qemu 0.9.0 on Linux crashes with SIGSEGV after read() on a char device returns 0, which occurs if the char device is a fifo and the writer closes the file.
In this case, fd_chr_read() and stdio_read() react by removing the IO handler and freeing it. Unfortunately main_loop_wait() is unprepared to deal with this (as the comment "XXX: better handling of removal" suggests) and attempts to access the freed handler. Even if main_loop_wait() were improved, it is not correct to remove the IO handler just because read() returns 0: if the char device is a fifo, a process may well reopen the fifo for writing at a later point. The attached patch is a naive fix; feedback is welcome. --Ed
Index: qemu-snapshot-2007-02-09_05/vl.c =================================================================== --- qemu-snapshot-2007-02-09_05.orig/vl.c +++ qemu-snapshot-2007-02-09_05/vl.c @@ -1346,11 +1346,13 @@ static void fd_chr_read(void *opaque) if (len == 0) return; size = read(s->fd_in, buf, len); +#if 0 if (size == 0) { /* FD has been closed. Remove it from the active list. */ qemu_set_fd_handler2(s->fd_in, NULL, NULL, NULL, NULL); return; } +#endif if (size > 0) { qemu_chr_read(chr, buf, size); } @@ -1546,11 +1548,13 @@ static void stdio_read(void *opaque) uint8_t buf[1]; size = read(0, buf, 1); +#if 0 if (size == 0) { /* stdin has been closed. Remove it from the active list. */ qemu_set_fd_handler2(0, NULL, NULL, NULL, NULL); return; } +#endif if (size > 0) stdio_received_byte(buf[0]); }
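Review bot: wrapping the `size == 0` branch of fd_chr_read() in `#if 0` replaces the use-after-free with a busy loop: once the fifo's writer has closed, the fd stays registered, select() keeps reporting it readable, and every pass of main_loop_wait() calls read(), which keeps returning 0, until some other process reopens the fifo for writing. The handling the cover note asks for belongs in main_loop_wait() instead (deferred deletion of the IOHandler record, the "XXX: better handling of removal" case), after which this branch can safely keep deregistering the fd and the fifo can be reopened when a writer returns. Also prefer deleting the dead branch outright over leaving it under `#if 0`.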
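Review bot: the same `#if 0` in stdio_read() is broader than the fifo case that motivates the patch: when stdin is a pipe or a redirected file, EOF is permanent, so leaving the handler registered makes main_loop_wait() spin on `read(0, buf, 1)` returning 0 with nothing to wait for. Suggest keeping the removal for stdin (or scoping the change with fstat() on fd 0 and S_ISFIFO so only a fifo stays registered) and limiting the fifo behaviour to fd_chr_read().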
_______________________________________________ Qemu-devel mailing list Qemu-devel@nongnu.org http://lists.nongnu.org/mailman/listinfo/qemu-devel
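The post's underlying problem is an IO handler that frees itself from inside its own callback while the main loop is still walking the handler list. The following is an added example, not Ed's patch and not QEMU's code: a minimal event loop with hypothetical names (`EventLoop`, `loop_remove_handler`, `loop_dispatch`, `FakeChannel`) that shows the deferred-deletion pattern the "XXX: better handling of removal" comment calls for. A removal requested during dispatch only marks the record, and the dispatcher frees marked records after the walk, so a callback reacting to read() returning 0 can deregister its fd without leaving the loop holding a dangling pointer. The char device is a constructed stand-in whose simulated read() returns 0 once `bytes_left` reaches zero.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of an fd-handler list; names are not QEMU's. */
typedef struct IOHandler {
    int fd;
    int deleted;                      /* marked during dispatch, freed afterwards */
    void (*read_cb)(struct IOHandler *h, void *opaque);
    void *opaque;
    struct IOHandler *next;
} IOHandler;

typedef struct {
    IOHandler *head;
    int in_dispatch;                  /* nonzero while callbacks are running */
} EventLoop;

IOHandler *loop_add_handler(EventLoop *l, int fd,
                            void (*cb)(IOHandler *, void *), void *opaque)
{
    IOHandler *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->fd = fd; h->read_cb = cb; h->opaque = opaque;
    h->next = l->head; l->head = h;   /* pushed at head, so visited first */
    return h;
}

/* Removal that is safe from inside a callback: while the dispatcher walks the
 * list the record is only marked and is freed after the walk. Freeing it
 * here unconditionally is the use-after-free the post describes. */
int loop_remove_handler(EventLoop *l, int fd)
{
    for (IOHandler **pp = &l->head; *pp; pp = &(*pp)->next) {
        IOHandler *h = *pp;
        if (h->fd != fd || h->deleted) continue;
        if (l->in_dispatch) { h->deleted = 1; return 1; }
        *pp = h->next;
        free(h);
        return 1;
    }
    return 0;
}

/* One round: run read_cb for each live handler whose fd is_ready() reports
 * readable, then sweep the records marked deleted. Returns callbacks run. */
int loop_dispatch(EventLoop *l, int (*is_ready)(int fd))
{
    int called = 0;
    l->in_dispatch = 1;
    for (IOHandler *h = l->head; h; h = h->next) {   /* h is never freed here */
        if (!h->deleted && is_ready(h->fd)) { h->read_cb(h, h->opaque); called++; }
    }
    l->in_dispatch = 0;
    for (IOHandler **pp = &l->head; *pp; ) {
        IOHandler *h = *pp;
        if (h->deleted) { *pp = h->next; free(h); } else pp = &h->next;
    }
    return called;
}

int loop_count(const EventLoop *l)
{
    int n = 0;
    for (const IOHandler *h = l->head; h; h = h->next) n++;
    return n;
}

/* Constructed stand-in for a char device: bytes_left == 0 makes the simulated
 * read() return 0 (EOF), whereupon the callback removes its own handler,
 * which is what fd_chr_read() did before the patch. */
typedef struct { EventLoop *loop; int bytes_left; } FakeChannel;

static void chan_read(IOHandler *h, void *opaque)
{
    FakeChannel *c = opaque;
    int size = c->bytes_left > 0 ? 1 : 0;       /* stands in for read() */
    if (size == 0) { loop_remove_handler(c->loop, h->fd); return; }
    c->bytes_left -= size;
}

static int always_ready(int fd) { (void)fd; return 1; }

typedef struct { int callbacks_run; int handlers_left; } ScenarioResult;

/* Scenario from the post: the handler on fd 3 hits EOF and removes itself
 * while fd 4's handler is still behind it in the list. */
ScenarioResult run_eof_scenario(void)
{
    EventLoop loop = { NULL, 0 };
    FakeChannel live = { &loop, 5 }, eof = { &loop, 0 };
    ScenarioResult r;
    loop_add_handler(&loop, 4, chan_read, &live);
    loop_add_handler(&loop, 3, chan_read, &eof);  /* head: dispatched first */
    r.callbacks_run = loop_dispatch(&loop, always_ready);
    r.handlers_left = loop_count(&loop);          /* fd 3 gone, fd 4 remains */
    while (loop.head) loop_remove_handler(&loop, loop.head->fd);  /* frees now */
    return r;
}

int main(void)
{
    ScenarioResult r = run_eof_scenario();
    printf("callbacks run: %d, handlers left: %d\n", r.callbacks_run, r.handlers_left);
    return 0;
}
```

With immediate freeing, the dispatcher's `h = h->next` after the fd 3 callback would read freed memory, which is the SIGSEGV in the report; with the mark-and-sweep removal both callbacks run and the list ends the round with only fd 4 registered. Whether a fifo's handler should be re-registered when a writer reopens it is a separate question from this memory-safety fix, and the two can be addressed independently.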