From: "Denis V. Lunev" <den@openvz.org>
Cc: qemu-devel@nongnu.org, qemu-stable@nongnu.org,
"Denis V. Lunev" <den@openvz.org>, John Snow <jsnow@redhat.com>,
Kevin Wolf <kwolf@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PATCH 2/2] ide: fix crash in IDE cdrom read
Date: Tue, 28 Nov 2017 15:10:55 +0300 [thread overview]
Message-ID: <20171128121055.6954-3-den@openvz.org> (raw)
In-Reply-To: <20171128121055.6954-1-den@openvz.org>
There is the following crash reported from the field in QEMU 2.9:
bdrv_inc_in_flight (bs=bs@entry=0x0)
blk_aio_prwv
blk_aio_preadv
ide_buffered_readv
cd_read_sector
ide_data_readw
portio_read
memory_region_read_accessor
access_with_adjusted_size
memory_region_dispatch_read1
memory_region_dispatch_read
address_space_read_continue
address_space_read_full
address_space_read
address_space_rw
kvm_handle_io
kvm_cpu_exec
qemu_kvm_cpu_thread_fn
start_thread
clone
Indeed, the CDROM device without media has blk->bs == NULL. We should
check that the media is really available for the device, as has been done
in the SCSI code.
Maybe the patch adds a bit more checking than necessary, but this is not
the problem. We should always stay on the safe side.
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: John Snow <jsnow@redhat.com>
CC: Kevin Wolf <kwolf@redhat.com>
CC: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/ide/atapi.c | 32 ++++++++++++++++++++++++++++----
hw/ide/core.c | 4 ++--
2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
index c0509c8bf5..fa50c0ccf6 100644
--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
@@ -119,6 +119,11 @@ cd_read_sector_sync(IDEState *s)
trace_cd_read_sector_sync(s->lba);
+ if (!blk_is_available(s->blk)) {
+ ret = -ENOMEDIUM;
+ goto fail;
+ }
+
switch (s->cd_sector_size) {
case 2048:
ret = blk_pread(s->blk, (int64_t)s->lba << ATAPI_SECTOR_BITS,
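Review bot: the new `blk_is_available()` check in this hunk is the one that closes the reported NULL `bs` dereference on the synchronous path, but it routes a missing medium through the same `fail` label as a malformed request, so the failure is accounted as `BLOCK_ACCT_READ` "invalid" rather than as a no-medium condition; worth a one-line comment above the check saying that `-ENOMEDIUM` is deliberately counted as an invalid request, since a reader of the accounting counters will otherwise not be able to tell the two apart.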
@@ -132,8 +137,8 @@ cd_read_sector_sync(IDEState *s)
}
break;
default:
- block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ);
- return -EIO;
+ ret = -EIO;
+ goto fail;
}
if (ret < 0) {
@@ -145,6 +150,10 @@ cd_read_sector_sync(IDEState *s)
}
return ret;
+
+fail:
+ block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ);
+ return ret;
}
static void cd_read_sector_cb(void *opaque, int ret)
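Review bot: the new `fail:` label calls `blk_get_stats(s->blk)` after `blk_is_available()` has already returned false, so it should be stated (in a comment or the commit message) why this is safe when the crash being fixed is a NULL `bs`: `blk_get_stats()` only returns the stats embedded in the `BlockBackend` itself and never touches the attached `BlockDriverState`, so it does not hit the `bdrv_inc_in_flight(bs=0x0)` path from the backtrace. Without that note the label looks like it re-introduces the same class of bug it is fixing.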
@@ -174,9 +183,15 @@ static void cd_read_sector_cb(void *opaque, int ret)
static int cd_read_sector(IDEState *s)
{
+ int err;
+
if (s->cd_sector_size != 2048 && s->cd_sector_size != 2352) {
- block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ);
- return -EINVAL;
+ err = -EINVAL;
+ goto fail;
+ }
+ if (!blk_is_available(s->blk)) {
+ err = -ENOMEDIUM;
+ goto fail;
}
s->iov.iov_base = (s->cd_sector_size == 2352) ?
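Review bot: `-ENOMEDIUM` from `cd_read_sector()` is a new return value for this function, and the hunk does not show how its caller turns it into an ATAPI status; please confirm that the existing error path reports it as a "medium not present" style sense rather than a generic I/O error, and add that to the commit message, since this is what the guest will observe once the crash is gone. Also, because this path is asynchronous (the `ide_buffered_readv` in the trace is issued after this check), it would help to note in the commit message that a later eject is handled by the completion callback receiving an error, so the check here only needs to cover the submit side.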
@@ -195,6 +210,10 @@ static int cd_read_sector(IDEState *s)
s->status |= BUSY_STAT;
return 0;
+
+fail:
+ block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ);
+ return err;
}
void ide_atapi_cmd_ok(IDEState *s)
@@ -404,6 +423,11 @@ static void ide_atapi_cmd_read_dma_cb(void *opaque, int ret)
goto eot;
}
+ if (!blk_is_available(s->blk)) {
+ ide_atapi_cmd_read_dma_cb(s, -ENOMEDIUM);
+ return;
+ }
+
s->io_buffer_index = 0;
if (s->cd_sector_size == 2352) {
n = 1;
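Review bot: the `-ENOMEDIUM` handling in this hunk re-enters `ide_atapi_cmd_read_dma_cb()` recursively with an error code instead of jumping to the error handling directly, while the line just above uses `goto eot;` for its own error case; a direct jump (or whatever label the `ret < 0` branch at the top of the callback uses) would be easier to follow and avoids a reader having to verify that the re-entry with a negative `ret` cannot reach this same check again. If the recursive call is kept, a short comment explaining that it exists to reuse the callback's own `ret < 0` error path would make the intent clear.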
diff --git a/hw/ide/core.c b/hw/ide/core.c
index 471d0c928b..71780fc9d1 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -758,7 +758,7 @@ static void ide_sector_read(IDEState *s)
trace_ide_sector_read(sector_num, n);
- if (!ide_sect_range_ok(s, sector_num, n)) {
+ if (!ide_sect_range_ok(s, sector_num, n) || !blk_is_available(s->blk)) {
ide_rw_error(s);
block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ);
return;
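Review bot: this hunk extends the fix to the hard-disk read path, which is outside the ATAPI path in the reported backtrace; the commit message admits the patch "adds a bit more checking than necessary" but does not say when a non-removable IDE drive can have an unavailable `blk`, so please document that case (or state that it is purely defensive) so the change is not mistaken for a second bug report. Note also that the failure is reported via `ide_rw_error()` and accounted as an invalid read, the same way an out-of-range access is, which is reasonable but worth a comment.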
@@ -1023,7 +1023,7 @@ static void ide_sector_write(IDEState *s)
trace_ide_sector_write(sector_num, n);
- if (!ide_sect_range_ok(s, sector_num, n)) {
+ if (!ide_sect_range_ok(s, sector_num, n) || !blk_is_available(s->blk)) {
ide_rw_error(s);
block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_WRITE);
return;
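Review bot: same point as for `ide_sector_read()`: the `|| !blk_is_available(s->blk)` added to the write path is defensive rather than tied to the reported crash, so the commit message should say so, and the error is surfaced through `ide_rw_error()` plus `BLOCK_ACCT_WRITE` invalid accounting exactly like a bad sector range. Consider also mentioning in the commit message that the two `core.c` hunks are independent of the `atapi.c` fix so a stable backport can pick them separately if desired.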
--
2.11.0
2017-11-28 12:10 [Qemu-devel] [PATCH for 2.11 0/2] QEMU crashes with CD device without media Denis V. Lunev
2017-11-28 12:10 ` [Qemu-devel] [PATCH 1/2] hmp: block qemu-io command for " Denis V. Lunev
2017-11-30 16:22 ` Stefan Hajnoczi
2017-11-28 12:10 ` Denis V. Lunev [this message]
2017-11-28 16:56 ` [Qemu-devel] [PATCH 2/2] ide: fix crash in IDE cdrom read Kevin Wolf
2017-11-28 17:26 ` Denis V. Lunev
2017-11-28 23:50 ` John Snow
2017-11-30 12:01 ` Denis V. Lunev
2017-12-12 23:40 ` John Snow
2017-12-14 11:29 ` Denis V. Lunev
2017-12-18 17:49 ` John Snow
2018-01-24 10:25 ` Denis V. Lunev
2017-11-28 16:08 ` [Qemu-devel] [PATCH for 2.11 0/2] QEMU crashes with CD device without media Kevin Wolf
2017-11-28 16:29 ` Denis V. Lunev
2017-11-28 17:01 ` John Snow
2017-11-28 17:28 ` Peter Maydell
2017-11-28 18:40 ` Denis V. Lunev
2017-12-11 10:24 ` Denis V. Lunev
2017-12-11 18:26 ` John Snow
2018-03-13 17:18 ` John Snow
2018-03-13 17:25 ` Denis V. Lunev