Re: [Qemu-devel] [BUG] Regression in networking code (SIGSEGV)


From: Gleb Natapov
Subject: Re: [Qemu-devel] [BUG] Regression in networking code (SIGSEGV)
Date: Thu, 5 Feb 2009 17:34:34 +0200

On Wed, Feb 04, 2009 at 01:01:36PM +0100, Stefan Weil wrote:
> Hi,
> 
> of course. But I found a simple way to reproduce the bug, so I think
> this new way is simpler to handle than tcpreplay:
> 
> Host: amd64, debian 5.0 (I think others will do, too)
> Guest: i686, debian 4.0 (I think others will do, too)
> 
> The host must export an NFS filesystem (/tftpboot in my tests).
> The guest must be able to mount this NFS filesystem using special options.
> 
> Start the guest (hda.img contains a minimal debian 4.0 installation):
> $ i386-softmmu/qemu -m 512 -hda ~/hda.img
> 
> Mount host NFS on guest:
> $ mount 10.0.2.2:/tftpboot /mnt -o proto=udp,rsize=4096,wsize=4096,nointr,nolock,nfsvers=2
> 
> Copy files from host NFS to host NFS on guest:
> $ cp /mnt/malta-le/usr/lib/libstdc++.so.6.0.8 /mnt/malta-le/tmp
> 
> In my tests, the file to copy has 1164392 bytes, the guest creates
> the destination file with 0 bytes and crashes.
> 
> The NFS mount options are identical to the options used by Linux NFS root
> but different to those used by default. With default NFS options, there
> is no crash,
> so this explains why I get crashes in my NFS root tests but had difficulties
> to get a crash with other network operations.
> I know that proto=udp is important but did not check many other
> combinations.
> 
> With malta and other mips guests, the crash can be reproduced in the
> same way,
> so I am now fairly sure that any guest (on any host) will crash like this.
> 
Cool, I can reproduce it now! Can you try the patch below?

Signed-off-by: Gleb Natapov <address@hidden>

diff --git a/qemu/slirp/ip_input.c b/qemu/slirp/ip_input.c
index e7f2756..f00a2e8 100644
--- a/qemu/slirp/ip_input.c
+++ b/qemu/slirp/ip_input.c
@@ -393,7 +393,7 @@ insert:
         */
        if (m->m_flags & M_EXT) {
          int delta;
-         delta = (char *)ip - m->m_dat;
+         delta = (char *)q - m->m_dat;
          q = (struct ipasfrag *)(m->m_ext + delta);
        }
 
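Review bot: the offset is now measured from the same pointer it is applied to. In the old line `delta = (char *)ip - m->m_dat;` the distance was taken from `ip` but then used to relocate `q` (`q = (struct ipasfrag *)(m->m_ext + delta);`), so whenever `ip` and `q` did not point at the same place inside `m->m_dat`, the relocated `q` landed at the wrong offset in the new external buffer, which matches the reported SIGSEGV during fragment reassembly. Since the surrounding block only says that the mbuf data moved to `m_ext`, a one-line comment above the `if` stating that `q`, not `ip`, is the pointer still referring to the old `m_dat` buffer here would make the intent clear to the next reader; a regression case built from the UDP NFS reproduction in this thread would also be worth recording alongside the fix.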
--
                        Gleb.
