig=sig@entry=6) at
../sysdeps/posix/raise.c:26
ret = <optimized out>
#3 0x00007f1710afd8fa in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20},
sa_mask = {__val = {16929458408262392576, 18446744073709550848,
139737042419943, 139737042419943, 0, 94049703655600, 139737042419943,
139737042670528, 18446744073709550328, 77, 139705603579344,
18446744073709551615, 139737041472378, 139705595179568, 16929458408262392576,
94049679794864}}, sa_flags = 281695456, sa_restorer = 0xa}
#4 0x000055899a71de58 in tap_fd_set_vnet_hdr_len (fd=<optimized out>, len=10)
at ../net/tap-linux.c:204
#5 tap_set_vnet_hdr_len (nc=<optimized out>, len=10) at ../net/tap.c:269
s = <optimized out>
#6 0x000055899a8be67f in qemu_set_vnet_hdr_len (nc=0x2956, len=10588) at
../net/net.c:573
#7 virtio_net_set_mrg_rx_bufs (n=0x5589a72cfa10, mergeable_rx_bufs=<optimized
out>, version_1=<error reading variable: Incompatible types on DWARF stack>,
hash_report=<optimized out>) at ../hw/net/virtio-net.c:664
i = 0
nc = 0x5589a730ab28
#8 virtio_net_set_features (vdev=0x5589a72cfa10, features=0) at
../hw/net/virtio-net.c:897
n = 0x5589a72cfa10
err = 0x0
i = 0
#9 0x000055899a8e4eaa in virtio_set_features_nocheck (vdev=0x5589a72cfa10,
val=0) at ../hw/virtio/virtio.c:3079
k = <optimized out>
bad = <optimized out>
#10 virtio_reset (opaque=0x5589a72cfa10) at ../hw/virtio/virtio.c:3184
vdev = 0x5589a72cfa10
k = 0x5589a5c162b0
i = 0
#11 0x000055899a630d2b in virtio_bus_reset (bus=0x5589a72cf990) at
../hw/virtio/virtio-bus.c:109
vdev = <optimized out>
#12 virtio_pci_reset (qdev=0x5589a72c7470) at ../hw/virtio/virtio-pci.c:2311
proxy = 0x5589a72c7470
i = 0
bus = 0x5589a72cf990
#13 0x000055899a686ded in memory_region_write_accessor (mr=<optimized out>,
addr=<optimized out>, value=<optimized out>, size=<optimized out>,
shift=<optimized out>, mask=<optimized out>, attrs=...) at
../system/memory.c:490
tmp = <optimized out>
#14 0x000055899a686cbc in access_with_adjusted_size (addr=20,
value=0x7f0fbedfde00, size=1, access_size_min=<optimized out>,
access_size_max=<optimized out>, access_fn=0x55899a686d30
<memory_region_write_accessor>, mr=0x5589a72c8040, attrs=...) at
../system/memory.c:566
print_once_ = false
access_mask = 255
access_size = 1
i = 0
r = 0
reentrancy_guard_applied = <optimized out>
#15 0x000055899a686ac5 in memory_region_dispatch_write (mr=<optimized out>,
addr=20, data=<optimized out>, op=<optimized out>, attrs=...) at
../system/memory.c:1545
size = <optimized out>
#16 0x000055899a69f7da in flatview_write_continue_step (attrs=...,
buf=0x7f1711da6028 <error: Cannot access memory at address 0x7f1711da6028>,
len=<optimized out>, mr_addr=20, l=0x7f0fbedfde28, mr=0x5589a72c8040) at
../system/physmem.c:2972
val = 6
result = 0
release_lock = <optimized out>
#17 0x000055899a697c15 in flatview_write_continue (fv=0x7f0f6c124d90,
addr=61675730370580, attrs=..., ptr=0x7f1711da6028, len=1, mr_addr=6, l=1,
mr=0x0) at ../system/physmem.c:3002
result = 0
buf = 0x7f1711da6028 <error: Cannot access memory at address
0x7f1711da6028>
#18 flatview_write (fv=0x7f0f6c124d90, addr=61675730370580, attrs=...,
