From patchwork Mon Feb 4 16:07:51 2013
X-Patchwork-Submitter: Michael Roth
X-Patchwork-Id: 217993
From: Michael Roth
To: qemu-devel@nongnu.org
Date: Mon, 4 Feb 2013 10:07:51 -0600
Message-Id: <1359994071-6856-1-git-send-email-mdroth@linux.vnet.ibm.com>
X-Mailer: git-send-email 1.7.9.5
Cc: aliguori@us.ibm.com, mtosatti@redhat.com, qemu-stable@nongnu.org, quintela@redhat.com
Subject: [Qemu-devel] [PATCH for-1.4] acpi_piix4: fix segfault migrating from 1.2

b0b873a07872f7ab7f66f259c73fb9dd42aa66a9 bumped the vmstate version and introduced an old-style load function to handle migration from prior (<= 1.2) versions. The load function passes the top-level PIIX4PMState pointer to vmstate_load_state() to handle nested structs for APMState and pci_status, which leads to corruption of the top-level PIIX4PMState, since pointers to the nested structs are expected. A segfault can be fairly reliably triggered by migrating from 1.2 and issuing a reset, which will trigger a number of QOM operations which rely on the now corrupted ObjectClass/Object members. Fix this by passing in the expected pointers for vmstate_load_state().

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Roth
---
 hw/acpi_piix4.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 0d33849..65b2601 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -235,7 +235,7 @@ static int acpi_load_old(QEMUFile *f, void *opaque, int version_id) qemu_get_be16s(f, &s->ar.pm1.evt.en); qemu_get_be16s(f, &s->ar.pm1.cnt.cnt); - ret = vmstate_load_state(f, &vmstate_apm, opaque, 1); + ret = vmstate_load_state(f, &vmstate_apm, &s->apm, 1); if (ret) { return ret; } @@ -253,7 +253,7 @@ static int acpi_load_old(QEMUFile *f, void *opaque, int version_id) qemu_get_be16s(f, &temp); } - ret = vmstate_load_state(f, &vmstate_pci_status, opaque, 1); + ret = vmstate_load_state(f, &vmstate_pci_status, &s->pci0_status, 1); return ret; }
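Review bot: in the first hunk, the call that now passes `&s->apm` deserves a one-line comment at the call site, because the root cause is easy to reintroduce: `vmstate_load_state()` takes a `void *`, so nothing at compile time checks that the pointer handed in matches the struct that `vmstate_apm` describes, and with the top-level `PIIX4PMState` as the base the APMState field offsets landed on unrelated members at the head of the device state, which is how data from the incoming stream ended up overwriting them. Something like `/* vmstate_apm describes APMState: pass the nested struct, not the device */` would make the contract visible to whoever next extends this old-style loader. Since this path parses an untrusted migration stream, a regression check that migrates a 1.2 image and then issues a reset, as the commit message describes, would give the qemu-stable backport a concrete test to run.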
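Review bot: in the second hunk, `ret = vmstate_load_state(f, &vmstate_pci_status, &s->pci0_status, 1); return ret;` can be collapsed to `return vmstate_load_state(f, &vmstate_pci_status, &s->pci0_status, 1);`, since `ret` is not used afterwards; this is a style point only, the pointer change itself is correct and mirrors the APM fix. One documentation nit: the commit message calls the nested struct `pci_status`, while the field actually loaded is `s->pci0_status`, so aligning the wording would help anyone searching the log for this fix later.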