* [PATCH v2 0/4] ui/console: chardev backend improvements
@ 2021-09-16 19:21 Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 1/4] ui/console: replace QEMUFIFO with Fifo8 Volker Rümelin
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Volker Rümelin @ 2021-09-16 19:21 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Marc-André Lureau, qemu-devel
A few things I learnt while writing a fix for a chardev bug
in the GTK backend.
v2:
Patch "ui/console: replace QEMUFIFO with Fifo8". Renamed the
variable free to num_free to help reading the code. (Marc-André)
New patch "ui/console: prevent use after free error".
ui/gtk.c needs a similar patch. I'll take care of it.
Volker Rümelin (4):
ui/console: replace QEMUFIFO with Fifo8
ui/console: replace kbd_timer with chr_accept_input callback
ui/console: remove chardev frontend connected test
ui/console: prevent use after free error
ui/console.c | 110 ++++++++++++++-------------------------------------
1 file changed, 30 insertions(+), 80 deletions(-)
--
2.31.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 1/4] ui/console: replace QEMUFIFO with Fifo8
2021-09-16 19:21 [PATCH v2 0/4] ui/console: chardev backend improvements Volker Rümelin
@ 2021-09-16 19:22 ` Volker Rümelin
2021-09-17 17:01 ` Marc-André Lureau
2021-09-16 19:22 ` [PATCH v2 2/4] ui/console: replace kbd_timer with chr_accept_input callback Volker Rümelin
` (2 subsequent siblings)
3 siblings, 1 reply; 7+ messages in thread
From: Volker Rümelin @ 2021-09-16 19:22 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Marc-André Lureau, qemu-devel
One of the two FIFO implementations QEMUFIFO and Fifo8 is
redundant. Replace QEMUFIFO with Fifo8.
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
---
ui/console.c | 86 ++++++++++++----------------------------------------
1 file changed, 20 insertions(+), 66 deletions(-)
diff --git a/ui/console.c b/ui/console.c
index eabbbc951c..d2433c0636 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -27,6 +27,7 @@
#include "hw/qdev-core.h"
#include "qapi/error.h"
#include "qapi/qapi-commands-ui.h"
+#include "qemu/fifo8.h"
#include "qemu/module.h"
#include "qemu/option.h"
#include "qemu/timer.h"
@@ -62,57 +63,6 @@ enum TTYState {
TTY_STATE_CSI,
};
-typedef struct QEMUFIFO {
- uint8_t *buf;
- int buf_size;
- int count, wptr, rptr;
-} QEMUFIFO;
-
-static int qemu_fifo_write(QEMUFIFO *f, const uint8_t *buf, int len1)
-{
- int l, len;
-
- l = f->buf_size - f->count;
- if (len1 > l)
- len1 = l;
- len = len1;
- while (len > 0) {
- l = f->buf_size - f->wptr;
- if (l > len)
- l = len;
- memcpy(f->buf + f->wptr, buf, l);
- f->wptr += l;
- if (f->wptr >= f->buf_size)
- f->wptr = 0;
- buf += l;
- len -= l;
- }
- f->count += len1;
- return len1;
-}
-
-static int qemu_fifo_read(QEMUFIFO *f, uint8_t *buf, int len1)
-{
- int l, len;
-
- if (len1 > f->count)
- len1 = f->count;
- len = len1;
- while (len > 0) {
- l = f->buf_size - f->rptr;
- if (l > len)
- l = len;
- memcpy(buf, f->buf + f->rptr, l);
- f->rptr += l;
- if (f->rptr >= f->buf_size)
- f->rptr = 0;
- buf += l;
- len -= l;
- }
- f->count -= len1;
- return len1;
-}
-
typedef enum {
GRAPHIC_CONSOLE,
TEXT_CONSOLE,
@@ -165,8 +115,7 @@ struct QemuConsole {
Chardev *chr;
/* fifo for key pressed */
- QEMUFIFO out_fifo;
- uint8_t out_fifo_buf[16];
+ Fifo8 out_fifo;
QEMUTimer *kbd_timer;
CoQueue dump_queue;
@@ -1160,21 +1109,25 @@ static int vc_chr_write(Chardev *chr, const uint8_t *buf, int len)
static void kbd_send_chars(void *opaque)
{
QemuConsole *s = opaque;
- int len;
- uint8_t buf[16];
+ uint32_t len, avail;
len = qemu_chr_be_can_write(s->chr);
- if (len > s->out_fifo.count)
- len = s->out_fifo.count;
- if (len > 0) {
- if (len > sizeof(buf))
- len = sizeof(buf);
- qemu_fifo_read(&s->out_fifo, buf, len);
- qemu_chr_be_write(s->chr, buf, len);
