References: <1472788698-120964-1-git-send-email-arei.gonglei@huawei.com>
In-Reply-To: <1472788698-120964-1-git-send-email-arei.gonglei@huawei.com>
From: Marc-André Lureau
Date: Fri, 02 Sep 2016 08:38:48 +0000
Subject: Re: [Qemu-devel] [PATCH for-2.7] vnc: fix qemu crash because of SIGSEGV
To: Gonglei, qemu-devel@nongnu.org
Cc: weidong.huang@huawei.com, Gerd Hoffmann

Hi

On Fri, Sep 2, 2016 at 8:00 AM Gonglei wrote:
> The backtrace is:
>
> 0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
> 0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
> vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
> 0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319, dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
> 0x00007f0b77bbda4e in qemu_console_copy (con=, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319, dst_y=dst_y@entry=363, w=, h=) at ui/console.c:2111
> 0x00007f0b77ac0980 in cirrus_do_copy (h=, w=<optimized out>, src=, dst=, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
> cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
> cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
> cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
> 0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=, size=1, shift=<optimized out>, mask=, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
> 0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4, access_size_min=, access_size_max=, access=access@entry=0x7f0b77965c80 , mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
> 0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362, size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
> 0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377", attrs=..., addr=4273930560, as=0x7f0b7827d280 ) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
> address_space_write (as=, addr=, attrs=..., buf=, len=) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
> 0x00007f0b77925c1d in address_space_rw (as=, addr=, attrs=..., attrs@entry=..., buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=, is_write=) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
> 0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
> 0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
> 0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
> 0x00007f0b70d3d66d in clone () from /lib64/libc.so.6
>
> The code path while meeting segfault:
>  vnc_dpy_copy
>   vnc_update_client
>    vnc_disconnect_finish [while vnc_disconnect_start() is invoked
>                           because something's wrong]
>     vnc_update_server_surface
>      vd->server = NULL;
>   vnc_server_fb_stride
>    pixman_image_get_stride(vd->server)
>
> Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid
> segmentation fault.
>

Reviewed-by: Marc-André Lureau

(It would be great if you had a reproducer)

It looks like this is not a regression from 2.7, perhaps it should be postponed?

> Cc: Gerd Hoffmann
> Cc: Daniel P. Berrange
> Reported-by: Yanying Zhuang
> Signed-off-by: Gonglei
> ---
>  ui/vnc.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index d1087c9..76a3273 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -911,6 +911,10 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl,
>          }
>      }
>
> +    if (!vd->server) {
> +        /* no client connected */
> +        return;
> +    }
>      /* do bitblit op on the local surface too */
>      pitch = vnc_server_fb_stride(vd);
>      src_row = vnc_server_fb_ptr(vd, src_x, src_y);
> --
> 1.7.12.4
>
>

--
Marc-André Lureau
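Review bot: the check sits in the right place, after the client loop, because the quoted code path shows vd->server being cleared by vnc_update_server_surface from inside vnc_update_client, i.e. during this same callback; the commit message should say that explicitly, and the comment `/* no client connected */` should say the last client was disconnected during the update loop above, since as written it reads like an entry precondition and a later reader could hoist the check to the top of vnc_dpy_copy, where it would no longer cover this path. It would also help to record which error made vnc_disconnect_start() fire in the reported case, as the reviewer's request for a reproducer suggests.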