| Message ID | 1508137406-5222-1-git-send-email-bharata@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
On Mon, 16 Oct 2017 12:33:26 +0530
Bharata B Rao <bharata@linux.vnet.ibm.com> wrote:

> The following sequence of steps kills QEMU:
>
> - Hotplug a CPU
> - Change the default CPU to the newly hotplugged cpu using the "cpu" HMP command.
> - Hot unplug the CPU
> - Run "info cpus"
>
> Fix this by not letting monitor_get_cpu() return a CPU which is marked
> for unplug.
>
> Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
> Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
> ---
> monitor.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/monitor.c b/monitor.c
> index fe0d1bd..8d60e57 100644
> --- a/monitor.c
> +++ b/monitor.c
> @@ -1053,7 +1053,7 @@ int monitor_set_cpu(int cpu_index)
>
> CPUState *mon_get_cpu(void)
> {
> - if (!cur_mon->mon_cpu) {
> + if (!cur_mon->mon_cpu || cur_mon->mon_cpu->unplug) {

mon_cpu could be freed, so it would cause a use after free. Greg was looking into the same issue; see his patch: "[PATCH] monitor: fix dangling CPU pointer"

> if (!first_cpu) {
> return NULL;
> }
diff --git a/monitor.c b/monitor.c index fe0d1bd..8d60e57 100644 --- a/monitor.c +++ b/monitor.c @@ -1053,7 +1053,7 @@ int monitor_set_cpu(int cpu_index) CPUState *mon_get_cpu(void) { - if (!cur_mon->mon_cpu) { + if (!cur_mon->mon_cpu || cur_mon->mon_cpu->unplug) { if (!first_cpu) { return NULL; }
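Review bot: the new condition in the `mon_get_cpu()` hunk, `+ if (!cur_mon->mon_cpu || cur_mon->mon_cpu->unplug) {`, still dereferences `cur_mon->mon_cpu` to read the `unplug` flag, so it does not protect against the case the reply on this thread raises: once the unplugged CPUState has been freed, the monitor's raw pointer is stale and this check reads through it. Clearing `cur_mon->mon_cpu` at the point the CPU is unplugged (or re-resolving it from a stored CPU index) would avoid the read-after-free, whereas testing a flag on the object itself only works while the object is still alive. Within the visible lines nothing resets `cur_mon->mon_cpu` after the check fires, so the stale pointer would be re-evaluated on every later call as well.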
The following sequence of steps kills QEMU:

- Hotplug a CPU
- Change the default CPU to the newly hotplugged cpu using the "cpu" HMP command.
- Hot unplug the CPU
- Run "info cpus"

Fix this by not letting monitor_get_cpu() return a CPU which is marked
for unplug.

Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
---
monitor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)