From: "Denis V. Lunev"
Date: Tue, 28 Nov 2017 15:10:54 +0300
Message-Id: <20171128121055.6954-2-den@openvz.org>
In-Reply-To: <20171128121055.6954-1-den@openvz.org>
References: <20171128121055.6954-1-den@openvz.org>
Subject: [Qemu-devel] [PATCH 1/2] hmp: block qemu-io command for device without media
Cc: Kevin Wolf, qemu-stable@nongnu.org, qemu-devel@nongnu.org, "Dr. David Alan Gilbert", Stefan Hajnoczi, "Denis V. Lunev"

In this case blk->bs == NULL and the code will just crash. Emulate error on that path.

Signed-off-by: Denis V. Lunev
CC: "Dr. David Alan Gilbert"
CC: Kevin Wolf
CC: Stefan Hajnoczi
Reviewed-by: Stefan Hajnoczi
---
 hmp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hmp.c b/hmp.c index 35a7041824..cfd1d9ab29 100644 --- a/hmp.c +++ b/hmp.c
@@ -2336,6 +2336,9 @@ void hmp_qemu_io(Monitor *mon, const QDict *qdict) } else { goto fail; } + } else if (!blk_is_available(blk)) { + error_setg(&err, "No media in the device '%s'", device); + goto fail; } =20 aio_context =3D blk_get_aio_context(blk); --=20 2.11.0
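Review bot: the error text in the new `else if (!blk_is_available(blk))` branch of hmp_qemu_io() says "No media in the device", but the branch is taken whenever blk_is_available() returns false, while the commit message only describes the blk->bs == NULL case. If that helper can also fail for a device that does hold a medium, the monitor user gets a misleading message; either test the specific condition that crashes or word the message neutrally, for example "Device '%s' has no medium available". A one-line comment above the branch saying that the code after it needs an attached medium would document why the check is there.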
From: "Denis V. Lunev"
Date: Tue, 28 Nov 2017 15:10:55 +0300
Message-Id: <20171128121055.6954-3-den@openvz.org>
In-Reply-To: <20171128121055.6954-1-den@openvz.org>
References: <20171128121055.6954-1-den@openvz.org>
Subject: [Qemu-devel] [PATCH 2/2] ide: fix crash in IDE cdrom read
Cc: Kevin Wolf, qemu-devel@nongnu.org, qemu-stable@nongnu.org, Stefan Hajnoczi, "Denis V. Lunev", John Snow

There is the following crash reported from the field in QEMU 2.9:

    bdrv_inc_in_flight (bs=bs@entry=0x0)
    blk_aio_prwv
    blk_aio_preadv
    ide_buffered_readv
    cd_read_sector
    ide_data_readw
    portio_read
    memory_region_read_accessor
    access_with_adjusted_size
    memory_region_dispatch_read1
    memory_region_dispatch_read
    address_space_read_continue
    address_space_read_full
    address_space_read
    address_space_rw
    kvm_handle_io
    kvm_cpu_exec
    qemu_kvm_cpu_thread_fn
    start_thread
    clone

Indeed, the CDROM device without media has blk->bs == NULL. We should check that the media is really available for the device, as has been done in the SCSI code.

Maybe the patch adds a bit more checking than necessary, but this is not a problem. We should always stay on the safe side.

Signed-off-by: Denis V. Lunev
CC: John Snow
CC: Kevin Wolf
CC: Stefan Hajnoczi
---
 hw/ide/atapi.c | 32 ++++++++++++++++++++++++++++----
 hw/ide/core.c  |  4 ++--
 2 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c index c0509c8bf5..fa50c0ccf6 100644 --- a/hw/ide/atapi.c +++ b/hw/ide/atapi.c
@@ -119,6 +119,11 @@ cd_read_sector_sync(IDEState *s) =20 trace_cd_read_sector_sync(s->lba); =20 + if (!blk_is_available(s->blk)) { + ret =3D -ENOMEDIUM; + goto fail; + } + switch (s->cd_sector_size) { case 2048: ret =3D blk_pread(s->blk, (int64_t)s->lba << ATAPI_SECTOR_BITS, @@ -132,8 +137,8 @@ cd_read_sector_sync(IDEState *s) } break; default: - block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ); - return -EIO; + ret =3D -EIO; + goto fail; } =20 if (ret < 0) { @@ -145,6 +150,10 @@ cd_read_sector_sync(IDEState *s) } =20 return ret; + +fail: + block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ); + return ret; } =20 static void cd_read_sector_cb(void *opaque, int ret) @@ -174,9 +183,15 @@ static void cd_read_sector_cb(void *opaque, int ret) =20 static int cd_read_sector(IDEState *s) { + int err; + if (s->cd_sector_size !=3D 2048 && s->cd_sector_size !=3D 2352) { - block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ); - return -EINVAL; + err =3D -EINVAL; + goto fail; + } + if (!blk_is_available(s->blk)) { + err =3D -ENOMEDIUM; + goto fail; } =20 s->iov.iov_base =3D (s->cd_sector_size =3D=3D 2352) ? @@ -195,6 +210,10 @@ static int cd_read_sector(IDEState *s) =20 s->status |=3D BUSY_STAT; return 0; + +fail: + block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ); + return err; } =20 void ide_atapi_cmd_ok(IDEState *s) @@ -404,6 +423,11 @@ static void ide_atapi_cmd_read_dma_cb(void *opaque, in= t ret) goto eot; } =20 + if (!blk_is_available(s->blk)) { + ide_atapi_cmd_read_dma_cb(s, -ENOMEDIUM); + return; + } + s->io_buffer_index =3D 0; if (s->cd_sector_size =3D=3D 2352) { n =3D 1; diff --git a/hw/ide/core.c b/hw/ide/core.c index 471d0c928b..71780fc9d1 100644 --- a/hw/ide/core.c +++ b/hw/ide/core.c 
@@ -758,7 +758,7 @@ static void ide_sector_read(IDEState *s) =20 trace_ide_sector_read(sector_num, n); =20 - if (!ide_sect_range_ok(s, sector_num, n)) { + if (!ide_sect_range_ok(s, sector_num, n) || !blk_is_available(s->blk))= { ide_rw_error(s); block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ); return; @@ -1023,7 +1023,7 @@ static void ide_sector_write(IDEState *s) =20 trace_ide_sector_write(sector_num, n); =20 - if (!ide_sect_range_ok(s, sector_num, n)) { + if (!ide_sect_range_ok(s, sector_num, n) || !blk_is_available(s->blk))= { ide_rw_error(s); block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_WRITE); return; --=20 2.11.0
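Review bot: cd_read_sector() and cd_read_sector_sync() order their two checks differently. In cd_read_sector_sync() the `!blk_is_available(s->blk)` test runs before `switch (s->cd_sector_size)`, while in cd_read_sector() it runs after the sector-size test, so a drive with no medium and an unexpected sector size returns -ENOMEDIUM from one function and -EINVAL from the other. Put the availability check first in both, and name the new local in cd_read_sector() `ret` rather than `err` so the two functions read alike. The commit message should also mention that the no-medium case is now accounted through block_acct_invalid() at the shared `fail:` label.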
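Review bot: in the ide_atapi_cmd_read_dma_cb() hunk the callback reports the missing medium by calling itself, `ide_atapi_cmd_read_dma_cb(s, -ENOMEDIUM); return;`. That is only safe if the ret < 0 handling earlier in the function always leaves before reaching this check again, which the hunk neither shows nor documents, and re-entering also repeats everything the function does before this point. Handle the error directly here, or add a comment that states why re-entering the callback terminates.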
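Review bot: both hw/ide/core.c hunks, in ide_sector_read() and ide_sector_write(), append `|| !blk_is_available(s->blk)` to the range check, so a missing medium is reported through ide_rw_error() exactly like an out-of-range sector. Please confirm that this is the intended guest-visible status for the no-medium case, and evaluate the availability test before ide_sect_range_ok(s, sector_num, n), so that the range helper is never the first code to look at a backend without a medium. The subject line covers only the cdrom read path; the commit message should say why ide_sector_write() needs the check as well.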