* [Qemu-devel] [PULL 2/4] ui/curses.c: Clean up nextchr logic
From: Gerd Hoffmann @ 2016-09-13 7:06 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell, Gerd Hoffmann
From: Peter Maydell <peter.maydell@linaro.org>
Coverity identifies that at the top of the while(1) loop
in curses_refresh() the variable nextchr is always ERR,
and so the else case of the first if() is dead code.
Remove this dead code, and narrow the scope of the
nextchr variable to the place where it's used.
(This confused logic has been present since the curses
code was added to QEMU in 2008.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1470925407-23850-3-git-send-email-peter.maydell@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/curses.c | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/ui/curses.c b/ui/curses.c
index f1f886c..d06f724 100644
--- a/ui/curses.c
+++ b/ui/curses.c
@@ -181,7 +181,7 @@ static kbd_layout_t *kbd_layout = NULL;
static void curses_refresh(DisplayChangeListener *dcl)
{
- int chr, nextchr, keysym, keycode, keycode_alt;
+ int chr, keysym, keycode, keycode_alt;
curses_winch_check();
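Review bot: narrowing nextchr to the block that uses it is the right fix; while touching this declaration line, it is worth checking whether keycode, keycode_alt and keysym need function scope either, since the later hunks only ever assign keycode_alt inside the per-key loop body, and the same scope-narrowing would make that clearer.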
@@ -195,15 +195,9 @@ static void curses_refresh(DisplayChangeListener *dcl)
graphic_hw_text_update(NULL, screen);
- nextchr = ERR;
while (1) {
/* while there are any pending key strokes to process */
- if (nextchr == ERR)
- chr = getch();
- else {
- chr = nextchr;
- nextchr = ERR;
- }
+ chr = getch();
if (chr == ERR)
break;
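Review bot: with the nextchr branch gone, the loop now relies solely on `if (chr == ERR) break;` to terminate, which only works when getch() is non-blocking (nodelay() or timeout() set on the window); that setup is outside this hunk, so please confirm it still applies, otherwise curses_refresh() would block in the display refresh path. Minor: the comment `/* while there are any pending key strokes to process */` now sits directly above `chr = getch();` and would read better above the `while (1)` it describes.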
@@ -224,13 +218,12 @@ static void curses_refresh(DisplayChangeListener *dcl)
/* alt key */
if (keycode == 1) {
- nextchr = getch();
+ int nextchr = getch();
if (nextchr != ERR) {
chr = nextchr;
keycode_alt = ALT;
- keycode = curses2keycode[nextchr];
- nextchr = ERR;
+ keycode = curses2keycode[chr];
if (keycode != -1) {
keycode |= ALT;
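Review bot: `keycode = curses2keycode[chr];` indexes the table with a raw getch() result that has only been compared against ERR, not against the table length; the first getch() value at the top of the loop presumably passes a range check before its own curses2keycode lookup (not visible in this hunk), and this second lookup should get the same guard, since a key value at or beyond the array size would read past the end of curses2keycode. The switch from `[nextchr]` to `[chr]` is itself behaviour-preserving because `chr = nextchr;` precedes it.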
--
1.8.3.1
* [Qemu-devel] [PULL 4/4] vnc: fix qemu crash because of SIGSEGV
From: Gerd Hoffmann @ 2016-09-13 7:06 UTC (permalink / raw)
To: qemu-devel; +Cc: Gonglei, Gerd Hoffmann, Daniel P. Berrange
From: Gonglei <arei.gonglei@huawei.com>
The backtrace is:
0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4,
access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>,
mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362,
size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377",
attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=...,
buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
0x00007f0b70d3d66d in clone () from /lib64/libc.so.6
The code path while meeting segfault:
 vnc_dpy_copy
   vnc_update_client
     vnc_disconnect_finish [while vnc_disconnect_start() is invoked because something's wrong]
       vnc_update_server_surface
         vd->server = NULL;
   vnc_server_fb_stride
     pixman_image_get_stride(vd->server)
Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid segmentation fault.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Daniel P. Berrange <berrange@redhat.com>
Reported-by: Yanying Zhuang <ann.zhuangyanying@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1472788698-120964-1-git-send-email-arei.gonglei@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/vnc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ui/vnc.c b/ui/vnc.c
index d1087c9..76a3273 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -911,6 +911,10 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
}
}
+ if (!vd->server) {
+ /* no client connected */
+ return;
+ }
/* do bitblit op on the local surface too */
pitch = vnc_server_fb_stride(vd);
src_row = vnc_server_fb_ptr(vd, src_x, src_y);
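Review bot: the comment `/* no client connected */` understates the case this guard is actually for: per the commit message, vd->server is also NULL transiently while a client is being torn down (vnc_disconnect_finish -> vnc_update_server_surface sets vd->server = NULL), which is the window in which the crash occurred, so something like "no server surface (no client, or client being disconnected)" would document the real condition. Also worth checking whether the guard belongs at the top of vnc_dpy_copy rather than after the per-client loop whose closing braces precede it in this hunk: if anything in that loop reaches vd->server, the check here comes too late.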
--
1.8.3.1