| Submitter | Anthony Liguori |
|---|---|
| Date | Sept. 5, 2012, 7:01 p.m. |
| Message ID | <1346871696-8150-1-git-send-email-aliguori@us.ibm.com> |
| Download | mbox | patch |
| Permalink | /patch/181916/ |
| State | New |
| Headers | show |
Comments
On Wed, Sep 05, 2012 at 02:01:36PM -0500, Anthony Liguori wrote: > Commit c3767ed0eb5d0bb25fe409ae5dec06e3411ff1b6 introduced a possible SEGV when > using a socket chardev with server=on because it assumes that all TCP sockets > are in client mode. > > This patch adds a check to only reconnect when in client mode. > > Cc: Lei Li <lilei@linux.vnet.ibm.com> > Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> > Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> > --- > qemu-char.c | 4 +++- > 1 files changed, 3 insertions(+), 1 deletions(-) > > diff --git a/qemu-char.c b/qemu-char.c > index 398baf1..767da93 100644 > --- a/qemu-char.c > +++ b/qemu-char.c > @@ -2148,10 +2148,12 @@ static int tcp_chr_write(CharDriverState *chr, const uint8_t *buf, int len) > TCPCharDriver *s = chr->opaque; > if (s->connected) { > return send_all(s->fd, buf, len); > - } else { > + } else if (s->listen_fd == -1) { > /* (Re-)connect for unconnected writing */ > tcp_chr_connect(chr); > return 0; > + } else { > + return len; > } > } Hi Anthony, I just came around this patch when I was trying to fix this bug: https://bugzilla.redhat.com/show_bug.cgi?id=853408 qemu segfaults when trying to write to a serial socket which is *not* a server socket and has been closed by the other end. Unfortunately your patch above does not fix it. Only a complete revert of c3767ed0eb5d0 fixes it. I don't understand the purpose of c3767ed0eb5d0 at all. It seems to set the s->connected flag and carries on regardless, happily calling write (-1, ...), which is completely broken. The other end closed the socket. There's no one listening on the other end, and setting the s->connected flag will not help that. Rich.
"Richard W.M. Jones" <rjones@redhat.com> writes: > On Wed, Sep 05, 2012 at 02:01:36PM -0500, Anthony Liguori wrote: >> Commit c3767ed0eb5d0bb25fe409ae5dec06e3411ff1b6 introduced a possible SEGV when >> using a socket chardev with server=on because it assumes that all TCP sockets >> are in client mode. >> >> This patch adds a check to only reconnect when in client mode. >> >> Cc: Lei Li <lilei@linux.vnet.ibm.com> >> Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> >> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> >> --- >> qemu-char.c | 4 +++- >> 1 files changed, 3 insertions(+), 1 deletions(-) >> >> diff --git a/qemu-char.c b/qemu-char.c >> index 398baf1..767da93 100644 >> --- a/qemu-char.c >> +++ b/qemu-char.c >> @@ -2148,10 +2148,12 @@ static int tcp_chr_write(CharDriverState *chr, const uint8_t *buf, int len) >> TCPCharDriver *s = chr->opaque; >> if (s->connected) { >> return send_all(s->fd, buf, len); >> - } else { >> + } else if (s->listen_fd == -1) { >> /* (Re-)connect for unconnected writing */ >> tcp_chr_connect(chr); >> return 0; >> + } else { >> + return len; >> } >> } > > Hi Anthony, > > I just came around this patch when I was trying to fix this > bug: https://bugzilla.redhat.com/show_bug.cgi?id=853408 > qemu segfaults when trying to write to a serial socket which > is *not* a server socket and has been closed by the other end. > > Unfortunately your patch above does not fix it. Only a > complete revert of c3767ed0eb5d0 fixes it. > > I don't understand the purpose of c3767ed0eb5d0 at all. It > seems to set the s->connected flag and carries on regardless, > happily calling write (-1, ...), which is completely broken. > > The other end closed the socket. There's no one listening on the > other end, and setting the s->connected flag will not help that. You're 100% correct. I was only attempting to fix the server SEGV, I didn't notice that client was hopelessly broken too. Will send a patch reverting both commits. Regards, Anthony Liguori > > Rich. > > -- > Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones > Read my programming blog: http://rwmj.wordpress.com > Fedora now supports 80 OCaml packages (the OPEN alternative to F#) > http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
Patch
diff --git a/qemu-char.c b/qemu-char.c index 398baf1..767da93 100644 --- a/qemu-char.c +++ b/qemu-char.c @@ -2148,10 +2148,12 @@ static int tcp_chr_write(CharDriverState *chr, const uint8_t *buf, int len) TCPCharDriver *s = chr->opaque; if (s->connected) { return send_all(s->fd, buf, len); - } else { + } else if (s->listen_fd == -1) { /* (Re-)connect for unconnected writing */ tcp_chr_connect(chr); return 0; + } else { + return len; } }
Commit c3767ed0eb5d0bb25fe409ae5dec06e3411ff1b6 introduced a possible SEGV when using a socket chardev with server=on because it assumes that all TCP sockets are in client mode. This patch adds a check to only reconnect when in client mode. Cc: Lei Li <lilei@linux.vnet.ibm.com> Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> --- qemu-char.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-)