Hi

On Fri, Sep 2, 2016 at 8:00 AM Gonglei <arei.gong...@huawei.com> wrote:
> The backtrace is:
>
> 0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
> 0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
> vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
> 0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319, dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
> 0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319, dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
> 0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
> cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
> cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
> cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
> 0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
> 0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>, mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
> 0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362, size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
> 0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377", attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
> address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
> 0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=..., buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
> 0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
> 0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
> 0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
> 0x00007f0b70d3d66d in clone () from /lib64/libc.so.6
>
> The code path while meeting segfault:
> vnc_dpy_copy
> vnc_update_client
> vnc_disconnect_finish [while vnc_disconnect_start() is invoked because something's wrong]
> vnc_update_server_surface
> vd->server = NULL;
> vnc_server_fb_stride
> pixman_image_get_stride(vd->server)
>
> Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid
> segmentation fault.
>

Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>

(It would be great if you had a reproducer)

It looks like this is not a regression from 2.7, perhaps it should be postponed?

> Cc: Gerd Hoffmann <kra...@redhat.com>
> Cc: Daniel P. Berrange <berra...@redhat.com>
> Reported-by: Yanying Zhuang <ann.zhuangyany...@huawei.com>
> Signed-off-by: Gonglei <arei.gong...@huawei.com>
> ---
> ui/vnc.c | 4 ++++
> 1 file changed, 4 insertions(+)
> > diff --git a/ui/vnc.c b/ui/vnc.c > index d1087c9..76a3273 100644 > --- a/ui/vnc.c > +++ b/ui/vnc.c > @@ -911,6 +911,10 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl, > } > } > > + if (!vd->server) { > + /* no client connected */ > + return; > + } > /* do bitblit op on the local surface too */ > pitch = vnc_server_fb_stride(vd); > src_row = vnc_server_fb_ptr(vd, src_x, src_y); > -- > 1.7.12.4 > > > > -- Marc-André Lureau
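Review bot: the new comment `/* no client connected */` understates what the guard protects against. Per the call path in the description, vd->server becomes NULL inside this very callback, when vnc_update_client() (called from the client loop whose closing braces form the context just above the added lines) runs vnc_disconnect_finish() and vnc_update_server_surface() for the departing client; a comment such as `/* server surface was released while updating clients */` would tell the next reader why the check sits after the loop rather than at function entry. The backtrace also shows the trigger is a guest MMIO write into the Cirrus blitter (cirrus_bitblt_start reached from kvm_cpu_exec), so a guest can bring down the whole QEMU process whenever a VNC client disconnects during that update; that is worth stating in the commit message alongside the reproducer requested above. Any other DisplayChangeListener callback in ui/vnc.c that calls vnc_server_fb_stride()/vnc_server_fb_ptr() after iterating clients would need the same guard; the hunk only covers vnc_dpy_copy().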