+ avail = fifo8_num_used(&s->out_fifo);
+ if (len > avail) {
+ len = avail;
+ }
+ while (len > 0) {
+ const uint8_t *buf;
+ uint32_t size;
+
+ buf = fifo8_pop_buf(&s->out_fifo, len, &size);
+ qemu_chr_be_write(s->chr, (uint8_t *)buf, size);
+ len -= size;
+ avail -= size;
}
/* characters are pending: we send them a bit later (XXX:
horrible, should change char device API) */
- if (s->out_fifo.count > 0) {
+ if (avail > 0) {
timer_mod(s->kbd_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + 1);
}
}
@@ -1185,6 +1138,7 @@ void kbd_put_keysym_console(QemuConsole *s, int keysym)
uint8_t buf[16], *q;
CharBackend *be;
int c;
+ uint32_t num_free;
if (!s || (s->console_type == GRAPHIC_CONSOLE))
return;
@@ -1228,7 +1182,8 @@ void kbd_put_keysym_console(QemuConsole *s, int keysym)
}
be = s->chr->be;
if (be && be->chr_read) {
- qemu_fifo_write(&s->out_fifo, buf, q - buf);
+ num_free = fifo8_num_free(&s->out_fifo);
+ fifo8_push_all(&s->out_fifo, buf, MIN(num_free, q - buf));
kbd_send_chars(s);
}
break;
@@ -2233,8 +2188,7 @@ static void text_console_do_init(Chardev *chr, DisplayState *ds)
int g_width = 80 * FONT_WIDTH;
int g_height = 24 * FONT_HEIGHT;
- s->out_fifo.buf = s->out_fifo_buf;
- s->out_fifo.buf_size = sizeof(s->out_fifo_buf);
+ fifo8_create(&s->out_fifo, 16);
s->kbd_timer = timer_new_ms(QEMU_CLOCK_REALTIME, kbd_send_chars, s);
s->ds = ds;
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 2/4] ui/console: replace kbd_timer with chr_accept_input callback
2021-09-16 19:21 [PATCH v2 0/4] ui/console: chardev backend improvements Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 1/4] ui/console: replace QEMUFIFO with Fifo8 Volker Rümelin
@ 2021-09-16 19:22 ` Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 3/4] ui/console: remove chardev frontend connected test Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 4/4] ui/console: prevent use after free error Volker Rümelin
3 siblings, 0 replies; 7+ messages in thread
From: Volker Rümelin @ 2021-09-16 19:22 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Marc-André Lureau, qemu-devel
There's a ChardevClass chr_accept_input() callback function that
can replace the write retry timer.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
---
ui/console.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/ui/console.c b/ui/console.c
index d2433c0636..dda1e6861d 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -116,7 +116,6 @@ struct QemuConsole {
Chardev *chr;
/* fifo for key pressed */
Fifo8 out_fifo;
- QEMUTimer *kbd_timer;
CoQueue dump_queue;
QTAILQ_ENTRY(QemuConsole) next;
@@ -1106,30 +1105,21 @@ static int vc_chr_write(Chardev *chr, const uint8_t *buf, int len)
return len;
}
-static void kbd_send_chars(void *opaque)
+static void kbd_send_chars(QemuConsole *s)
{
- QemuConsole *s = opaque;
uint32_t len, avail;
len = qemu_chr_be_can_write(s->chr);
avail = fifo8_num_used(&s->out_fifo);
- if (len > avail) {
- len = avail;
- }
- while (len > 0) {
+ while (len > 0 && avail > 0) {
const uint8_t *buf;
uint32_t size;
- buf = fifo8_pop_buf(&s->out_fifo, len, &size);
+ buf = fifo8_pop_buf(&s->out_fifo, MIN(len, avail), &size);
qemu_chr_be_write(s->chr, (uint8_t *)buf, size);
- len -= size;
+ len = qemu_chr_be_can_write(s->chr);
avail -= size;
}
- /* characters are pending: we send them a bit later (XXX:
- horrible, should change char device API) */
- if (avail > 0) {
- timer_mod(s->kbd_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + 1);
- }
}
/* called when an ascii key is pressed */
@@ -2141,6 +2131,14 @@ int qemu_console_get_height(QemuConsole *con, int fallback)
return con ? surface_height(con->surface) : fallback;
}
+static void vc_chr_accept_input(Chardev *chr)
+{
+ VCChardev *drv = VC_CHARDEV(chr);
+ QemuConsole *s = drv->console;
