[Qemu-commits] [qemu/qemu] 462e5d: oslib: strip trailing '\n' from error


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 462e5d: oslib: strip trailing '\n' from error_setg() strin...
Date: Mon, 12 Jun 2017 06:50:59 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 462e5d506573e61adce70f53176d5ae85d1ba92a
      https://github.com/qemu/qemu/commit/462e5d506573e61adce70f53176d5ae85d1ba92a
  Author: Philippe Mathieu-Daudé <address@hidden>
  Date:   2017-06-07 (Wed, 07 Jun 2017)

  Changed paths:
    M util/oslib-posix.c

  Log Message:
  -----------
  oslib: strip trailing '\n' from error_setg() string argument

spotted by Coccinelle script scripts/coccinelle/err-bad-newline.cocci

Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Laurent Vivier <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: f652402487be592402a5edc000a652344e842369
      https://github.com/qemu/qemu/commit/f652402487be592402a5edc000a652344e842369
  Author: Philippe Mathieu-Daudé <address@hidden>
  Date:   2017-06-07 (Wed, 07 Jun 2017)

  Changed paths:
    M scripts/coccinelle/return_directly.cocci

  Log Message:
  -----------
  coccinelle: fix typo in comment

Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 3a586d2f0bb0cf9c1c7a53f7a183de199c93d0ea
      https://github.com/qemu/qemu/commit/3a586d2f0bb0cf9c1c7a53f7a183de199c93d0ea
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2017-06-07 (Wed, 07 Jun 2017)

  Changed paths:
    A .gdbinit
    M configure

  Log Message:
  -----------
  .gdbinit: load QEMU sub-commands when gdb starts

The scripts/qemu-gdb.py file is not easily discoverable.  Add a .gdbinit
file so GDB either loads qemu-gdb.py automatically or prints a message
informing the user how to enable them (some systems disable ./.gdbinit
loading for security reasons).

Symlink .gdbinit and the scripts directory in order to make out-of-tree
builds work.  The scripts directory is used to find the qemu-gdb.py file
specified by a relative path in .gdbinit.

Suggested-by: Eric Blake <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Alex Bennée <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Tested-by: Eric Blake <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 528f449f590829b53ea01ed91817a695b540421d
      https://github.com/qemu/qemu/commit/528f449f590829b53ea01ed91817a695b540421d
  Author: Roman Pen <address@hidden>
  Date:   2017-06-07 (Wed, 07 Jun 2017)

  Changed paths:
    M util/qemu-coroutine-lock.c
    M util/qemu-coroutine.c

  Log Message:
  -----------
  coroutine-lock: do not touch coroutine after another one has been entered

Submission of requests on linux aio is a bit tricky and can lead to
request completions on the submission path:

44713c9e8547 ("linux-aio: Handle io_submit() failure gracefully")
0ed93d84edab ("linux-aio: process completions from ioq_submit()")

That means that any coroutine which has been yielded in order to wait
for completion can be resumed from submission path and be eventually
terminated (freed).

The following use-after-free crash was observed when IO throttling
was enabled:

 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7f5813dff700 (LWP 56417)]
 virtqueue_unmap_sg (elem=0x7f5804009a30, len=1, vq=<optimized out>) at virtio.c:252
 (gdb) bt
 #0  virtqueue_unmap_sg (elem=0x7f5804009a30, len=1, vq=<optimized out>) at virtio.c:252
                         ^^^^^^^^^^^^^^
                         remember the address

 #1  virtqueue_fill (vq=0x5598b20d21b0, elem=0x7f5804009a30, len=1, idx=0) at virtio.c:282
 #2  virtqueue_push (vq=0x5598b20d21b0, address@hidden, len=<optimized out>) at virtio.c:308
 #3  virtio_blk_req_complete (address@hidden, address@hidden '\000') at virtio-blk.c:61
 #4  virtio_blk_rw_complete (opaque=<optimized out>, ret=0) at virtio-blk.c:126
 #5  blk_aio_complete (acb=0x7f58040068d0) at block-backend.c:923
 #6  coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at coroutine-ucontext.c:78

 (gdb) p * elem
 $8 = {index = 77, out_num = 2, in_num = 1,
       in_addr = 0x7f5804009ad8, out_addr = 0x7f5804009ae0,
       in_sg = 0x0, out_sg = 0x7f5804009a50}
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       'in_sg' and 'out_sg' are invalid.
       e.g. it is impossible that 'in_sg' is zero,
       instead its value must be equal to:
        (gdb) p/x 0x7f5804009ad8 + sizeof(elem->in_addr[0]) + 2 * sizeof(elem->out_addr[0])
        $26 = 0x7f5804009af0

Seems 'elem' was corrupted.  Meanwhile another thread raised an abort:

 Thread 12 (Thread 0x7f57f2ffd700 (LWP 56426)):
 #0  raise () from /lib/x86_64-linux-gnu/libc.so.6
 #1  abort () from /lib/x86_64-linux-gnu/libc.so.6
 #2  qemu_coroutine_enter (co=0x7f5804009af0) at qemu-coroutine.c:113
 #3  qemu_co_queue_run_restart (co=0x7f5804009a30) at qemu-coroutine-lock.c:60
 #4  qemu_coroutine_enter (co=0x7f5804009a30) at qemu-coroutine.c:119
                     ^^^^^^^^^^^^^^^^^^
                     WTF?? this is equal to elem from crashed thread

 #5  qemu_co_queue_run_restart (co=0x7f57e7f16ae0) at qemu-coroutine-lock.c:60
 #6  qemu_coroutine_enter (co=0x7f57e7f16ae0) at qemu-coroutine.c:119
 #7  qemu_co_queue_run_restart (co=0x7f5807e112a0) at qemu-coroutine-lock.c:60
 #8  qemu_coroutine_enter (co=0x7f5807e112a0) at qemu-coroutine.c:119
 #9  qemu_co_queue_run_restart (co=0x7f5807f17820) at qemu-coroutine-lock.c:60
 #10 qemu_coroutine_enter (co=0x7f5807f17820) at qemu-coroutine.c:119
 #11 qemu_co_queue_run_restart (co=0x7f57e7f18e10) at qemu-coroutine-lock.c:60
 #12 qemu_coroutine_enter (co=0x7f57e7f18e10) at qemu-coroutine.c:119
 #13 qemu_co_enter_next (address@hidden) at qemu-coroutine-lock.c:106
 #14 timer_cb (blk=0x5598b1e74280, is_write=<optimized out>) at throttle-groups.c:419

The crash can be explained by the access of the 'co' object from the loop inside
qemu_co_queue_run_restart():

  while ((next = QSIMPLEQ_FIRST(&co->co_queue_wakeup))) {
      QSIMPLEQ_REMOVE_HEAD(&co->co_queue_wakeup, co_queue_next);
                     ^^^^^^^^^^^^^^^^^^^^
                     on each iteration 'co' is accessed,
                     but 'co' can be already freed

      qemu_coroutine_enter(next);
  }

When 'next' coroutine is resumed (entered) it can in its turn resume
'co', and eventually free it.  That's why we see 'co' (which was freed)
has the same address as 'elem' from the first backtrace.

The fix is obvious: use a temporary queue and do not touch the coroutine after
the first qemu_coroutine_enter() is invoked.

The issue is quite rare and happens every ~12 hours under very high IO
and CPU load (building the Linux kernel with -j512 inside the guest) when IO
throttling is enabled.  With the fix applied the guest has been running for
~35 hours and is still alive so far.

Signed-off-by: Roman Pen <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Cc: Paolo Bonzini <address@hidden>
Cc: Fam Zheng <address@hidden>
Cc: Stefan Hajnoczi <address@hidden>
Cc: Kevin Wolf <address@hidden>
Cc: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
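To make the ordering problem described in the commit message concrete, here is an added, self-contained C model; it is not QEMU's code. It builds a coroutine with a wake-up queue, a drain loop that mirrors the shape of the original qemu_co_queue_run_restart() loop, and a fixed loop that first moves the queue to a temporary head and then never touches the owning coroutine again. The Coroutine struct, the touch() and coroutine_enter() helpers and the frees_on_enter hook are constructed for illustration: nothing is really freed, a flag plus a counter make the dangling access observable instead of leaving it as undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a coroutine with a wake-up queue (not QEMU's code).
 * Memory is never really freed: a 'freed' flag plus a counter make the
 * dangerous accesses observable instead of undefined behaviour. */
typedef struct Coroutine Coroutine;
struct Coroutine {
    const char *name;
    Coroutine *wakeup_head;     /* first waiter in this coroutine's wake-up queue */
    Coroutine *next;            /* link to the next waiter in the owner's queue */
    Coroutine *frees_on_enter;  /* if set, entering this coroutine terminates that one */
    bool freed;
};

static int g_accesses_after_free;

/* Record a dereference of a coroutine that has already been terminated. */
static void touch(Coroutine *co)
{
    if (co->freed) {
        g_accesses_after_free++;
    }
}

/* Stand-in for qemu_coroutine_enter(): resuming 'co' may, in its turn,
 * resume and terminate the coroutine whose queue is being drained. */
static void coroutine_enter(Coroutine *co)
{
    touch(co);
    if (co->frees_on_enter) {
        co->frees_on_enter->freed = true;
    }
}

/* Mirrors the original loop: 'co' is dereferenced on every iteration, even
 * after an entered waiter has freed it. Returns how many iterations touched
 * 'co' after it was freed. */
static int run_restart_buggy(Coroutine *co)
{
    g_accesses_after_free = 0;
    for (;;) {
        Coroutine *next;
        touch(co);                     /* QSIMPLEQ_FIRST(&co->co_queue_wakeup) */
        next = co->wakeup_head;
        if (!next) {
            break;
        }
        co->wakeup_head = next->next;  /* QSIMPLEQ_REMOVE_HEAD(...) */
        next->next = NULL;
        coroutine_enter(next);
    }
    return g_accesses_after_free;
}

/* The fix pattern: move the whole queue to a temporary head first, then
 * never touch 'co' again once the first waiter has been entered. */
static int run_restart_fixed(Coroutine *co)
{
    Coroutine *tmp_queue;
    g_accesses_after_free = 0;
    touch(co);                          /* last access to 'co': detach the queue */
    tmp_queue = co->wakeup_head;
    co->wakeup_head = NULL;
    while (tmp_queue) {
        Coroutine *next = tmp_queue;
        tmp_queue = next->next;
        next->next = NULL;
        coroutine_enter(next);
    }
    return g_accesses_after_free;
}

/* Scenario from the commit message: 'co' has two waiters, and entering the
 * first one resumes and terminates 'co'. Returns the after-free access count. */
static int run_scenario(bool fixed)
{
    Coroutine co = { "co", NULL, NULL, NULL, false };
    Coroutine w1 = { "waiter1", NULL, NULL, &co, false };   /* frees 'co' on enter */
    Coroutine w2 = { "waiter2", NULL, NULL, NULL, false };
    co.wakeup_head = &w1;
    w1.next = &w2;
    return fixed ? run_restart_fixed(&co) : run_restart_buggy(&co);
}

int main(void)
{
    printf("buggy loop: %d iteration(s) touched 'co' after it was freed\n",
           run_scenario(false));
    printf("fixed loop: %d iteration(s) touched 'co' after it was freed\n",
           run_scenario(true));
    return 0;
}
```

With the buggy loop the model reports two dangling accesses (the iteration that dequeues the second waiter and the final empty check); the fixed loop reports none. In real code the same pattern is what AddressSanitizer or a poisoning allocator would flag as a heap use-after-free, which is why the backtrace above shows the freed coroutine's address reappearing as 'elem'.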


  Commit: 11cde1c81093a33c46c7a4039bf750bb61551087
      https://github.com/qemu/qemu/commit/11cde1c81093a33c46c7a4039bf750bb61551087
  Author: Bruno Dominguez <address@hidden>
  Date:   2017-06-07 (Wed, 07 Jun 2017)

  Changed paths:
    M configure
    M disas/libvixl/Makefile.objs
    M rules.mak

  Log Message:
  -----------
  configure: split c and cxx extra flags

There was no possibility to add specific cxx flags using the configure
file. So a new entry has been created to support it.

There was duplication of information in configure and rules.mak: taking
QEMU_CFLAGS and adding them to QEMU_CXXFLAGS. Now the value of
QEMU_CXXFLAGS is stored in config-host.mak, so there is no need for
it.

The makefile for libvixl was adding flags for QEMU_CXXFLAGS in
QEMU_CFLAGS because of the addition in rules.mak. That was removed, so
they are now added where they should be.

Signed-off-by: Bruno Dominguez <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 2a8469aaabdc86c369bf4aeb77f87de7361f464b
      https://github.com/qemu/qemu/commit/2a8469aaabdc86c369bf4aeb77f87de7361f464b
  Author: Peter Maydell <address@hidden>
  Date:   2017-06-12 (Mon, 12 Jun 2017)

  Changed paths:
    A .gdbinit
    M configure
    M disas/libvixl/Makefile.objs
    M rules.mak
    M scripts/coccinelle/return_directly.cocci
    M util/oslib-posix.c
    M util/qemu-coroutine-lock.c
    M util/qemu-coroutine.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging

# gpg: Signature made Wed 07 Jun 2017 19:06:51 BST
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <address@hidden>"
# gpg:                 aka "Stefan Hajnoczi <address@hidden>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/block-pull-request:
  configure: split c and cxx extra flags
  coroutine-lock: do not touch coroutine after another one has been entered
  .gdbinit: load QEMU sub-commands when gdb starts
  coccinelle: fix typo in comment
  oslib: strip trailing '\n' from error_setg() string argument

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/475df9d809b1...2a8469aaabdc