buf=0x7f1711da6028, len=1) at ../system/physmem.c:3033
--Type <RET> for more, q to quit, c to continue without paging--
l = <optimized out>
mr_addr = 6
mr = 0x0
#19 0x000055899a697a91 in address_space_write (as=0x55899bceeba0
<address_space_memory>, addr=61675730370580, attrs=..., buf=0x7f1711da6028,
len=1) at ../system/physmem.c:3153
_rcu_read_auto = 0x1
result = 0
fv = 0x2956
#20 0x000055899a91159b in address_space_rw (addr=10588, attrs=...,
buf=0x7f1711da6028, len=0, as=<optimized out>, is_write=<optimized out>) at
../system/physmem.c:3163
#21 kvm_cpu_exec (cpu=0x5589a5d68b40) at ../accel/kvm/kvm-all.c:3255
attrs = {secure = 0, space = 0, user = 0, memory = 0, debug = 0,
requester_id = 0, pid = 0, address_type = 0, unspecified = false, _reserved1 =
0 '\000', _reserved2 = 0}
run = 0x7f1711da6000
ret = <optimized out>
run_ret = <optimized out>
#22 0x000055899a9189ca in kvm_vcpu_thread_fn (arg=0x5589a5d68b40) at
../accel/kvm/kvm-accel-ops.c:51
r = <optimized out>
cpu = <optimized out>
#23 0x000055899aba817a in qemu_thread_start (args=0x5589a5d72580) at
../util/qemu-thread-posix.c:393
__clframe = {__cancel_routine = <optimized out>, __cancel_arg = 0x0,
__do_it = 1, __cancel_type = <optimized out>}
qemu_thread_args = 0x5589a5d72580
start_routine = 0x55899a918850 <kvm_vcpu_thread_fn>
arg = 0x5589a5d68b40
r = 0x0
#24 0x00007f1710b6a128 in start_thread (arg=<optimized out>) at
pthread_create.c:448
ret = <optimized out>
pd = <optimized out>
out = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {32, 8894544057743421332,
-1288, 0, 140726164742416, 140726164742679, -8831356496486092908,
-8844535456800460908}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0,
0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#25 0x00007f1710bda924 in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:100
Fixes: 0caed25cd171c611781589b5402161d27d57229c virtio: Call set_features
during reset
Signed-off-by: Houqi (Nick) Zuo <h...@redhat.com>
---
net/tap-linux.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/tap-linux.c b/net/tap-linux.c
index e832810665..24e63a0b54 100644
--- a/net/tap-linux.c
+++ b/net/tap-linux.c
@@ -206,15 +206,16 @@ void tap_fd_set_vnet_hdr_len(int fd, int len)
if (ioctl(fd, TUNSETVNETHDRSZ, &len) == -1) {
fprintf(stderr, "TUNSETVNETHDRSZ ioctl() failed: %s. Exiting.\n",
strerror(errno));
- abort();
}
}
int tap_fd_set_vnet_le(int fd, int is_le)
{
int arg = is_le ? 1 : 0;
+ int ret;
- if (!ioctl(fd, TUNSETVNETLE, &arg)) {
+ ret = ioctl(fd, TUNSETVNETLE, &arg);
+ if (!ret) {
return 0;
}
@@ -224,14 +225,16 @@ int tap_fd_set_vnet_le(int fd, int is_le)
}
error_report("TUNSETVNETLE ioctl() failed: %s.", strerror(errno));
- abort();
+ return ret;
}
int tap_fd_set_vnet_be(int fd, int is_be)
{
int arg = is_be ? 1 : 0;
+ int ret;
- if (!ioctl(fd, TUNSETVNETBE, &arg)) {
+ ret = ioctl(fd, TUNSETVNETBE, &arg);
+ if (!ret) {
return 0;
}
@@ -241,7 +244,7 @@ int tap_fd_set_vnet_be(int fd, int is_be)
}
error_report("TUNSETVNETBE ioctl() failed: %s.", strerror(errno));
- abort();
+ return ret;
}
void tap_fd_set_offload(int fd, int csum, int tso4,
--
2.47.3
