QEMU will crash with:
Segmentation fault (core dumped)
when negative slot number is used, ex:
qemu-system-x86_64 -m 1G,maxmem=20G,slots=256 \
-object memory-backend-ram,id=mem1,size=1G \
-device pc-dimm,id=dimm1,memdev=mem1,slot=-2
fix it by checking that slot number is within valid range.
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
---
hw/mem/pc-dimm.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
index b1239fd0d3..29c785799c 100644
--- a/hw/mem/pc-dimm.c
+++ b/hw/mem/pc-dimm.c
@@ -38,6 +38,13 @@ void pc_dimm_pre_plug(PCDIMMDevice *dimm, MachineState *machine,
slot = object_property_get_int(OBJECT(dimm), PC_DIMM_SLOT_PROP,
&error_abort);
+ if ((slot < 0 || slot >= machine->ram_slots) &&
+ slot != PC_DIMM_UNASSIGNED_SLOT) {
+ error_setg(&local_err, "invalid slot number, valid range is [0-%"
+ PRIu64 "]", machine->ram_slots - 1);
+ goto out;
+ }
+
slot = pc_dimm_get_free_slot(slot == PC_DIMM_UNASSIGNED_SLOT ? NULL : &slot,
machine->ram_slots, &local_err);
if (local_err) {
--
2.18.1
On Mon, 29 Jul 2019 17:16:14 -0400 "Michael S. Tsirkin" <mst@redhat.com> wrote: Hi Michael, it seems tooling used for pull req is a bit broken * minor issue is CC list contains bogus addresses like: <@redhat.com, Mammedov@redhat.com, * a bigger issie is that Message-Id is taken from original patch even though [PULL 3/3] is not 100% the same as original which confuses mail clients quite a bit.
On Tue, Jul 30, 2019 at 02:36:38PM +0200, Igor Mammedov wrote: > On Mon, 29 Jul 2019 17:16:14 -0400 > "Michael S. Tsirkin" <mst@redhat.com> wrote: > > Hi Michael, > > it seems tooling used for pull req is a bit broken > * minor issue is CC list contains bogus addresses like: <@redhat.com, Mammedov@redhat.com, Ouch. Looks like the html version ended up there in git somehow. I'll look into fixing that. > * a bigger issie is that Message-Id is taken from original patch even though [PULL 3/3] > is not 100% the same as original which confuses mail clients quite a bit. That's somehow the fault of the mail sending script. I checked and I don't see any logs of how it run though. I think I somehow triggered an old version by mistake. Sorry :( -- MST
Igor Mammedov <imammedo@redhat.com> 于2019年7月24日周三 上午12:09写道:
> QEMU will crash with:
> Segmentation fault (core dumped)
> when negative slot number is used, ex:
> qemu-system-x86_64 -m 1G,maxmem=20G,slots=256 \
> -object memory-backend-ram,id=mem1,size=1G \
> -device pc-dimm,id=dimm1,memdev=mem1,slot=-2
>
> fix it by checking that slot number is within valid range.
>
> Signed-off-by: Igor Mammedov <imammedo@redhat.com>
>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
> ---
> hw/mem/pc-dimm.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
> index b1239fd0d3..29c785799c 100644
> --- a/hw/mem/pc-dimm.c
> +++ b/hw/mem/pc-dimm.c
> @@ -38,6 +38,13 @@ void pc_dimm_pre_plug(PCDIMMDevice *dimm, MachineState
> *machine,
>
> slot = object_property_get_int(OBJECT(dimm), PC_DIMM_SLOT_PROP,
> &error_abort);
> + if ((slot < 0 || slot >= machine->ram_slots) &&
> + slot != PC_DIMM_UNASSIGNED_SLOT) {
> + error_setg(&local_err, "invalid slot number, valid range is [0-%"
> + PRIu64 "]", machine->ram_slots - 1);
> + goto out;
> + }
> +
> slot = pc_dimm_get_free_slot(slot == PC_DIMM_UNASSIGNED_SLOT ? NULL :
> &slot,
> machine->ram_slots, &local_err);
> if (local_err) {
> --
> 2.18.1
>
>
>
> QEMU will crash with:
> Segmentation fault (core dumped)
> when negative slot number is used, ex:
> qemu-system-x86_64 -m 1G,maxmem=20G,slots=256 \
> -object memory-backend-ram,id=mem1,size=1G \
> -device pc-dimm,id=dimm1,memdev=mem1,slot=-2
>
> fix it by checking that slot number is within valid range.
>
> Signed-off-by: Igor Mammedov <imammedo@redhat.com>
> ---
> hw/mem/pc-dimm.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
> index b1239fd0d3..29c785799c 100644
> --- a/hw/mem/pc-dimm.c
> +++ b/hw/mem/pc-dimm.c
> @@ -38,6 +38,13 @@ void pc_dimm_pre_plug(PCDIMMDevice *dimm, MachineState
> *machine,
>
> slot = object_property_get_int(OBJECT(dimm), PC_DIMM_SLOT_PROP,
> &error_abort);
> + if ((slot < 0 || slot >= machine->ram_slots) &&
> + slot != PC_DIMM_UNASSIGNED_SLOT) {
> + error_setg(&local_err, "invalid slot number, valid range is [0-%"
> + PRIu64 "]", machine->ram_slots - 1);
> + goto out;
> + }
> +
> slot = pc_dimm_get_free_slot(slot == PC_DIMM_UNASSIGNED_SLOT ? NULL :
> &slot,
> machine->ram_slots, &local_err);
> if (local_err) {
> --
Reviewed-by: Pankaj Gupta <pagupta@redhat.com>
> 2.18.1
>
>
>
On Tue, Jul 23, 2019 at 12:08:59PM -0400, Igor Mammedov wrote:
> QEMU will crash with:
> Segmentation fault (core dumped)
> when negative slot number is used, ex:
> qemu-system-x86_64 -m 1G,maxmem=20G,slots=256 \
> -object memory-backend-ram,id=mem1,size=1G \
> -device pc-dimm,id=dimm1,memdev=mem1,slot=-2
>
> fix it by checking that slot number is within valid range.
>
> Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
> ---
> hw/mem/pc-dimm.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
> index b1239fd0d3..29c785799c 100644
> --- a/hw/mem/pc-dimm.c
> +++ b/hw/mem/pc-dimm.c
> @@ -38,6 +38,13 @@ void pc_dimm_pre_plug(PCDIMMDevice *dimm, MachineState *machine,
>
> slot = object_property_get_int(OBJECT(dimm), PC_DIMM_SLOT_PROP,
> &error_abort);
> + if ((slot < 0 || slot >= machine->ram_slots) &&
> + slot != PC_DIMM_UNASSIGNED_SLOT) {
> + error_setg(&local_err, "invalid slot number, valid range is [0-%"
> + PRIu64 "]", machine->ram_slots - 1);
> + goto out;
> + }
> +
> slot = pc_dimm_get_free_slot(slot == PC_DIMM_UNASSIGNED_SLOT ? NULL : &slot,
> machine->ram_slots, &local_err);
> if (local_err) {
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
© 2016 - 2026 Red Hat, Inc.