[Qemu-devel] [Patch] Segfault with -vnc option
From: Jan Niehusmann
Subject: [Qemu-devel] [Patch] Segfault with -vnc option
Date: Mon, 22 Sep 2008 19:16:05 +0200
User-agent: Mutt/1.5.18 (2008-05-17)
Hi!
I observed a reproducible segmentation fault of kvm under the following
conditions:
- start kvm with the -vnc option, using Cirrus VGA (default)
- connect to the VNC console
- boot Windows XP
- log in
- screen resolution 1024x768
- change to the qemu monitor (ctrl-alt-2)
- wait for the Windows screensaver to kick in
Here is the stack trace of the segmentation fault:
(gdb) info stack
#0 0xb7cc4573 in memmove () from /lib/i686/cmov/libc.so.6
#1 0x080db22a in vnc_copy (ds=0x81d0b20, src_x=50, src_y=50, dst_x=195,
dst_y=576, w=275, h=174) at vnc.c:477
#2 0x080b2626 in cirrus_bitblt_start (s=0x86eb1e4) at
/tmp/kvm-72+dfsg/qemu/hw/cirrus_vga.c:780
#3 0x080b29e5 in cirrus_hook_write_gr (s=0x86eb1e4, reg_index=0,
reg_value=275) at /tmp/kvm-72+dfsg/qemu/hw/cirrus_vga.c:1091
#4 0x080fe885 in cpu_physical_memory_rw (addr=753728, buf=0x5a408028 <Address
0x5a408028 out of bounds>, len=1, is_write=1) at
/tmp/kvm-72+dfsg/qemu/exec.c:2800
#5 0x08159eae in kvm_mmio_write (opaque=0x0, addr=753728, data=0x5a408028
<Address 0x5a408028 out of bounds>, len=1) at
/tmp/kvm-72+dfsg/qemu/qemu-kvm.c:690
#6 0x0818d30b in handle_mmio (kvm=0x83ec028, kvm_run=0x5a408000) at
libkvm.c:849
#7 0x0818d820 in kvm_run (kvm=0x83ec028, vcpu=0) at libkvm.c:975
#8 0x0815a680 in kvm_cpu_exec (env=0x84da9b0) at
/tmp/kvm-72+dfsg/qemu/qemu-kvm.c:218
#9 0x0815a980 in ap_main_loop (_env=0x84da9b0) at
/tmp/kvm-72+dfsg/qemu/qemu-kvm.c:407
#10 0xb7e964c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#11 0xb7d2d55e in clone () from /lib/i686/cmov/libc.so.6
The cause is that the default Windows screensaver uses bitblt to
move the Windows logo around, and cirrus_bitblt_start does call vnc_copy
with parameters suitable for the VGA mode the virtual VGA card uses. But
vnc_copy uses the currently active console, which is a text console with
a resolution of 800x600:
(gdb) up
#1 0x080db22a in vnc_copy (ds=0x81d0b20, src_x=50, src_y=50, dst_x=195,
dst_y=576, w=275, h=174) at vnc.c:477
477 memmove(old_row, src_row, w * vs->depth);
As you can see, dst_y + h = 750 > 600.
As vnc_copy doesn't check these parameters, a segmentation fault occurs.
I think it's quite easy to prevent this behaviour: If we are not on the
graphics console, just skip the vnc_copy.
This patch assumes that there is only one graphic console. This is,
of course, the usual case - but I'm not sure if this is guaranteed in
every case.
Regards,
Jan
Signed-off-by: Jan Niehusmann <address@hidden>
--- qemu/vnc.c.orig 2008-09-22 18:38:08.000000000 +0200
+++ qemu/vnc.c 2008-09-22 18:39:13.000000000 +0200
@@ -457,6 +457,9 @@
int pitch = ds->linesize;
VncState *vs = ds->opaque;
+ /* Skip copy when on text console */
+ if(!is_graphic_console()) return;
+
vnc_update_client(vs);
if (dst_y > src_y) {
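Review bot: the early return added at the top of this hunk keys on global console state (is_graphic_console()) rather than on the arguments vnc_copy is about to use, so the defect described in the report, that dst_y + h (750) exceeds the console height (600) and vnc_copy checks none of its parameters, remains for any caller that reaches the memmove loop on the graphics console with an out-of-range rectangle. Suggest keeping this guard and additionally rejecting the copy when the source or destination rectangle does not fit inside the current display dimensions before the `if (dst_y > src_y) {` loop begins (the exact DisplayState width/height field names are not visible in the hunk, so that spelling is left to the author). The author's own caveat that only one graphic console is assumed would also be worth recording in the code comment. Minor style point: `if(!is_graphic_console()) return;` should read `if (!is_graphic_console()) return;` to match the `if (dst_y > src_y)` spacing two lines below.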
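The report's diagnosis is that vnc_copy performs a row-wise memmove with a rectangle it never validates, and that the fault disappears once the rectangle is checked against the console actually in use. The following C program is an added illustration of that check and is not QEMU's vnc.c: the Surface struct, surface_new, rect_in_bounds, rect_copy_checked and demo are all assumed names, and the 800x600 / 1024x768 consoles plus the marker pixel are constructed test data. It replays the exact arguments from frame #1 of the trace (src 50,50 to dst 195,576, 275x174) and shows the copy being refused on the 800x600 console and performed on the 1024x768 one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the display state handed to vnc_copy (assumed
 * layout; only pitch and depth mirror what the report shows). */
typedef struct {
    int width;       /* pixels per row */
    int height;      /* rows */
    int depth;       /* bytes per pixel */
    int linesize;    /* bytes per row (the "pitch" in the patch) */
    uint8_t *data;   /* framebuffer, linesize * height bytes */
} Surface;

Surface *surface_new(int width, int height, int depth)
{
    Surface *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->width = width;
    s->height = height;
    s->depth = depth;
    s->linesize = width * depth;
    s->data = calloc((size_t)s->linesize * (size_t)height, 1);
    if (!s->data) { free(s); return NULL; }
    return s;
}

void surface_free(Surface *s)
{
    if (s) { free(s->data); free(s); }
}

/* 1 if the w*h rectangle at (x,y) lies entirely inside the surface.
 * Comparing x against (width - w) instead of computing x + w avoids
 * signed overflow on hostile coordinates. */
int rect_in_bounds(const Surface *s, int x, int y, int w, int h)
{
    if (x < 0 || y < 0 || w <= 0 || h <= 0) return 0;
    if (w > s->width || h > s->height) return 0;
    if (x > s->width - w || y > s->height - h) return 0;
    return 1;
}

/* Row-wise memmove like vnc_copy, but the rectangle is validated first.
 * Returns 1 if the copy was performed, 0 if it was rejected. */
int rect_copy_checked(Surface *s, int src_x, int src_y,
                      int dst_x, int dst_y, int w, int h)
{
    if (!rect_in_bounds(s, src_x, src_y, w, h) ||
        !rect_in_bounds(s, dst_x, dst_y, w, h))
        return 0;

    size_t row_bytes = (size_t)w * (size_t)s->depth;
    /* Walk rows bottom-up when moving downward so overlapping source rows
     * are read before they are overwritten; top-down otherwise. */
    int start = dst_y > src_y ? h - 1 : 0;
    int step  = dst_y > src_y ? -1 : 1;
    for (int n = 0, i = start; n < h; n++, i += step) {
        uint8_t *src = s->data + (size_t)(src_y + i) * s->linesize
                               + (size_t)src_x * s->depth;
        uint8_t *dst = s->data + (size_t)(dst_y + i) * s->linesize
                               + (size_t)dst_x * s->depth;
        memmove(dst, src, row_bytes);
    }
    return 1;
}

/* Replays the arguments from frame #1 of the trace against an 800x600
 * console (constructed) and a 1024x768 one (constructed). Returns 1 when
 * the small console rejects the copy, the large one performs it, and the
 * marker pixel arrives at the destination. */
int demo(void)
{
    Surface *text = surface_new(800, 600, 4);
    Surface *gfx  = surface_new(1024, 768, 4);
    if (!text || !gfx) { surface_free(text); surface_free(gfx); return 0; }

    /* Mark one source pixel so we can see it arrive at the destination. */
    gfx->data[(size_t)50 * gfx->linesize + 50 * 4] = 0xAB;

    int on_text = rect_copy_checked(text, 50, 50, 195, 576, 275, 174);
    int on_gfx  = rect_copy_checked(gfx,  50, 50, 195, 576, 275, 174);
    int landed  = gfx->data[(size_t)576 * gfx->linesize + 195 * 4] == 0xAB;

    surface_free(text);
    surface_free(gfx);
    return on_text == 0 && on_gfx == 1 && landed;
}

int main(void)
{
    int ok = demo();
    printf("bounds-checked copy behaves as expected: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of validating the rectangle inside the copy routine, rather than only asking which console is active, is that the check then holds for every caller: a guest-driven bitblt with coordinates that fit the guest's idea of the screen but not the host-side surface is refused instead of running memmove past the end of the buffer.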