[Spice-commits] server/char_device.c

Uri Lublin uril at kemper.freedesktop.org
Sun Feb 8 03:20:57 PST 2015 

 server/char_device.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

New commits:
commit 0c1f5b00e7907aefee13f86a234558f00cd6c7ef
Author: Uri Lublin <uril at redhat.com>
Date:   Mon Feb 2 12:35:59 2015 +0200

    char-device: spice_char_device_write_to_device: protect against recursion
    
    This fixes Spice's smart card support and is related to
    commit 697f3214fd16adcd524456003619f7f44ddd031b.
    
    Reported-by: Swapna Krishnan <skrishna at redhat.com>
    
    Recursion is now possible starting with spice_char_device_write_to_device
    going through spice_char_device_wakeup (after going through qemu),
    calling again to spice_char_device_write_to_device.
    
    The protecting code is the same as the one protecting the read path.
    
    This function call loop makes the program to abort with the following messages:
    
      usb-ccid: chardev: unexpected message of type 3000000
      qemu: qemu_mutex_lock: Resource deadlock avoided
    
    Backtrace:
    
    (gdb) bt
    * #0  0x00007ffff3fc78c7 in raise () from /lib64/libc.so.6
    * #1  0x00007ffff3fc952a in abort () from /lib64/libc.so.6
    * #2  0x0000555555969a95 in error_exit (err=35,
    *     msg=0x5555559f8c90 <__func__.5119> "qemu_mutex_lock")
    *     at util/qemu-thread-posix.c:48
    * #3  0x0000555555969b82 in qemu_mutex_lock (mutex=0x5555562c4d60)
    *     at util/qemu-thread-posix.c:79
    * #4  0x0000555555714771 in qemu_chr_fe_write (s=0x5555562c4d60,
    *     buf=0x7fffffffd2a0 "", len=12) at qemu-char.c:219
    * #5  0x000055555586be49 in ccid_card_vscard_send_msg (s=0x5555565c5f80,
    *     type=VSC_Error, reader_id=0, payload=0x7fffffffd2e0 "", length=4)
    *     at hw/usb/ccid-card-passthru.c:75
    * #6  0x000055555586bf00 in ccid_card_vscard_send_error (s=0x5555565c5f80,
    *     reader_id=0, code=VSC_GENERAL_ERROR) at
    *     hw/usb/ccid-card-passthru.c:91
    * #7  0x000055555586c559 in ccid_card_vscard_handle_message (
    *     card=0x5555565c5f80, scr_msg_header=0x5555565c6008)
    *     at hw/usb/ccid-card-passthru.c:254
    * #8  0x000055555586c72f in ccid_card_vscard_read (opaque=0x5555565c5f80,
    *     buf=0x5555565034b0 "", size=12) at hw/usb/ccid-card-passthru.c:289
    * #9  0x00005555557149db in qemu_chr_be_write (s=0x5555562c4d60,
    *     buf=0x5555565034b0 "", len=12) at qemu-char.c:305
    * #10 0x000055555571cde5 in vmc_write (sin=0x5555562c4e78,
    *     buf=0x5555565034b0 "", len=12) at spice-qemu-char.c:41
    * #11 0x00007ffff4fa86aa in spice_char_device_write_to_device (
    *     dev=0x55555657f210) at char_device.c:462
    * #12 0x00007ffff4fa9b48 in spice_char_device_wakeup (dev=0x55555657f210)
    *     at char_device.c:862
    * #13 0x00007ffff4ff7658 in spice_server_char_device_wakeup
    *     (sin=0x5555562c4e78) at reds.c:2955
    * #14 0x000055555571d1d2 in spice_chr_write (chr=0x5555562c4d60,
    *     buf=0x7fffffffd560 "", len=12) at spice-qemu-char.c:189
    * #15 0x0000555555714789 in qemu_chr_fe_write (s=0x5555562c4d60,
    *     buf=0x7fffffffd560 "", len=12) at qemu-char.c:220
    * #16 0x000055555586be49 in ccid_card_vscard_send_msg (s=0x5555565c5f80,
    *     type=VSC_Error, reader_id=0, payload=0x7fffffffd5a0 "", length=4)
    *     at hw/usb/ccid-card-passthru.c:75
    * #17 0x000055555586bf00 in ccid_card_vscard_send_error
    * (s=0x5555565c5f80,
    *     reader_id=0, code=VSC_SUCCESS) at hw/usb/ccid-card-passthru.c:91
    * #18 0x000055555586c4fc in ccid_card_vscard_handle_message (
    *     card=0x5555565c5f80, scr_msg_header=0x5555565c6008)
    *     at hw/usb/ccid-card-passthru.c:242
    * #19 0x000055555586c72f in ccid_card_vscard_read (opaque=0x5555565c5f80,
    *     buf=0x5555565034b0 "", size=12) at hw/usb/ccid-card-passthru.c:289
    * #20 0x00005555557149db in qemu_chr_be_write (s=0x5555562c4d60,
    *     buf=0x5555565034b0 "", len=12) at qemu-char.c:305
    * #21 0x000055555571cde5 in vmc_write (sin=0x5555562c4e78,
    *     buf=0x5555565034b0 "", len=12) at spice-qemu-char.c:41
    * #22 0x00007ffff4fa86aa in spice_char_device_write_to_device (
    *     dev=0x55555657f210) at char_device.c:462
    * #23 0x00007ffff4fa8d37 in spice_char_device_write_buffer_add (
    *     dev=0x55555657f210, write_buf=0x555556501f70) at char_device.c:597
    * #24 0x00007ffff501142d in smartcard_channel_write_to_reader (
    *     write_buf=0x555556501f70) at smartcard.c:669
    * #25 0x00007ffff501034c in smartcard_char_device_notify_reader_add (
    *     st=0x55555657ef00) at smartcard.c:335
    * #26 0x00007ffff50112b3 in smartcard_add_reader (scc=0x555556493ee0,
    *     name=0x5555565023cc "E-Gate 0 0") at smartcard.c:642
    * #27 0x00007ffff50118d2 in smartcard_channel_handle_message (
    *     rcc=0x555556493ee0, type=101, size=22, msg=0x5555565023c0 "\003")
    *     at smartcard.c:757
    * #28 0x00007ffff4fbc168 in red_peer_handle_incoming
    *     (stream=0x555556588250, handler=0x555556497ff0) at red_channel.c:308
    * #29 0x00007ffff4fbc231 in red_channel_client_receive
    *     (rcc=0x555556493ee0) at red_channel.c:326
    * #30 0x00007ffff4fc0019 in red_channel_client_event (fd=59, event=1,
    *     data=0x555556493ee0) at red_channel.c:1574
    * #31 0x00005555558b6076 in watch_read (opaque=0x5555565002f0)
    *     at ui/spice-core.c:101
    * #32 0x00005555558e8d48 in qemu_iohandler_poll (pollfds=0x5555562b7630,
    *     ret=2) at iohandler.c:143
    * #33 0x00005555558e89a4 in main_loop_wait (nonblocking=0) at
    * main-loop.c:495
    * #34 0x00005555557219b0 in main_loop () at vl.c:1794
    * #35 0x0000555555729257 in main (argc=40, argv=0x7fffffffddc8,
    *     envp=0x7fffffffdf10) at vl.c:4350

