qemu-i386-static ioctl return -14 (Bad Address)

Bug #1894071 reported by Tony.LI
Affects: QEMU    Status: Invalid    Importance: Undecided    Assigned to: Unassigned    Milestone: (none)

Bug Description

I use qemu-i386-static on 64-bit ARM, but I don't know how to solve some problems.
First I added some ioctl operations.
Then I tried to do some DRM operations like test.c.
This is successful when I use qemu-x86_64-static, but it fails when I use qemu-i386-static.
I can get some strace info like this:

403 openat(AT_FDCWD,"/dev/dri/card0",O_RDWR|O_LARGEFILE|O_CLOEXEC) = 4
403 ioctl(4,DRM_IOCTL_GET_CAP,{1,0}) = 0 ({1,1})
403 ioctl(4,DRM_IOCTL_MODE_GETRESOURCES,{0,0,0,0,0,0,0,0,0,0,0,0}) = 0 ({0,0,0,0,0,2,2,2,0,16384,0,16384})
403 brk(NULL) = 0x40006000
403 brk(0x40027000) = 0x40027000
403 brk(0x40028000) = 0x40028000
403 ioctl(4,DRM_IOCTL_MODE_GETRESOURCES,{0,1073766816,1073766832,1073766848,0,2,2,2,0,16384,0,16384}) = -1 errno=14 (Bad address)

And there are similar errors in other self-driven operations.
I want to know if it is QEMU's problem, so I hope to get some help.
Thank you!

Revision history for this message
Tony.LI (bigboy0822) wrote :

This problem has bothered me for a long time, but I'm not sure whether it's the ioctl() I added or the 32-bit QEMU. I hope we can discuss it and help our friends who have other problems.

Thank you, my friends!

Revision history for this message
Tony.LI (bigboy0822) wrote :

My environment is:
schroot + debian(bullseye-i386)
qemu: 5.1.0-rc3

Revision history for this message
Laurent Vivier (laurent-vivier) wrote :

Please, send your patches to the QEMU devel mailing list, so we can review them and comment.

https://wiki.qemu.org/Contribute/SubmitAPatch

Revision history for this message
Tony.LI (bigboy0822) wrote :

Hi, I found some problems, but I don't know how to solve them better (I'm not really familiar with the source code).

When I use ioctl() with a structure like this:

struct drm_mode_card_res {
        __u64 fb_id_ptr;
        __u64 crtc_id_ptr;
        __u64 connector_id_ptr;
        __u64 encoder_id_ptr;
        __u32 count_fbs;
        ....
};
And in syscall_types.h
STRUCT(drm_mode_card_res,
        TYPE_PTRVOID,
        TYPE_PTRVOID,
        TYPE_PTRVOID,
        TYPE_PTRVOID,
        TYPE_INT,
        ...
        )
Some code:
        ...
        if (res.count_fbs) {
                res.fb_id_ptr = VOID2U64(drmMalloc(res.count_fbs*sizeof(uint32_t)));
                if (!res.fb_id_ptr)
                        goto err_allocs;
        }
        ...

This is strace:
openat(AT_FDCWD,"/dev/dri/card0",O_RDWR|O_LARGEFILE|O_CLOEXEC) = 4
9469 ioctl(4,DRM_IOCTL_GET_CAP,{1,0}) = 0 ({1,1})
9469 ioctl(4,DRM_IOCTL_MODE_GETRESOURCES,{0x0,0x0,0x0,0x0,0,0,0,0,0,0,0,0}) = 0 ({0x0,0x0,0x0,0x0,0,2,2,2,0,16384,0,16384})
9469 brk(NULL) = 0x40006000
9469 brk(0x40027000) = 0x40027000
9469 brk(0x40028000) = 0x40028000
9469 ioctl(4,DRM_IOCTL_MODE_GETRESOURCES,{0x0,0x0,0x400061a0,0x0,0,2,1073832368,0,0,16384,0,16384}) = -1 errno=14 (Bad address)
9469 brk(0x40027000) = 0x40027000

Look:
9469 ioctl(4,DRM_IOCTL_MODE_GETRESOURCES,{0x0,0x0,0x400061a0,0x0,0,2,1073832368,0,0,16384,0,16384}) = -1 errno=14 (Bad address)

Why does a memory overrun occur here?
I think this is right:
{0x0,0x400061a0,1073832368(0x400061a0),0x400061c0,0,2,2,2,0,16384,0,16384}

Who can help me? Thank you!

Revision history for this message
Laurent Vivier (laurent-vivier) wrote :

You need to use IOCTL_SPECIAL() or STRUCT_SPECIAL() macro to convert the target address to the host address.

Again, share your patches on the qemu-devel mailing list if you want help.
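
The two points raised in this thread, in runnable form. This is an added example, not QEMU's code and not the reporter's patch: it simulates a 32-bit guest issuing DRM_IOCTL_MODE_GETRESOURCES through an emulator that either translates the four __u64 guest addresses to host addresses before the host ioctl (what Laurent's STRUCT_SPECIAL()/IOCTL_SPECIAL() advice amounts to) or passes them through unchanged, and it reads the same struct bytes through four 4-byte pointer slots to show why crtc_id_ptr appears in the third slot of the strace above. Everything outside the UAPI struct layout is an assumption for the demonstration: guest memory is a byte array, g2h() and host_kernel_getresources() are stand-ins for the emulator's address translation and for the kernel (not QEMU's lock_user() or thunk API), the guest addresses 0x100/0x200/0x210/0x220 and the id values 31, 32, 41, 42, 51, 52 are constructed, and a little-endian host is assumed.

```c
/* Added example, not QEMU code and not the reporter's. It simulates what goes wrong when
 * a 32-bit guest's DRM_IOCTL_MODE_GETRESOURCES argument reaches the host kernel without a
 * translating handler: the *_ptr fields are __u64 even on i386 (a 4-byte-pointer description
 * shifts every later field) and they hold GUEST addresses the host cannot dereference.
 * Guest memory is a byte array, a guest address is an offset into it, and
 * host_kernel_getresources() stands in for the real ioctl. Little-endian host assumed. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Field layout of struct drm_mode_card_res from the kernel UAPI (drm_mode.h). */
struct drm_mode_card_res {
    uint64_t fb_id_ptr, crtc_id_ptr, connector_id_ptr, encoder_id_ptr;
    uint32_t count_fbs, count_crtcs, count_connectors, count_encoders;
    uint32_t min_width, max_width, min_height, max_height;
};

#define GUEST_MEM_SIZE 4096
static uint8_t guest_mem[GUEST_MEM_SIZE];   /* simulated guest address space (assumption) */

/* Guest -> host translation with a bounds check; an unmapped range is EFAULT. */
static void *g2h(uint64_t gaddr, size_t len) {
    if (gaddr > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - gaddr) return NULL;
    return guest_mem + gaddr;
}
/* Host-kernel stand-in for one id array. Like copy_to_user(), it only writes
 * through pointers it can reach, which here means inside guest_mem. */
static int host_store_ids(uint64_t hptr, uint32_t have, const uint32_t *ids, uint32_t n) {
    uintptr_t p = (uintptr_t)hptr, lo = (uintptr_t)guest_mem;
    if (!hptr || have < n) return 0;            /* guest only asked for the count */
    if (p < lo || p + n * 4u > lo + GUEST_MEM_SIZE) return -EFAULT;
    memcpy((void *)p, ids, n * 4u);
    return 0;
}
/* Host-kernel stand-in for the ioctl: no framebuffers, two CRTCs, two connectors,
 * two encoders, the same counts and limits as the strace in the report. Ids constructed. */
static int host_kernel_getresources(struct drm_mode_card_res *r) {
    static const uint32_t crtcs[2] = {31, 32}, conns[2] = {41, 42}, encs[2] = {51, 52};
    if (host_store_ids(r->crtc_id_ptr, r->count_crtcs, crtcs, 2) ||
        host_store_ids(r->connector_id_ptr, r->count_connectors, conns, 2) ||
        host_store_ids(r->encoder_id_ptr, r->count_encoders, encs, 2))
        return -EFAULT;
    r->count_fbs = 0; r->count_crtcs = 2; r->count_connectors = 2; r->count_encoders = 2;
    r->min_width = 0; r->max_width = 16384; r->min_height = 0; r->max_height = 16384;
    return 0;
}
/* Rewrite one guest id-array address to a host address; NULL stays NULL. */
static int xlate(uint64_t *field, uint32_t count) {
    if (!*field) return 0;
    void *h = g2h(*field, (size_t)count * 4);
    if (!h) return -EFAULT;
    *field = (uintptr_t)h;
    return 0;
}
/* The emulated ioctl. With translate=1 it does what a translating handler has to do:
 * copy the guest struct, convert the four pointers, call the host, copy the scalar
 * results back, leave the guest's own pointer values untouched. With translate=0
 * the guest addresses go to the host unchanged. */
static int emulate_getresources(uint64_t guest_arg, int translate) {
    struct drm_mode_card_res g, h;
    void *gp = g2h(guest_arg, sizeof g);
    if (!gp) return -EFAULT;
    memcpy(&g, gp, sizeof g);
    h = g;
    if (translate && (xlate(&h.fb_id_ptr, h.count_fbs) || xlate(&h.crtc_id_ptr, h.count_crtcs) ||
        xlate(&h.connector_id_ptr, h.count_connectors) || xlate(&h.encoder_id_ptr, h.count_encoders)))
        return -EFAULT;
    int rc = host_kernel_getresources(&h);
    if (rc) return rc;
    memcpy(&g.count_fbs, &h.count_fbs, 8 * sizeof(uint32_t));   /* counts and limits only */
    memcpy(gp, &g, sizeof g);
    return 0;
}
/* Replays libdrm's drmModeGetResources() from a 32-bit guest: query the counts, place
 * id arrays at constructed guest addresses (zero-extended into the __u64 fields, as a
 * 32-bit guest does), query again. *second_crtc gets the second CRTC id the guest then
 * reads back from its own array. Returns 0 or a negative errno. */
static int guest_get_resources(int translate, uint32_t *second_crtc) {
    const uint64_t ARG = 0x100, CRTCS = 0x200, CONNS = 0x210, ENCS = 0x220;
    struct drm_mode_card_res res = {0};
    int rc;
    memset(guest_mem, 0, sizeof guest_mem);
    memcpy(guest_mem + ARG, &res, sizeof res);
    if ((rc = emulate_getresources(ARG, translate)) != 0) return rc;
    memcpy(&res, guest_mem + ARG, sizeof res);
    res.crtc_id_ptr = CRTCS; res.connector_id_ptr = CONNS; res.encoder_id_ptr = ENCS;
    memcpy(guest_mem + ARG, &res, sizeof res);
    if ((rc = emulate_getresources(ARG, translate)) != 0) return rc;
    memcpy(second_crtc, guest_mem + CRTCS + 4, 4);
    return 0;
}
/* Read the guest struct the way four 4-byte pointer slots (TYPE_PTRVOID on a 32-bit
 * target) would: crtc_id_ptr shows up in slot 2, as in the strace above. */
static uint32_t misdescribed_slot(uint64_t crtc_id_ptr, int slot) {
    struct drm_mode_card_res r = {0};
    uint32_t v;
    r.crtc_id_ptr = crtc_id_ptr;
    memcpy(&v, (const uint8_t *)&r + slot * 4, sizeof v);
    return v;
}
```

With translation the guest reads its CRTC ids back from its own array; without it the host rejects the guest address exactly as the kernel's copy_to_user() does, which is the -14 (EFAULT) in the report. misdescribed_slot(0x400061a0, 2) returns 0x400061a0 while slots 1 and 3 read as zero, matching the shifted values in the second strace.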

Thomas Huth (th-huth)
Changed in qemu:
status: New → Invalid