On 2016/9/2 16:38, Marc-André Lureau wrote:
> Hi
> 
> On Fri, Sep 2, 2016 at 8:00 AM Gonglei <arei.gong...@huawei.com> wrote:
> 
>     The backtrace is:
> 
>     0x00007f0b75cdf880 in pixman_image_get_stride () from 
> /lib64/libpixman-1.so.0
>     0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at 
> ui/vnc.c:680
>     vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, 
> dst_y=363, w=1, h=1) at ui/vnc.c:915
>     0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, 
> src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
>     dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
>     0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, 
> src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
>     dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at 
> ui/console.c:2111
>     0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized 
> out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at 
> hw/display/cirrus_vga.c:774
>     cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at 
> hw/display/cirrus_vga.c:793
>     cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at 
> hw/display/cirrus_vga.c:915
>     cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
>     0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, 
> addr=320, value=<optimized out>, size=1, shift=<optimized 
> out>,mask=<optimized out>, attrs=...) at 
> /root/rpmbuild/BUILD/master/qemu/memory.c:525
>     0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, 
> value=value@entry=0x7f0b69a268d8, size=size@entry=4,
>     access_size_min=<optimized out>, access_size_max=<optimized out>, 
> access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>,
>     mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at 
> /root/rpmbuild/BUILD/master/qemu/memory.c:591
>     0x00007f0b77968315 in memory_region_dispatch_write 
> (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362,
>     size=size@entry=4, attrs=attrs@entry=...) at 
> /root/rpmbuild/BUILD/master/qemu/memory.c:1262
>     0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, 
> l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377",
>     attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at 
> /root/rpmbuild/BUILD/master/qemu/exec.c:2544
>     address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., 
> buf=<optimized out>, len=<optimized out>) at 
> /root/rpmbuild/BUILD/master/qemu/exec.c:2601
>     0x00007f0b77925c1d in address_space_rw (as=<optimized out>, 
> addr=<optimized out>, attrs=..., attrs@entry=...,
>     buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, 
> is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
>     0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at 
> /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
>     0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at 
> /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
>     0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at 
> pthread_create.c:308
>     0x00007f0b70d3d66d in clone () from /lib64/libc.so.6
> 
>     The code path while meeting segfault:
>      vnc_dpy_copy
>        vnc_update_client
>          vnc_disconnect_finish [while vnc_disconnect_start() is invoked 
> because something is wrong]
>            vnc_update_server_surface
>              vd->server = NULL;
>        vnc_server_fb_stride
>          pixman_image_get_stride(vd->server)
> 
>     Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid 
> segmentation fault.
> 
> 
> Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
> 
Thanks.

> (It would be great if you had a reproducer)
> 

1. Use the VNC Viewer client tool.
2. Use SUSE 11.3 as the guest VM, with a graphic console.
3. Connect over VNC as soon as possible after starting the VM.

I get the information below before the qemu crash.

[New Thread 0x7ffee93ff700 (LWP 18570)]
[Switching to Thread 0x7fffea305700 (LWP 17105)]

Breakpoint 1, vnc_client_io_error (vs=0x5555581025a0, ret=-2, 
errp=0x7fffea3045b0) at ui/vnc.c:1262
1262            vnc_disconnect_start(vs);
(gdb) bt
#0  vnc_client_io_error (vs=0x5555581025a0, ret=-2, errp=0x7fffea3045b0) at 
ui/vnc.c:1262
#1  0x00005555559fce2b in vnc_client_write_buf (vs=0x5555581025a0, 
data=<optimized out>, datalen=<optimized out>) at ui/vnc.c:1302
#2  0x00005555559fcee6 in vnc_client_write_plain (vs=<optimized out>) at 
ui/vnc.c:1333
#3  vnc_client_write_locked (vs=0x5555581025a0) at ui/vnc.c:1366
#4  0x00005555559fd901 in vnc_flush (vs=0x5555581025a0) at ui/vnc.c:1557
#5  0x00005555559fe6ea in vnc_copy (h=210, w=472, dst_y=261, dst_x=222, 
src_y=279, src_x=276, vs=0x5555581025a0) at ui/vnc.c:886
#6  vnc_dpy_copy (dcl=0x5555570b0c50, src_x=276, src_y=279, dst_x=222, 
dst_y=261, w=472, h=210) at ui/vnc.c:965
#7  0x00005555559efc35 in dpy_gfx_copy (con=0x5555570a6030, 
src_x=src_x@entry=276, src_y=src_y@entry=279, dst_x=dst_x@entry=222,
    dst_y=dst_y@entry=261, w=472, h=210) at ui/console.c:1575
#8  0x00005555559f0a4e in qemu_console_copy (con=<optimized out>, 
src_x=src_x@entry=276, src_y=src_y@entry=279, dst_x=dst_x@entry=222,
    dst_y=dst_y@entry=261, w=<optimized out>, h=<optimized out>) at 
ui/console.c:2111
#9  0x00005555558f3980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, 
src=<optimized out>, dst=<optimized out>, s=0x555557f94090)
    at hw/display/cirrus_vga.c:774
#10 cirrus_bitblt_videotovideo_copy (s=0x555557f94090) at 
hw/display/cirrus_vga.c:793
#11 cirrus_bitblt_videotovideo (s=0x555557f94090) at hw/display/cirrus_vga.c:915
#12 cirrus_bitblt_start (s=0x555557f94090) at hw/display/cirrus_vga.c:1056
#13 0x0000555555798cfb in memory_region_write_accessor (mr=0x555557fa4e40, 
addr=320, value=<optimized out>, size=1, shift=<optimized out>,
    mask=<optimized out>, attrs=...) at 
/root/rpmbuild/BUILD/master/qemu/memory.c:525
#14 0x0000555555796f59 in access_with_adjusted_size (addr=addr@entry=320, 
value=value@entry=0x7fffea3048d8, size=size@entry=4,
    access_size_min=<optimized out>, access_size_max=<optimized out>, 
access=access@entry=0x555555798c80 <memory_region_write_accessor>,
    mr=mr@entry=0x555557fa4e40, attrs=attrs@entry=...) at 
/root/rpmbuild/BUILD/master/qemu/memory.c:591
#15 0x000055555579b315 in memory_region_dispatch_write 
(mr=mr@entry=0x555557fa4e40, addr=addr@entry=320, data=18446744073709551362,
    size=size@entry=4, attrs=attrs@entry=...) at 
/root/rpmbuild/BUILD/master/qemu/memory.c:1262
#16 0x00005555557586a9 in address_space_write_continue (mr=0x555557fa4e40, l=4, 
addr1=320, len=4, buf=0x7ffff7fef028 "\002\377\377\377",
    attrs=..., addr=4273930560, as=0x5555560b0280 <address_space_memory>) at 
/root/rpmbuild/BUILD/master/qemu/exec.c:2544
#17 address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., 
buf=<optimized out>, len=<optimized out>)
    at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
#18 0x0000555555758c1d in address_space_rw (as=<optimized out>, addr=<optimized 
out>, attrs=..., attrs@entry=...,
    buf=buf@entry=0x7ffff7fef028 "\002\377\377\377", len=<optimized out>, 
is_write=<optimized out>)
    at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
#19 0x0000555555795f53 in kvm_cpu_exec (cpu=cpu@entry=0x555556eda340) at 
/root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
#20 0x0000555555783cc6 in qemu_kvm_cpu_thread_fn (arg=0x555556eda340) at 
/root/rpmbuild/BUILD/master/qemu/cpus.c:1078
#21 0x00007ffff4d91dc5 in start_thread (arg=0x7fffea305700) at 
pthread_create.c:308
#22 0x00007ffff161b66d in clone () from /lib64/libc.so.6
(gdb)

ssize_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
{
    Error *err = NULL;
    ssize_t ret;
    ret = qio_channel_write(
        vs->ioc, (const char *)data, datalen, &err);
    VNC_DEBUG("Wrote wire %p %zd -> %ld\n", data, datalen, ret);
    return vnc_client_io_error(vs, ret, &err);
}

Please note that qio_channel_write() returns -2.

> It looks like this is not a regression from 2.7, perhaps it should be 
> postponed?
> 
Yes, it's not a regression from 2.7, but it is indeed a serious bug and the fix 
is harmless. :)

Regards,
-Gonglei

>     Cc: Gerd Hoffmann <kra...@redhat.com>
>     Cc: Daniel P. Berrange <berra...@redhat.com>
>     Reported-by: Yanying Zhuang <ann.zhuangyany...@huawei.com>
>     Signed-off-by: Gonglei <arei.gong...@huawei.com>
>     ---
>      ui/vnc.c | 4 ++++
>      1 file changed, 4 insertions(+)
> 
>     diff --git a/ui/vnc.c b/ui/vnc.c
>     index d1087c9..76a3273 100644
>     --- a/ui/vnc.c
>     +++ b/ui/vnc.c
>     @@ -911,6 +911,10 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
>              }
>          }
> 
>     +    if (!vd->server) {
>     +        /* no client connected */
>     +        return;
>     +    }
>          /* do bitblit op on the local surface too */
>          pitch = vnc_server_fb_stride(vd);
>          src_row = vnc_server_fb_ptr(vd, src_x, src_y);
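Review bot: the comment /* no client connected */ on the new guard understates the case the commit message describes: vd->server is cleared by vnc_disconnect_finish() running inside the per-client loop just above, so the guard is catching a surface that was freed under this very call, not only the no-client steady state. Suggest a comment that records that ordering, e.g. `/* the last client may have disconnected in the loop above and freed the server surface */`, so the check is not later moved to the top of the function where it would miss exactly this path. The placement itself, immediately before `pitch = vnc_server_fb_stride(vd);`, is the right one for that reason.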
>     --
>     1.7.12.4
> 
> 
> 
> -- 
> Marc-André Lureau
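A small C model of the failure path described in this thread, added here as an illustration and not QEMU code: a write error to one client during the copy loop tears that client down, the last teardown drops the shared server surface, and the surface therefore has to be re-checked after the loop, which is what the patch does. Display, disconnect_finish, dpy_copy and make_display are stand-ins for the QEMU structures and functions, not their real definitions.

```c
#include <stdlib.h>

#define MAX_CLIENTS 4

typedef struct { int stride; } Surface;   /* stands in for the pixman image */

typedef struct {
    Surface *server;                /* shared server-side framebuffer (vd->server) */
    int slots;                      /* client slots in use */
    int live;                       /* clients still connected */
    int connected[MAX_CLIENTS];
    int write_fails[MAX_CLIENTS];   /* constructed: 1 = socket write to client fails */
} Display;

/* Model of vnc_disconnect_finish(): when the last client goes away the
 * server surface is released, the vd->server = NULL from the thread. */
static void disconnect_finish(Display *vd, int i)
{
    vd->connected[i] = 0;
    if (--vd->live == 0) {
        free(vd->server);
        vd->server = NULL;
    }
}

/* Model of vnc_dpy_copy(). Returns the stride used for the local copy,
 * 0 when the guard skipped the copy, or -1 where the unguarded code would
 * have passed NULL to pixman_image_get_stride() (reported instead of
 * faulting so the model can be exercised). */
static int dpy_copy(Display *vd, int guarded)
{
    for (int i = 0; i < vd->slots; i++) {
        if (vd->connected[i] && vd->write_fails[i]) {
            disconnect_finish(vd, i);   /* vnc_flush -> io error -> disconnect */
        }
    }
    if (!vd->server) {
        return guarded ? 0 : -1;        /* the patch's early return vs. the crash */
    }
    return vd->server->stride;          /* vnc_server_fb_stride(vd) */
}

/* Build a display with n connected clients and the given write outcomes. */
static Display *make_display(int n, const int *fails)
{
    Display *vd = calloc(1, sizeof *vd);
    vd->server = malloc(sizeof *vd->server);
    vd->server->stride = 2560;          /* constructed: 640 px * 4 bytes */
    vd->slots = vd->live = n;
    for (int i = 0; i < n; i++) { vd->connected[i] = 1; vd->write_fails[i] = fails[i]; }
    return vd;
}

static void free_display(Display *vd) { free(vd->server); free(vd); }
```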