Patchwork socket: don't attempt to reconnect a TCP socket in server mode

login
register
mail settings
Submitter Anthony Liguori
Date Sept. 5, 2012, 7:01 p.m.
Message ID <1346871696-8150-1-git-send-email-aliguori@us.ibm.com>
Download mbox | patch
Permalink /patch/181916/
State New
Headers show

Comments

Anthony Liguori - Sept. 5, 2012, 7:01 p.m.
Commit c3767ed0eb5d0bb25fe409ae5dec06e3411ff1b6 introduced a possible SEGV when
using a socket chardev with server=on because it assumes that all TCP sockets
are in client mode.

This patch adds a check to only reconnect when in client mode.

Cc: Lei Li <lilei@linux.vnet.ibm.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
 qemu-char.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
Richard W.M. Jones - Sept. 12, 2012, 6:34 p.m.
On Wed, Sep 05, 2012 at 02:01:36PM -0500, Anthony Liguori wrote:
> Commit c3767ed0eb5d0bb25fe409ae5dec06e3411ff1b6 introduced a possible SEGV when
> using a socket chardev with server=on because it assumes that all TCP sockets
> are in client mode.
> 
> This patch adds a check to only reconnect when in client mode.
> 
> Cc: Lei Li <lilei@linux.vnet.ibm.com>
> Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
> ---
>  qemu-char.c |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/qemu-char.c b/qemu-char.c
> index 398baf1..767da93 100644
> --- a/qemu-char.c
> +++ b/qemu-char.c
> @@ -2148,10 +2148,12 @@ static int tcp_chr_write(CharDriverState *chr, const uint8_t *buf, int len)
>      TCPCharDriver *s = chr->opaque;
>      if (s->connected) {
>          return send_all(s->fd, buf, len);
> -    } else {
> +    } else if (s->listen_fd == -1) {
>          /* (Re-)connect for unconnected writing */
>          tcp_chr_connect(chr);
>          return 0;
> +    } else {
> +        return len;
>      }
>  }

Hi Anthony,

I just came around this patch when I was trying to fix this
bug: https://bugzilla.redhat.com/show_bug.cgi?id=853408
qemu segfaults when trying to write to a serial socket which
is *not* a server socket and has been closed by the other end.

Unfortunately your patch above does not fix it.  Only a
complete revert of c3767ed0eb5d0 fixes it.

I don't understand the purpose of c3767ed0eb5d0 at all.  It
seems to set the s->connected flag and carries on regardless,
happily calling write (-1, ...), which is completely broken.

The other end closed the socket.  There's no one listening on the
other end, and setting the s->connected flag will not help that.

Rich.
Anthony Liguori - Sept. 12, 2012, 7:37 p.m.
"Richard W.M. Jones" <rjones@redhat.com> writes:

> On Wed, Sep 05, 2012 at 02:01:36PM -0500, Anthony Liguori wrote:
>> Commit c3767ed0eb5d0bb25fe409ae5dec06e3411ff1b6 introduced a possible SEGV when
>> using a socket chardev with server=on because it assumes that all TCP sockets
>> are in client mode.
>> 
>> This patch adds a check to only reconnect when in client mode.
>> 
>> Cc: Lei Li <lilei@linux.vnet.ibm.com>
>> Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
>> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
>> ---
>>  qemu-char.c |    4 +++-
>>  1 files changed, 3 insertions(+), 1 deletions(-)
>> 
>> diff --git a/qemu-char.c b/qemu-char.c
>> index 398baf1..767da93 100644
>> --- a/qemu-char.c
>> +++ b/qemu-char.c
>> @@ -2148,10 +2148,12 @@ static int tcp_chr_write(CharDriverState *chr, const uint8_t *buf, int len)
>>      TCPCharDriver *s = chr->opaque;
>>      if (s->connected) {
>>          return send_all(s->fd, buf, len);
>> -    } else {
>> +    } else if (s->listen_fd == -1) {
>>          /* (Re-)connect for unconnected writing */
>>          tcp_chr_connect(chr);
>>          return 0;
>> +    } else {
>> +        return len;
>>      }
>>  }
>
> Hi Anthony,
>
> I just came around this patch when I was trying to fix this
> bug: https://bugzilla.redhat.com/show_bug.cgi?id=853408
> qemu segfaults when trying to write to a serial socket which
> is *not* a server socket and has been closed by the other end.
>
> Unfortunately your patch above does not fix it.  Only a
> complete revert of c3767ed0eb5d0 fixes it.
>
> I don't understand the purpose of c3767ed0eb5d0 at all.  It
> seems to set the s->connected flag and carries on regardless,
> happily calling write (-1, ...), which is completely broken.
>
> The other end closed the socket.  There's no one listening on the
> other end, and setting the s->connected flag will not help that.

You're 100% correct.  I was only attempting to fix the server SEGV, I
didn't notice that client was hopelessly broken too.  Will send a patch
reverting both commits.

Regards,

Anthony Liguori

>
> Rich.
>
> -- 
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> Read my programming blog: http://rwmj.wordpress.com
> Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
> http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora

Patch

diff --git a/qemu-char.c b/qemu-char.c
index 398baf1..767da93 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2148,10 +2148,12 @@  static int tcp_chr_write(CharDriverState *chr, const uint8_t *buf, int len)
     TCPCharDriver *s = chr->opaque;
     if (s->connected) {
         return send_all(s->fd, buf, len);
-    } else {
+    } else if (s->listen_fd == -1) {
         /* (Re-)connect for unconnected writing */
         tcp_chr_connect(chr);
         return 0;
+    } else {
+        return len;
     }
 }