From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: lprosek@redhat.com, "Michael S. Tsirkin", Stefan Hajnoczi, Amit Shah
Date: Fri, 2 Jun 2017 10:54:24 +0100
Message-Id: <20170602095424.9064-1-stefanha@redhat.com>
Subject: [Qemu-devel] [PATCH] virtio-serial: fix segfault on disconnect

Since commit d4c19cdeeb2f1e474bc426a6da261f1d7346eb5b ("virtio-serial: add
missing virtio_detach_element() call") the following commands may cause
QEMU to segfault:

  $ qemu -M accel=kvm -cpu host -m 1G \
         -drive if=virtio,file=test.img,format=raw \
         -device virtio-serial-pci,id=virtio-serial0 \
         -chardev socket,id=channel1,path=/tmp/chardev.sock,server,nowait \
         -device virtserialport,chardev=channel1,bus=virtio-serial0.0,id=port1
  $ nc -U /tmp/chardev.sock
  ^C
  (guest)$ cat /dev/zero >/dev/vport0p1

The segfault is non-deterministic: if the event loop notices the socket
has been closed then there is no crash. The disconnect has to happen
right before QEMU attempts to write data to the socket.

The backtrace is as follows:

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x00005555557e0698 in do_flush_queued_data (port=0x5555582cedf0, vq=0x7fffcc854290, vdev=0x55555807b1d0) at hw/char/virtio-serial-bus.c:180
180         for (i = port->iov_idx; i < port->elem->out_num; i++) {
#1  0x000055555580d363 in virtio_queue_notify_vq (vq=0x7fffcc854290) at hw/virtio/virtio.c:1524
#2  0x000055555580d363 in virtio_queue_host_notifier_read (n=0x7fffcc8542f8) at hw/virtio/virtio.c:2430
#3  0x0000555555b3482c in aio_dispatch_handlers (ctx=ctx@entry=0x5555566b8c80) at util/aio-posix.c:399
#4  0x0000555555b350d8 in aio_dispatch (ctx=0x5555566b8c80) at util/aio-posix.c:430
#5  0x0000555555b3212e in aio_ctx_dispatch (source=, callback=, user_data=) at util/async.c:261
#6  0x00007fffde71de52 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#7  0x0000555555b34353 in glib_pollfds_poll () at util/main-loop.c:213
#8  0x0000555555b34353 in os_host_main_loop_wait (timeout=) at util/main-loop.c:261
#9  0x0000555555b34353 in main_loop_wait (nonblocking=) at util/main-loop.c:517
#10 0x0000555555773207 in main_loop () at vl.c:1917
#11 0x0000555555773207 in main (argc=, argv=, envp=) at vl.c:4751

The do_flush_queued_data() function does not anticipate chardev close
events during vsc->have_data(). It expects port->elem to remain non-NULL
for the duration of its for loop.

The fix is simply to return from do_flush_queued_data() if the port
closes because the close event already frees port->elem and drains the
virtqueue - there is nothing left for do_flush_queued_data() to do.

Reported-by: Sitong Liu
Reported-by: Min Deng
Signed-off-by: Stefan Hajnoczi
---
 hw/char/virtio-serial-bus.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index d797a67..c5aa26c 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -186,6 +186,9 @@ static void do_flush_queued_data(VirtIOSerialPort *port= , VirtQueue *vq, port->elem->out_sg[i].iov_base + port->iov_offset, buf_size); + if (!port->elem) { /* bail if we got disconnected */ + return; + } if (port->throttled) { port->iov_idx =3D i; if (ret > 0) { --=20 2.9.4
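Review bot: the comment on the new check, `/* bail if we got disconnected */`, should state why returning without pushing the element is safe, namely that the close path has already freed port->elem and drained the virtqueue (as the commit message explains), because a reader of this hunk alone could take the early return for a leaked in-flight element; suggest `/* bail: the close event freed port->elem and drained the vq */`. Placing the check ahead of the `port->throttled` branch is right, since that branch records `port->iov_idx = i` for a later resume and that state would be stale once the element is gone.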
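The failure mode in the commit message is a general one: a callback invoked from inside a loop tears down the state the loop iterates over, and the loop condition then dereferences a freed-and-cleared pointer. The toy C model below is an added example written for this page; it is not QEMU code and not part of the patch. The `struct port`, `have_data()`, `port_close()` and `run_scenario()` names and the `close_after_bytes` knob are hypothetical stand-ins for the real `VirtIOSerialPort`, `vsc->have_data()` and the chardev close event, and the three 4-byte buffers are constructed sample data. The flush loop carries the same re-check after the callback that the patch adds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a virtio-serial port, constructed for this example; field names
 * mirror those used in do_flush_queued_data() but this is not QEMU code. */
struct iov { const char *base; size_t len; };
struct elem { size_t out_num; struct iov out_sg[4]; };

struct port {
    struct elem *elem;       /* in-flight virtqueue element; NULL once the port is closed */
    size_t iov_idx;          /* next out_sg index to flush */
    size_t iov_offset;       /* partial progress inside out_sg[iov_idx] */
    size_t bytes_written;    /* total bytes handed to the backend */
    long close_after_bytes;  /* hypothetical knob: backend disconnects after this many bytes (-1 = never) */
};

/* Models the chardev close path described in the commit message: the element
 * is freed and port->elem cleared while the flush loop may still be running. */
static void port_close(struct port *port)
{
    free(port->elem);
    port->elem = NULL;
}

/* Models vsc->have_data(): the backend consumes bytes, and the disconnect can
 * fire from inside this callback, i.e. in the middle of the caller's loop. */
static size_t have_data(struct port *port, const char *buf, size_t len)
{
    (void)buf;
    port->bytes_written += len;
    if (port->close_after_bytes >= 0 &&
        port->bytes_written >= (size_t)port->close_after_bytes) {
        port_close(port);
    }
    return len;
}

/* Hardened flush loop. Without the re-check, the loop condition re-reads
 * port->elem->out_num right after the callback returns, which dereferences
 * NULL once the close path has run (the crash at virtio-serial-bus.c:180).
 * Returns the number of iovs flushed, or -1 if the port closed mid-flush; in
 * that case the close path already drained the queue, so nothing is left to do. */
static int flush_queued_data(struct port *port)
{
    size_t i;

    for (i = port->iov_idx; i < port->elem->out_num; i++) {
        size_t buf_size = port->elem->out_sg[i].len - port->iov_offset;

        have_data(port, port->elem->out_sg[i].base + port->iov_offset, buf_size);
        if (!port->elem) {        /* bail: the callback tore down the element */
            return -1;
        }
        port->iov_offset = 0;
    }
    port->iov_idx = i;
    return (int)i;
}

/* Runs one flush over three constructed 4-byte buffers with the backend set to
 * disconnect after close_after_bytes bytes. Returns flush_queued_data()'s result
 * and reports the bytes handed to the backend through *bytes_out. */
static int run_scenario(long close_after_bytes, size_t *bytes_out)
{
    static const char *bufs[3] = { "abcd", "efgh", "ijkl" };  /* constructed sample data */
    struct port port = { 0 };
    int ret;
    size_t k;

    port.elem = calloc(1, sizeof(*port.elem));
    port.elem->out_num = 3;
    for (k = 0; k < 3; k++) {
        port.elem->out_sg[k].base = bufs[k];
        port.elem->out_sg[k].len = 4;
    }
    port.close_after_bytes = close_after_bytes;

    ret = flush_queued_data(&port);
    *bytes_out = port.bytes_written;
    free(port.elem);              /* no-op if the close path already freed it */
    return ret;
}

int main(void)
{
    size_t n;
    int ret;

    ret = run_scenario(-1, &n);
    printf("no disconnect: flushed %d iovs, %zu bytes\n", ret, n);
    ret = run_scenario(8, &n);
    printf("disconnect after 8 bytes: result %d, %zu bytes\n", ret, n);
    return 0;
}
```

With no disconnect the loop flushes all three iovs; with the backend closing after 8 bytes the second callback frees the element, the re-check fires, and the function returns -1 instead of reading `port->elem->out_num` through a NULL pointer.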