qemu-2.0 / spice crash

Qemu 2.0 crashes on (at least Windows) guest machine reboot with spice-0.12.4, with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff211eae5 in spice_char_device_write_to_device (dev=0x55555725bf30) at char_device.c:443
443         sif = SPICE_CONTAINEROF(dev->sin->base.sif, SpiceCharDeviceInterface, base);
(gdb) bt
#0  0x00007ffff211eae5 in spice_char_device_write_to_device (dev=0x55555725bf30) at char_device.c:443
#1  0x00007ffff211fd81 in spice_char_device_start (dev=0x55555725bf30) at char_device.c:798
#2  0x00007ffff2171f95 in spice_server_vm_start (s=0x5555561d4360) at reds.c:4520
#3  0x00005555556a1119 in qdev_reset_one (dev=<optimized out>, opaque=<optimized out>) at hw/core/qdev.c:240
#4  0x00005555556a0958 in qbus_walk_children (bus=0x555556757610, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556a1100 <qdev_reset_one>, post_busfn=0x55555569f060 <qbus_reset_one>, opaque=0x0) at hw/core/qdev.c:369
#5  0x00005555556a0878 in qdev_walk_children (dev=0x55555677c020, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556a1100 <qdev_reset_one>, post_busfn=0x55555569f060 <qbus_reset_one>, opaque=0x0) at hw/core/qdev.c:403
#6  0x00005555556a0958 in qbus_walk_children (bus=0x555556745930, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556a1100 <qdev_reset_one>, post_busfn=0x55555569f060 <qbus_reset_one>, opaque=0x0) at hw/core/qdev.c:369
#7  0x00005555557d717a in qemu_devices_reset () at vl.c:1867
#8  qemu_system_reset (report=report@entry=true) at vl.c:1880
#9  0x00005555555f9e2f in main_loop_should_exit () at vl.c:2015
#10 main_loop () at vl.c:2055
#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4507


Having essentially zero knowledge of qemu or spice at a source level, I threw together a quick patch that at least prevents the crash for me...which is attached here.

Thanks,
-Rick
--- spice-0.12.4/server/char_device.c	2013-07-17 09:00:56.000000000 -0500
+++ ./char_device.c	2014-04-21 10:02:01.925286492 -0500
@@ -440,6 +440,14 @@
     spice_char_device_state_ref(dev);
     core->timer_cancel(dev->write_to_dev_timer);
 
+    if (dev->sin == NULL || dev->sin->base.sif == NULL) {
+        return 0;
+    }
+
+    if (SPICE_OFFSETOF(SpiceCharDeviceInterface, base) > ((SpiceCharDeviceInterface *)((uint8_t *)(dev->sin->base.sif)))) {
+        return 0;
+    }
+
     sif = SPICE_CONTAINEROF(dev->sin->base.sif, SpiceCharDeviceInterface, base);
     while (dev->running) {
         uint32_t write_len;
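Review bot: the second guard in this hunk, `SPICE_OFFSETOF(SpiceCharDeviceInterface, base) > ((SpiceCharDeviceInterface *)((uint8_t *)(dev->sin->base.sif)))`, compares a byte offset (an integer) against a pointer value; that is not a valid C relational comparison (compilers reject or warn "comparison between pointer and integer") and it says nothing about whether `sif` points at a usable interface, so it should be dropped and only the NULL test on `dev->sin` and `dev->sin->base.sif` kept. Both new `return 0;` paths also run after `spice_char_device_state_ref(dev);` at the top of the hunk, so the reference taken there is never released on the early-return path; either move the NULL check above the ref or release the reference before returning. Finally, the check hides the crash seen in spice_server_vm_start during qemu_system_reset rather than explaining why a running device has no `sin` at that point, so a comment marking it as a workaround and a pointer to the ordering question it leaves open would help whoever fixes the root cause.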
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
