Re: [Qemu-devel] [PATCH] hw/ppc/spapr: Fix segfault when instantiating a 'pc-dimm' without 'memdev'

Mon, 21 Aug 2017 06:05:27 -0700 

On 21.08.2017 14:09, Cornelia Huck wrote:
> On Mon, 21 Aug 2017 20:35:24 +1000
> David Gibson <da...@gibson.dropbear.id.au> wrote:
> 
>> From: Thomas Huth <th...@redhat.com>
>>
>> QEMU currently crashes when trying to use a 'pc-dimm' on the pseries
>> machine without specifying its 'memdev' property. This happens because
>> pc_dimm_get_memory_region() does not check whether the 'memdev' property
>> has properly been set by the user. Looking closer at this function, it's
>> also obvious that it is using &error_abort to call another function - and
>> this is bad in a function that is used in the hot-plugging calling chain
>> since this can also cause QEMU to exit unexpectedly.
>>
>> So let's fix these issues in a proper way now: Add a "Error **errp"
>> parameter to pc_dimm_get_memory_region() which we use in case the 'memdev'
>> property has not been set by the user, and which we can use instead of
>> the &error_abort, and change the callers of get_memory_region() to make
>> use of this "errp" parameter for proper error checking.
>>
>> Signed-off-by: Thomas Huth <th...@redhat.com>
>> Reviewed-by: Igor Mammedov <imamm...@redhat.com>
>> Signed-off-by: David Gibson <da...@gibson.dropbear.id.au>
>> ---
>>  hw/i386/pc.c             | 14 ++++++++++++--
>>  hw/mem/nvdimm.c          |  2 +-
>>  hw/mem/pc-dimm.c         | 14 +++++++++++---
>>  hw/ppc/spapr.c           | 42 ++++++++++++++++++++++++++++++------------
>>  include/hw/mem/pc-dimm.h |  2 +-
>>  5 files changed, 55 insertions(+), 19 deletions(-)
> 
>> diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
>> index ea67b461c2..bdf6649083 100644
>> --- a/hw/mem/pc-dimm.c
>> +++ b/hw/mem/pc-dimm.c
>> @@ -363,7 +363,10 @@ static void pc_dimm_get_size(Object *obj, Visitor *v, 
>> const char *name,
>>      PCDIMMDevice *dimm = PC_DIMM(obj);
>>      PCDIMMDeviceClass *ddc = PC_DIMM_GET_CLASS(obj);
>>  
>> -    mr = ddc->get_memory_region(dimm);
>> +    mr = ddc->get_memory_region(dimm, errp);
>> +    if (!mr) {
>> +        return;
> 
> What happens if mr == NULL, but no error was set (backend memory not
> inited case)?

Looks like this currently never happens™  ... otherwise someone would
have experienced a crash in memory_region_size() which derefernces mr.

Anyway, we should eventually modify host_memory_backend_get_memory() to
correctly set the errp in that case. But since this is a slightly
different issue, I think this can go into a separate patch instead... so
I'll sent a separate patch for that later...

 Thomas

Reply via email to