diff --git a/server/char_device.c b/server/char_device.c
index c6dc45b..54357f0 100644
--- a/server/char_device.c
+++ b/server/char_device.c
@@ -64,6 +64,7 @@ struct SpiceCharDeviceState {
     SpiceCharDeviceInstance *sin;
 
     int during_read_from_device;
+    int during_write_to_device;
 
     SpiceCharDeviceCallbacks cbs;
     void *opaque;
@@ -437,6 +438,11 @@ static int spice_char_device_write_to_device(SpiceCharDeviceState *dev)
         return 0;
     }
 
+    /* protect against recursion with spice_char_device_wakeup */
+    if (dev->during_write_to_device++ > 0) {
+        return 0;
+    }
+
     spice_char_device_state_ref(dev);
 
     if (dev->write_to_dev_timer) {
@@ -461,6 +467,11 @@ static int spice_char_device_write_to_device(SpiceCharDeviceState *dev)
                     dev->cur_write_buf_pos;
         n = sif->write(dev->sin, dev->cur_write_buf_pos, write_len);
         if (n <= 0) {
+            if (dev->during_write_to_device > 1) {
+                dev->during_write_to_device = 1;
+                continue; /* a wakeup might have been called during the write -
+                             make sure it doesn't get lost */
+            }
             break;
         }
         total += n;
@@ -485,6 +496,7 @@ static int spice_char_device_write_to_device(SpiceCharDeviceState *dev)
         }
         dev->active = dev->active || total;
     }
+    dev->during_write_to_device = 0;
     spice_char_device_state_unref(dev);
     return total;
 }

More information about the Spice-commits mailing list