I originally reported this:

In the case of badframe, user struct is not unlocked here and may lead to
deadlock:

https://github.com/qemu/qemu
/blob/d4f7d56759f7c75270c13d5f3f5f736a9558929c/linux-user/m68k/signal.c#L380

In similar case, it in unlocked correctly:
https://github.com/qemu/qemu
/blob/d4f7d56759f7c75270c13d5f3f5f736a9558929c/linux-user/sh4/signal.c#L303

Laurant replied that frame needs to be initialized with NULL in the second
case indeed:

In fact, this case is a little bit different and wrong but to fix that
the solution is to set frame to NULL when it is declared:

linux-user/qemu.h:
* Unlock an area of guest memory.  The first LEN bytes must be
   flushed back to guest memory. host_ptr = NULL is explicitly
   allowed and does nothing. */
static inline void unlock_user(void *host_ptr, abi_ulong guest_addr,
                               long len)
like for linux-user/aarch64/signal.c:
long do_rt_sigreturn(CPUARMState *env)
{
    struct target_rt_sigframe *frame = NULL;
...
We have several targets with the same problem.

Thanks,
Mansour

Reply via email to