+
+ kbd_send_chars(s);
+}
+
static void vc_chr_set_echo(Chardev *chr, bool echo)
{
VCChardev *drv = VC_CHARDEV(chr);
@@ -2189,7 +2187,6 @@ static void text_console_do_init(Chardev *chr, DisplayState *ds)
int g_height = 24 * FONT_HEIGHT;
fifo8_create(&s->out_fifo, 16);
- s->kbd_timer = timer_new_ms(QEMU_CLOCK_REALTIME, kbd_send_chars, s);
s->ds = ds;
s->y_displayed = 0;
@@ -2439,6 +2436,7 @@ static void char_vc_class_init(ObjectClass *oc, void *data)
cc->parse = qemu_chr_parse_vc;
cc->open = vc_chr_open;
cc->chr_write = vc_chr_write;
+ cc->chr_accept_input = vc_chr_accept_input;
cc->chr_set_echo = vc_chr_set_echo;
}
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 3/4] ui/console: remove chardev frontend connected test
2021-09-16 19:21 [PATCH v2 0/4] ui/console: chardev backend improvements Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 1/4] ui/console: replace QEMUFIFO with Fifo8 Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 2/4] ui/console: replace kbd_timer with chr_accept_input callback Volker Rümelin
@ 2021-09-16 19:22 ` Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 4/4] ui/console: prevent use after free error Volker Rümelin
3 siblings, 0 replies; 7+ messages in thread
From: Volker Rümelin @ 2021-09-16 19:22 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Marc-André Lureau, qemu-devel
The test if the chardev frontend is connected in
kbd_put_keysym_console() is redundant, because the call
to qemu_chr_be_can_write() in kbd_send_chars() tests
the connected condition again.
Remove the redundant test whether the chardev frontend
is connected.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
---
ui/console.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/ui/console.c b/ui/console.c
index dda1e6861d..29a3e3f0f5 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -28,10 +28,11 @@
#include "qapi/error.h"
#include "qapi/qapi-commands-ui.h"
#include "qemu/fifo8.h"
+#include "qemu/main-loop.h"
#include "qemu/module.h"
#include "qemu/option.h"
#include "qemu/timer.h"
-#include "chardev/char-fe.h"
+#include "chardev/char.h"
#include "trace.h"
#include "exec/memory.h"
#include "io/channel-file.h"
@@ -1126,7 +1127,6 @@ static void kbd_send_chars(QemuConsole *s)
void kbd_put_keysym_console(QemuConsole *s, int keysym)
{
uint8_t buf[16], *q;
- CharBackend *be;
int c;
uint32_t num_free;
@@ -1170,12 +1170,9 @@ void kbd_put_keysym_console(QemuConsole *s, int keysym)
if (s->echo) {
vc_chr_write(s->chr, buf, q - buf);
}
- be = s->chr->be;
- if (be && be->chr_read) {
- num_free = fifo8_num_free(&s->out_fifo);
- fifo8_push_all(&s->out_fifo, buf, MIN(num_free, q - buf));
- kbd_send_chars(s);
- }
+ num_free = fifo8_num_free(&s->out_fifo);
+ fifo8_push_all(&s->out_fifo, buf, MIN(num_free, q - buf));
+ kbd_send_chars(s);
break;
}
}
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 4/4] ui/console: prevent use after free error
2021-09-16 19:21 [PATCH v2 0/4] ui/console: chardev backend improvements Volker Rümelin
` (2 preceding siblings ...)
2021-09-16 19:22 ` [PATCH v2 3/4] ui/console: remove chardev frontend connected test Volker Rümelin
@ 2021-09-16 19:22 ` Volker Rümelin
2021-09-17 17:08 ` Marc-André Lureau
3 siblings, 1 reply; 7+ messages in thread
From: Volker Rümelin @ 2021-09-16 19:22 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Marc-André Lureau, qemu-devel
Make chr in the QemuConsole object a strong reference to the
referenced chardev device. This prevents a use after free error
if the chardev device goes away unexpectedly.
To reproduce the error start qemu-system built with address
sanitizer with the the following command line options.
-display sdl -chardev vc,id=test0,cols=132,rows=50.
Open the monitor console with CTRL-ALT-3 and remove the
unconnected chardev device test0.
