From patchwork Wed Aug 6 20:39:56 2014
X-Patchwork-Submitter: Michael Roth
X-Patchwork-Id: 35001
From: Michael Roth
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org
Date: Wed, 6 Aug 2014 15:39:56 -0500
Message-Id: <1407357598-21541-107-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1407357598-21541-1-git-send-email-mdroth@linux.vnet.ibm.com>
References: <1407357598-21541-1-git-send-email-mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 106/108] vmstate_xhci_event: fix unterminated field list
X-Original-Sender: mdroth@linux.vnet.ibm.com
From: Laszlo Ersek

"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
migration support"), and first released in v1.6.0.

The field list in this VMSD is not terminated with the VMSTATE_END_OF_LIST()
macro. During normal use (i.e. migration), the issue is practically invisible,
because the "vmstate_xhci_event" object (with the unterminated field list) is
only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full() returns
true, for the "ev_buffer" test. Since that field_exists() check (apparently)
almost always returns false, we almost never traverse "vmstate_xhci_event"
during migration, which hides the bug.

However, Amit's vmstate checker forces recursion into this VMSD as well, and
the lack of VMSTATE_END_OF_LIST() breaks the field list terminator check
(field->name != NULL) in dump_vmstate_vmsd(). The result is undefined
behavior, which in my case translates to infinite recursion (because the loop
happens to overflow into "vmstate_xhci_intr", which then links back to
"vmstate_xhci_event").

Add the missing terminator.

Signed-off-by: Laszlo Ersek
Reviewed-by: Amit Shah
Reviewed-by: Paolo Bonzini
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell
(cherry picked from commit 3afca1d6d413592c2b78cf28f52fa24a586d8f56)
Signed-off-by: Michael Roth
---
 hw/usb/hcd-xhci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index ef3177a..0ceb10d 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3703,6 +3703,7 @@ static const VMStateDescription vmstate_xhci_event = {
         VMSTATE_UINT32(flags, XHCIEvent),
         VMSTATE_UINT8(slotid, XHCIEvent),
         VMSTATE_UINT8(epid, XHCIEvent),
+        VMSTATE_END_OF_LIST()
     }
 };
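Review bot: the added VMSTATE_END_OF_LIST() after the epid entry is the right fix, but nothing at compile time or during an ordinary migration flags an omitted terminator, since the walker's only stop condition is field->name != NULL and the VMSD does not record the length of its field array; given that the commit message says the overrun landed in "vmstate_xhci_intr", it is worth confirming in the same file that "vmstate_xhci_intr" and every other VMSD it reaches through "ev_buffer" also end in VMSTATE_END_OF_LIST(), and that the field order flags, slotid, epid is untouched so the stream layout from v1.6.0 is preserved.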
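To make the failure mode in the commit message concrete, here is an added example (not code from QEMU, from this patch, or from its author) that models VMStateField/VMStateDescription with a reduced, assumed layout and shows the two checks a reviewer would want: a bounded walk that reports an unterminated list instead of running past the array, and a dump in the style of dump_vmstate_vmsd() with a recursion-depth guard. The struct members, the ARRAY_SIZE macro, the XHCIInterrupter stand-in and the helper names vmsd_count_fields/vmsd_dump are assumptions for illustration. In the real QEMU structures a VMSD only stores a pointer to its field array, so the real walker has no capacity to compare against, which is why the terminator is mandatory.

```c
#include <stddef.h>
#include <stdio.h>

/* Reduced model of QEMU's VMStateField / VMStateDescription (assumed layout,
 * for illustration only; the real structs carry many more members). A field
 * list is a bare array whose end is marked by an entry with name == NULL,
 * which is what VMSTATE_END_OF_LIST() expands to. */
typedef struct VMStateDescription VMStateDescription;

typedef struct VMStateField {
    const char *name;
    size_t offset;
    const VMStateDescription *vmsd;   /* non-NULL for nested struct fields */
} VMStateField;

struct VMStateDescription {
    const char *name;
    const VMStateField *fields;       /* pointer only: the array length is not recorded */
};

#define VMSTATE_END_OF_LIST() { NULL, 0, NULL }
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

typedef struct XHCIEvent {
    unsigned flags;
    unsigned char slotid;
    unsigned char epid;
} XHCIEvent;

/* Terminated field list: the shape hcd-xhci.c has after the patch. */
static const VMStateField xhci_event_fields[] = {
    { "flags",  offsetof(XHCIEvent, flags),  NULL },
    { "slotid", offsetof(XHCIEvent, slotid), NULL },
    { "epid",   offsetof(XHCIEvent, epid),   NULL },
    VMSTATE_END_OF_LIST()
};
static const VMStateDescription vmstate_xhci_event = { "xhci_event", xhci_event_fields };

/* The same fields without the terminator: the shape before the patch. */
static const VMStateField xhci_event_fields_unterminated[] = {
    { "flags",  offsetof(XHCIEvent, flags),  NULL },
    { "slotid", offsetof(XHCIEvent, slotid), NULL },
    { "epid",   offsetof(XHCIEvent, epid),   NULL },
};

/* A parent VMSD nesting vmstate_xhci_event, as vmstate_xhci_intr does via ev_buffer
 * (assumed stand-in for the real interrupter state). */
typedef struct XHCIInterrupter { XHCIEvent ev_buffer[4]; } XHCIInterrupter;
static const VMStateField xhci_intr_fields[] = {
    { "ev_buffer", offsetof(XHCIInterrupter, ev_buffer), &vmstate_xhci_event },
    VMSTATE_END_OF_LIST()
};
static const VMStateDescription vmstate_xhci_intr = { "xhci_intr", xhci_intr_fields };

/* Bounded walk: number of named fields before the terminator, or -1 if no
 * terminator exists within `capacity` entries. The unbounded walker
 * (for (f = fields; f->name; f++)) has nothing to compare against and keeps
 * reading whatever happens to follow the array. */
int vmsd_count_fields(const VMStateField *fields, size_t capacity)
{
    for (size_t i = 0; i < capacity; i++) {
        if (fields[i].name == NULL) {
            return (int)i;
        }
    }
    return -1;
}

/* Recursive dump in the style of dump_vmstate_vmsd(), plus a depth guard so a
 * cycle between VMSDs returns -1 instead of recursing until the stack is gone.
 * Returns the number of fields visited across all nested VMSDs; pass
 * out == NULL to count without printing. */
int vmsd_dump(const VMStateDescription *vmsd, int depth, FILE *out)
{
    if (depth > 16) {
        return -1;
    }
    int total = 0;
    for (const VMStateField *f = vmsd->fields; f->name != NULL; f++) {
        if (out != NULL) {
            fprintf(out, "%*s%s.%s\n", depth * 2, "", vmsd->name, f->name);
        }
        total++;
        if (f->vmsd != NULL) {
            int nested = vmsd_dump(f->vmsd, depth + 1, out);
            if (nested < 0) {
                return -1;
            }
            total += nested;
        }
    }
    return total;
}

int main(void)
{
    printf("terminated list: %d fields\n",
           vmsd_count_fields(xhci_event_fields, ARRAY_SIZE(xhci_event_fields)));
    printf("unterminated list: %d (no terminator within the array)\n",
           vmsd_count_fields(xhci_event_fields_unterminated,
                             ARRAY_SIZE(xhci_event_fields_unterminated)));
    printf("dump of vmstate_xhci_intr visited %d fields\n",
           vmsd_dump(&vmstate_xhci_intr, 0, stdout));
    return 0;
}
```

The bounded count only works because the arrays are visible at their definition site; once a VMSD hands out a bare pointer the length is gone, so a check like this belongs next to each field-list definition (or in a generated table of all VMSDs), not in the migration walker.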