From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44439)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1bjhoA-0002Kf-F6
	for qemu-devel@nongnu.org; Tue, 13 Sep 2016 03:07:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1bjho4-0003rn-W2
	for qemu-devel@nongnu.org; Tue, 13 Sep 2016 03:07:05 -0400
Received: from mx1.redhat.com ([209.132.183.28]:48240)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1bjho4-0003rW-Nb
	for qemu-devel@nongnu.org; Tue, 13 Sep 2016 03:07:00 -0400
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 13 Sep 2016 09:06:54 +0200
Message-Id: <1473750414-16525-5-git-send-email-kraxel@redhat.com>
In-Reply-To: <1473750414-16525-1-git-send-email-kraxel@redhat.com>
References: <1473750414-16525-1-git-send-email-kraxel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PULL 4/4] vnc: fix qemu crash because of SIGSEGV
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Gonglei <arei.gonglei@huawei.com>, Gerd Hoffmann <kraxel@redhat.com>, "Daniel P. Berrange" <berrange@redhat.com>

From: Gonglei <arei.gonglei@huawei.com>

The backtrace is:

0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.=
so.0
0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=3D0x7f0b7a1a2bb0) at ui/vn=
c.c:680
vnc_dpy_copy (dcl=3D0x7f0b7a1a2c00, src_x=3D224, src_y=3D263, dst_x=3D319=
, dst_y=3D363, w=3D1, h=3D1) at ui/vnc.c:915
0x00007f0b77bbcc35 in dpy_gfx_copy (con=3D0x7f0b7a146210, src_x=3Dsrc_x@e=
ntry=3D224, src_y=3Dsrc_y@entry=3D263, dst_x=3Ddst_x@entry=3D319,
dst_y=3Ddst_y@entry=3D363, w=3D1, h=3D1) at ui/console.c:1575
0x00007f0b77bbda4e in qemu_console_copy (con=3D<optimized out>, src_x=3Ds=
rc_x@entry=3D224, src_y=3Dsrc_y@entry=3D263, dst_x=3Ddst_x@entry=3D319,
dst_y=3Ddst_y@entry=3D363, w=3D<optimized out>, h=3D<optimized out>) at u=
i/console.c:2111
0x00007f0b77ac0980 in cirrus_do_copy (h=3D<optimized out>, w=3D<optimized=
 out>, src=3D<optimized out>, dst=3D<optimized out>, s=3D0x7f0b7b086090) =
at hw/display/cirrus_vga.c:774
cirrus_bitblt_videotovideo_copy (s=3D0x7f0b7b086090) at hw/display/cirrus=
_vga.c:793
cirrus_bitblt_videotovideo (s=3D0x7f0b7b086090) at hw/display/cirrus_vga.=
c:915
cirrus_bitblt_start (s=3D0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
0x00007f0b77965cfb in memory_region_write_accessor (mr=3D0x7f0b7b096e40, =
addr=3D320, value=3D<optimized out>, size=3D1, shift=3D<optimized out>,ma=
sk=3D<optimized out>, attrs=3D...) at /root/rpmbuild/BUILD/master/qemu/me=
mory.c:525
0x00007f0b77963f59 in access_with_adjusted_size (addr=3Daddr@entry=3D320,=
 value=3Dvalue@entry=3D0x7f0b69a268d8, size=3Dsize@entry=3D4,
access_size_min=3D<optimized out>, access_size_max=3D<optimized out>, acc=
ess=3Daccess@entry=3D0x7f0b77965c80 <memory_region_write_accessor>,
mr=3Dmr@entry=3D0x7f0b7b096e40, attrs=3Dattrs@entry=3D...) at /root/rpmbu=
ild/BUILD/master/qemu/memory.c:591
0x00007f0b77968315 in memory_region_dispatch_write (mr=3Dmr@entry=3D0x7f0=
b7b096e40, addr=3Daddr@entry=3D320, data=3D18446744073709551362,
size=3Dsize@entry=3D4, attrs=3Dattrs@entry=3D...) at /root/rpmbuild/BUILD=
/master/qemu/memory.c:1262
0x00007f0b779256a9 in address_space_write_continue (mr=3D0x7f0b7b096e40, =
l=3D4, addr1=3D320, len=3D4, buf=3D0x7f0b77713028 "\002\377\377\377",
attrs=3D..., addr=3D4273930560, as=3D0x7f0b7827d280 <address_space_memory=
>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
address_space_write (as=3D<optimized out>, addr=3D<optimized out>, attrs=3D=
..., buf=3D<optimized out>, len=3D<optimized out>) at /root/rpmbuild/BUIL=
D/master/qemu/exec.c:2601
0x00007f0b77925c1d in address_space_rw (as=3D<optimized out>, addr=3D<opt=
imized out>, attrs=3D..., attrs@entry=3D...,
buf=3Dbuf@entry=3D0x7f0b77713028 "\002\377\377\377", len=3D<optimized out=
>, is_write=3D<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c=
:2703
0x00007f0b77962f53 in kvm_cpu_exec (cpu=3Dcpu@entry=3D0x7f0b79fcc2d0) at =
/root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=3D0x7f0b79fcc2d0) at /r=
oot/rpmbuild/BUILD/master/qemu/cpus.c:1078
0x00007f0b744b3dc5 in start_thread (arg=3D0x7f0b69a27700) at pthread_crea=
te.c:308
0x00007f0b70d3d66d in clone () from /lib64/libc.so.6

The code path while meeting segfault:
 vnc_dpy_copy
   vnc_update_client
     vnc_disconnect_finish [while vnc_disconnect_start() is invoked becau=
se somethins wrong]
       vnc_update_server_surface
         vd->server =3D NULL;
   vnc_server_fb_stride
     pixman_image_get_stride(vd->server)

Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid=
 segmentation fault.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Daniel P. Berrange <berrange@redhat.com>
Reported-by: Yanying Zhuang <ann.zhuangyanying@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Marc-Andr=C3=A9 Lureau <marcandre.lureau@redhat.com>
Message-id: 1472788698-120964-1-git-send-email-arei.gonglei@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/vnc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index d1087c9..76a3273 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -911,6 +911,10 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
         }
     }
=20
+    if (!vd->server) {
+        /* no client connected */
+        return;
+    }
     /* do bitblit op on the local surface too */
     pitch =3D vnc_server_fb_stride(vd);
     src_row =3D vnc_server_fb_ptr(vd, src_x, src_y);
--=20
1.8.3.1