(qemu) chardev-remove test0
Open the text console test0 with CTRL-ALT-2 and type a character.
QEMU immediately exits with this error message.
==28148==ERROR: AddressSanitizer: heap-use-after-free
on address 0x60e000043778 at pc 0x558712ba7125
bp 0x7fff270980b0 sp 0x7fff270980a8
READ of size 8 at 0x60e000043778 thread T0
#0 0x558712ba7124 in qemu_chr_be_can_write
../qemu-master/chardev/char.c:188
#1 0x558711624770 in kbd_send_chars
../qemu-master/ui/console.c:1113
#2 0x558711634e91 in kbd_put_keysym_console
../qemu-master/ui/console.c:1175
#3 0x55871163532a in kbd_put_string_console
../qemu-master/ui/console.c:1221
#4 0x5587120a21e4 in handle_textinput
../qemu-master/ui/sdl2.c:464
#5 0x5587120a21e4 in sdl2_poll_events
../qemu-master/ui/sdl2.c:650
#6 0x5587116269c3 in dpy_refresh
../qemu-master/ui/console.c:1673
#7 0x5587116269c3 in gui_update
../qemu-master/ui/console.c:158
#8 0x558712d3a919 in timerlist_run_timers
../qemu-master/util/qemu-timer.c:573
#9 0x558712d3b183 in qemu_clock_run_timers
../qemu-master/util/qemu-timer.c:587
#10 0x558712d3b183 in qemu_clock_run_all_timers
../qemu-master/util/qemu-timer.c:669
#11 0x558712d286d9 in main_loop_wait
../qemu-master/util/main-loop.c:542
#12 0x5587123d313b in qemu_main_loop
../qemu-master/softmmu/runstate.c:726
#13 0x5587115f989d in main
../qemu-master/softmmu/main.c:50
#14 0x7f832ee0934c in __libc_start_main
(/lib64/libc.so.6+0x2534c)
#15 0x55871160b6e9 in _start
(/home/ruemelin/rpmbuild/BUILD/qemu-6.1.50-build/
qemu-system-x86_64+0x1f4f6e9)
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
---
ui/console.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ui/console.c b/ui/console.c
index 29a3e3f0f5..1ef5a96295 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -2264,6 +2264,7 @@ static void vc_chr_open(Chardev *chr,
}
s->chr = chr;
+ object_ref(chr);
drv->console = s;
if (display_state) {
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/4] ui/console: replace QEMUFIFO with Fifo8
2021-09-16 19:22 ` [PATCH v2 1/4] ui/console: replace QEMUFIFO with Fifo8 Volker Rümelin
@ 2021-09-17 17:01 ` Marc-André Lureau
0 siblings, 0 replies; 7+ messages in thread
From: Marc-André Lureau @ 2021-09-17 17:01 UTC (permalink / raw)
To: Volker Rümelin; +Cc: Gerd Hoffmann, qemu-devel
[-- Attachment #1: Type: text/plain, Size: 4793 bytes --]
On Thu, Sep 16, 2021 at 11:22 PM Volker Rümelin <vr_qemu@t-online.de> wrote:
> One of the two FIFO implementations QEMUFIFO and Fifo8 is
> redundant. Replace QEMUFIFO with Fifo8.
