From 062ffad79316d7c3a2ace6d96ffc1f90d61469ec Mon Sep 17 00:00:00 2001

From: Serhii Popovych <spopovyc@redhat.com>

Date: Wed, 8 Nov 2017 13:35:20 +0100

Subject: [PATCH 2/7] monitor: fix dangling CPU pointer

RH-Author: Serhii Popovych <spopovyc@redhat.com>

Message-id: <1510148120-54741-1-git-send-email-spopovyc@redhat.com>

Patchwork-id: 77520

O-Subject: [RHV7.5 qemu-kvm-rhev PATCH v2] monitor: fix dangling CPU pointer

Bugzilla: 1510001

RH-Acked-by: Laurent Vivier <lvivier@redhat.com>

RH-Acked-by: David Hildenbrand <david@redhat.com>

RH-Acked-by: Peter Xu <peterx@redhat.com>

From: Greg Kurz <groug@kaod.org>

Test: replay case as described in comment 4 on bz: qemu does not crash

If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"

causes QEMU to exit:

(qemu) device_del cpu1

(qemu) info cpus

qemu:qemu_cpu_kick_thread: No such process

This happens because "cpu" stores the pointer to the selected CPU into

the monitor structure. When the CPU is hot-unplugged, we end up with a

dangling pointer. The "info cpus" command then does:

hmp_info_cpus()

 monitor_get_cpu_index()

  mon_get_cpu()

   cpu_synchronize_state() <--- called with dangling pointer

This could cause a QEMU crash as well.

This patch switches the monitor to store the QOM path instead of a

pointer to the current CPU. The path is then resolved when needed.

If the resolution fails, we assume that the CPU was removed and the

path is resetted to the default (ie, path of first_cpu).

Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>

Suggested-by: Igor Mammedov <imammedo@redhat.com>

Signed-off-by: Greg Kurz <groug@kaod.org>

Message-Id: <150822818243.26242.12993827911736928961.stgit@bahia.lan>

Reviewed-by: Igor Mammedov <imammedo@redhat.com>

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

(cherry picked from commit 751f8cfe2a556b3ef49f6af2860e2d1d2a1ec66a)

Signed-off-by: Serhii Popovych <spopovyc@redhat.com>

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 monitor.c | 23 ++++++++++++++++++-----

 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/monitor.c b/monitor.c

index bade261..c0a8dbc 100644

--- a/monitor.c

+++ b/monitor.c

@@ -200,7 +200,7 @@ struct Monitor {

     ReadLineState *rs;

     MonitorQMP qmp;

-    CPUState *mon_cpu;

+    gchar *mon_cpu_path;

     BlockCompletionFunc *password_completion_cb;

     void *password_opaque;

     mon_cmd_t *cmd_table;

@@ -579,6 +579,7 @@ static void monitor_data_init(Monitor *mon)

 static void monitor_data_destroy(Monitor *mon)

 {

+    g_free(mon->mon_cpu_path);

     qemu_chr_fe_deinit(&mon->chr, false);

     if (monitor_is_qmp(mon)) {

         json_message_parser_destroy(&mon->qmp.parser);

@@ -1065,20 +1066,32 @@ int monitor_set_cpu(int cpu_index)

     if (cpu == NULL) {

         return -1;

     }

-    cur_mon->mon_cpu = cpu;

+    g_free(cur_mon->mon_cpu_path);

+    cur_mon->mon_cpu_path = object_get_canonical_path(OBJECT(cpu));

     return 0;

 }

 CPUState *mon_get_cpu(void)

 {

-    if (!cur_mon->mon_cpu) {

+    CPUState *cpu;

+

+    if (cur_mon->mon_cpu_path) {

+        cpu = (CPUState *) object_resolve_path_type(cur_mon->mon_cpu_path,

+                                                    TYPE_CPU, NULL);

+        if (!cpu) {

+            g_free(cur_mon->mon_cpu_path);

+            cur_mon->mon_cpu_path = NULL;

+        }

+    }

+    if (!cur_mon->mon_cpu_path) {

         if (!first_cpu) {

             return NULL;

         }

         monitor_set_cpu(first_cpu->cpu_index);

+        cpu = first_cpu;

     }

-    cpu_synchronize_state(cur_mon->mon_cpu);

-    return cur_mon->mon_cpu;

+    cpu_synchronize_state(cpu);

+    return cpu;

 }

 CPUArchState *mon_get_cpu_env(void)

-- 

1.8.3.1