>
> Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
> ui/console.c | 86 ++++++++++++----------------------------------------
> 1 file changed, 20 insertions(+), 66 deletions(-)
>
> diff --git a/ui/console.c b/ui/console.c
> index eabbbc951c..d2433c0636 100644
> --- a/ui/console.c
> +++ b/ui/console.c
> @@ -27,6 +27,7 @@
> #include "hw/qdev-core.h"
> #include "qapi/error.h"
> #include "qapi/qapi-commands-ui.h"
> +#include "qemu/fifo8.h"
> #include "qemu/module.h"
> #include "qemu/option.h"
> #include "qemu/timer.h"
> @@ -62,57 +63,6 @@ enum TTYState {
> TTY_STATE_CSI,
> };
>
> -typedef struct QEMUFIFO {
> - uint8_t *buf;
> - int buf_size;
> - int count, wptr, rptr;
> -} QEMUFIFO;
> -
> -static int qemu_fifo_write(QEMUFIFO *f, const uint8_t *buf, int len1)
> -{
> - int l, len;
> -
> - l = f->buf_size - f->count;
> - if (len1 > l)
> - len1 = l;
> - len = len1;
> - while (len > 0) {
> - l = f->buf_size - f->wptr;
> - if (l > len)
> - l = len;
> - memcpy(f->buf + f->wptr, buf, l);
> - f->wptr += l;
> - if (f->wptr >= f->buf_size)
> - f->wptr = 0;
> - buf += l;
> - len -= l;
> - }
> - f->count += len1;
> - return len1;
> -}
> -
> -static int qemu_fifo_read(QEMUFIFO *f, uint8_t *buf, int len1)
> -{
> - int l, len;
> -
> - if (len1 > f->count)
> - len1 = f->count;
> - len = len1;
> - while (len > 0) {
> - l = f->buf_size - f->rptr;
> - if (l > len)
> - l = len;
> - memcpy(buf, f->buf + f->rptr, l);
> - f->rptr += l;
> - if (f->rptr >= f->buf_size)
> - f->rptr = 0;
> - buf += l;
> - len -= l;
> - }
> - f->count -= len1;
> - return len1;
> -}
> -
> typedef enum {
> GRAPHIC_CONSOLE,
> TEXT_CONSOLE,
> @@ -165,8 +115,7 @@ struct QemuConsole {
>
> Chardev *chr;
> /* fifo for key pressed */
> - QEMUFIFO out_fifo;
> - uint8_t out_fifo_buf[16];
> + Fifo8 out_fifo;
> QEMUTimer *kbd_timer;
> CoQueue dump_queue;
>
> @@ -1160,21 +1109,25 @@ static int vc_chr_write(Chardev *chr, const
> uint8_t *buf, int len)
> static void kbd_send_chars(void *opaque)
> {
> QemuConsole *s = opaque;
> - int len;
> - uint8_t buf[16];
> + uint32_t len, avail;
>
> len = qemu_chr_be_can_write(s->chr);
> - if (len > s->out_fifo.count)
> - len = s->out_fifo.count;
> - if (len > 0) {
> - if (len > sizeof(buf))
> - len = sizeof(buf);
> - qemu_fifo_read(&s->out_fifo, buf, len);
> - qemu_chr_be_write(s->chr, buf, len);
> + avail = fifo8_num_used(&s->out_fifo);
> + if (len > avail) {
> + len = avail;
> + }
> + while (len > 0) {
> + const uint8_t *buf;
> + uint32_t size;
> +
> + buf = fifo8_pop_buf(&s->out_fifo, len, &size);
> + qemu_chr_be_write(s->chr, (uint8_t *)buf, size);
> + len -= size;
> + avail -= size;
> }
> /* characters are pending: we send them a bit later (XXX:
> horrible, should change char device API) */
> - if (s->out_fifo.count > 0) {
> + if (avail > 0) {
> timer_mod(s->kbd_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
> 1);
> }
> }
> @@ -1185,6 +1138,7 @@ void kbd_put_keysym_console(QemuConsole *s, int
> keysym)
> uint8_t buf[16], *q;
> CharBackend *be;
> int c;
> + uint32_t num_free;
>
> if (!s || (s->console_type == GRAPHIC_CONSOLE))
> return;
> @@ -1228,7 +1182,8 @@ void kbd_put_keysym_console(QemuConsole *s, int
> keysym)
> }
> be = s->chr->be;
> if (be && be->chr_read) {
> - qemu_fifo_write(&s->out_fifo, buf, q - buf);
> + num_free = fifo8_num_free(&s->out_fifo);
> + fifo8_push_all(&s->out_fifo, buf, MIN(num_free, q - buf));
> kbd_send_chars(s);
> }
> break;
> @@ -2233,8 +2188,7 @@ static void text_console_do_init(Chardev *chr,
> DisplayState *ds)
> int g_width = 80 * FONT_WIDTH;
> int g_height = 24 * FONT_HEIGHT;
>
> - s->out_fifo.buf = s->out_fifo_buf;
> - s->out_fifo.buf_size = sizeof(s->out_fifo_buf);
> + fifo8_create(&s->out_fifo, 16);
> s->kbd_timer = timer_new_ms(QEMU_CLOCK_REALTIME, kbd_send_chars, s);
> s->ds = ds;
>
> --
> 2.31.1
>
>
[-- Attachment #2: Type: text/html, Size: 6327 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 4/4] ui/console: prevent use after free error
2021-09-16 19:22 ` [PATCH v2 4/4] ui/console: prevent use after free error Volker Rümelin
@ 2021-09-17 17:08 ` Marc-André Lureau
0 siblings, 0 replies; 7+ messages in thread
From: Marc-André Lureau @ 2021-09-17 17:08 UTC (permalink / raw)
To: Volker Rümelin; +Cc: Gerd Hoffmann, QEMU
[-- Attachment #1: Type: text/plain, Size: 3058 bytes --]
Hi
On Thu, Sep 16, 2021 at 11:29 PM Volker Rümelin <vr_qemu@t-online.de> wrote:
> Make chr in the QemuConsole object a strong reference to the
> referenced chardev device. This prevents a use after free error
> if the chardev device goes away unexpectedly.
>
> To reproduce the error start qemu-system built with address
> sanitizer with the the following command line options.
>
> -display sdl -chardev vc,id=test0,cols=132,rows=50.
>
> Open the monitor console with CTRL-ALT-3 and remove the
> unconnected chardev device test0.
>
> (qemu) chardev-remove test0
>
> Open the text console test0 with CTRL-ALT-2 and type a character.
> QEMU immediately exits with this error message.
>
Hmm, why is it not busy like the other chardevs?
> ==28148==ERROR: AddressSanitizer: heap-use-after-free
> on address 0x60e000043778 at pc 0x558712ba7125
> bp 0x7fff270980b0 sp 0x7fff270980a8
> READ of size 8 at 0x60e000043778 thread T0
> #0 0x558712ba7124 in qemu_chr_be_can_write
> ../qemu-master/chardev/char.c:188
> #1 0x558711624770 in kbd_send_chars
> ../qemu-master/ui/console.c:1113
> #2 0x558711634e91 in kbd_put_keysym_console
> ../qemu-master/ui/console.c:1175
> #3 0x55871163532a in kbd_put_string_console
> ../qemu-master/ui/console.c:1221
> #4 0x5587120a21e4 in handle_textinput
> ../qemu-master/ui/sdl2.c:464
> #5 0x5587120a21e4 in sdl2_poll_events
> ../qemu-master/ui/sdl2.c:650
> #6 0x5587116269c3 in dpy_refresh
> ../qemu-master/ui/console.c:1673
> #7 0x5587116269c3 in gui_update
> ../qemu-master/ui/console.c:158
> #8 0x558712d3a919 in timerlist_run_timers
> ../qemu-master/util/qemu-timer.c:573
> #9 0x558712d3b183 in qemu_clock_run_timers
> ../qemu-master/util/qemu-timer.c:587
> #10 0x558712d3b183 in qemu_clock_run_all_timers
> ../qemu-master/util/qemu-timer.c:669
> #11 0x558712d286d9 in main_loop_wait
> ../qemu-master/util/main-loop.c:542
> #12 0x5587123d313b in qemu_main_loop
> ../qemu-master/softmmu/runstate.c:726
> #13 0x5587115f989d in main
> ../qemu-master/softmmu/main.c:50
> #14 0x7f832ee0934c in __libc_start_main
> (/lib64/libc.so.6+0x2534c)
> #15 0x55871160b6e9 in _start
> (/home/ruemelin/rpmbuild/BUILD/qemu-6.1.50-build/
> qemu-system-x86_64+0x1f4f6e9)
>
> Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
> ---
> ui/console.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/ui/console.c b/ui/console.c
> index 29a3e3f0f5..1ef5a96295 100644
> --- a/ui/console.c
> +++ b/ui/console.c
> @@ -2264,6 +2264,7 @@ static void vc_chr_open(Chardev *chr,
> }
>
> s->chr = chr;
> + object_ref(chr);
> drv->console = s;
>
> if (display_state) {
>
Isn't this effectively preventing removing the chardev? Hence, it should
either be made busy, or keeping a weak pointer invalidated on
instance_finalize imho.
thanks
--
Marc-André Lureau
[-- Attachment #2: Type: text/html, Size: 3972 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-09-17 17:11 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-16 19:21 [PATCH v2 0/4] ui/console: chardev backend improvements Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 1/4] ui/console: replace QEMUFIFO with Fifo8 Volker Rümelin
2021-09-17 17:01 ` Marc-André Lureau
2021-09-16 19:22 ` [PATCH v2 2/4] ui/console: replace kbd_timer with chr_accept_input callback Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 3/4] ui/console: remove chardev frontend connected test Volker Rümelin
2021-09-16 19:22 ` [PATCH v2 4/4] ui/console: prevent use after free error Volker Rümelin
2021-09-17 17:08 ` Marc-André Lureau
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.