qemu-devel



From: John Snow
Subject: Re: [Qemu-devel] Use after free problem somewhere in ahci.c or ich.c code
Date: Tue, 22 Aug 2017 14:39:38 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1


On 08/22/2017 02:15 PM, Thomas Huth wrote:
> 
>  Hi!
> 
> Looks like there is a use-after-free problem somewhere in
> the ahci.c or ich.c code when trying to add the ich9-ahci
> on a old PC machine. Using valgrind, I get:
> 

I'll look; it looks like it works okay for pc-i440fx-2.9 as well as 2.0
and 1.7.

1.6 appears to be the most modern board that has issues, as well as 1.4
and the pc-1.2 board you specify.

> $ valgrind x86_64-softmmu/qemu-system-x86_64 -M pc-1.2 -nographic -S
> ==6604== Memcheck, a memory error detector
> ==6604== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==6604== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
> ==6604== Command: x86_64-softmmu/qemu-system-x86_64 -M pc-1.2 -nographic -S
> ==6604== 
> QEMU 2.9.93 monitor - type 'help' for more information
> (qemu) device_add ich9-ahci,id=ich9-ahci
> ==6604== Invalid read of size 8
> ==6604==    at 0x609AB0: object_unparent (object.c:445)
> ==6604==    by 0x4C4478: device_unparent (qdev.c:1095)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x451728: qdev_device_add (qdev-monitor.c:634)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==    by 0x365439: monitor_command_cb (monitor.c:3922)
> ==6604==    by 0x6E5D27: readline_handle_byte (readline.c:393)
> ==6604==    by 0x364311: monitor_read (monitor.c:3905)
> ==6604==    by 0x67C573: mux_chr_read (char-mux.c:216)
> ==6604==  Address 0x15fc5448 is 30,328 bytes inside a block of size 36,288 free'd
> ==6604==    at 0x4C2ACDD: free (vg_replace_malloc.c:530)
> ==6604==    by 0xA04EBCD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
> ==6604==    by 0x5428AB: pci_qdev_unrealize (pci.c:1083)
> ==6604==    by 0x4C5EE9: device_set_realized (qdev.c:988)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==  Block was alloc'd at
> ==6604==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> ==6604==    by 0xA04EB15: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
> ==6604==    by 0x501098: pci_ich9_ahci_realize (ich.c:115)
> ==6604==    by 0x543E6D: pci_qdev_realize (pci.c:2002)
> ==6604==    by 0x4C5E69: device_set_realized (qdev.c:914)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604== 
> ==6604== Invalid read of size 8
> ==6604==    at 0x60A350: object_finalize_child_property (object.c:1395)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x4C4478: device_unparent (qdev.c:1095)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x451728: qdev_device_add (qdev-monitor.c:634)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==    by 0x365439: monitor_command_cb (monitor.c:3922)
> ==6604==    by 0x6E5D27: readline_handle_byte (readline.c:393)
> ==6604==    by 0x364311: monitor_read (monitor.c:3905)
> ==6604==  Address 0x15fc5428 is 30,296 bytes inside a block of size 36,288 free'd
> ==6604==    at 0x4C2ACDD: free (vg_replace_malloc.c:530)
> ==6604==    by 0xA04EBCD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
> ==6604==    by 0x5428AB: pci_qdev_unrealize (pci.c:1083)
> ==6604==    by 0x4C5EE9: device_set_realized (qdev.c:988)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==  Block was alloc'd at
> ==6604==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> ==6604==    by 0xA04EB15: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
> ==6604==    by 0x501098: pci_ich9_ahci_realize (ich.c:115)
> ==6604==    by 0x543E6D: pci_qdev_realize (pci.c:2002)
> ==6604==    by 0x4C5E69: device_set_realized (qdev.c:914)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604== 
> ==6604== Invalid read of size 8
> ==6604==    at 0x609CA9: object_dynamic_cast_assert (object.c:614)
> ==6604==    by 0x4C879F: bus_unparent (bus.c:115)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x4C4478: device_unparent (qdev.c:1095)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x451728: qdev_device_add (qdev-monitor.c:634)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==    by 0x365439: monitor_command_cb (monitor.c:3922)
> ==6604==  Address 0x15fc5428 is 30,296 bytes inside a block of size 36,288 free'd
> ==6604==    at 0x4C2ACDD: free (vg_replace_malloc.c:530)
> ==6604==    by 0xA04EBCD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
> ==6604==    by 0x5428AB: pci_qdev_unrealize (pci.c:1083)
> ==6604==    by 0x4C5EE9: device_set_realized (qdev.c:988)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==  Block was alloc'd at
> ==6604==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> ==6604==    by 0xA04EB15: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
> ==6604==    by 0x501098: pci_ich9_ahci_realize (ich.c:115)
> ==6604==    by 0x543E6D: pci_qdev_realize (pci.c:2002)
> ==6604==    by 0x4C5E69: device_set_realized (qdev.c:914)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604== 
> ==6604== Invalid read of size 8
> ==6604==    at 0x609CCB: object_dynamic_cast_assert (object.c:621)
> ==6604==    by 0x4C879F: bus_unparent (bus.c:115)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x4C4478: device_unparent (qdev.c:1095)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x451728: qdev_device_add (qdev-monitor.c:634)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==    by 0x365439: monitor_command_cb (monitor.c:3922)
> ==6604==  Address 0x15fc5428 is 30,296 bytes inside a block of size 36,288 free'd
> ==6604==    at 0x4C2ACDD: free (vg_replace_malloc.c:530)
> ==6604==    by 0xA04EBCD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
> ==6604==    by 0x5428AB: pci_qdev_unrealize (pci.c:1083)
> ==6604==    by 0x4C5EE9: device_set_realized (qdev.c:988)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==  Block was alloc'd at
> ==6604==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> ==6604==    by 0xA04EB15: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
> ==6604==    by 0x501098: pci_ich9_ahci_realize (ich.c:115)
> ==6604==    by 0x543E6D: pci_qdev_realize (pci.c:2002)
> ==6604==    by 0x4C5E69: device_set_realized (qdev.c:914)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604== 
> ==6604== Invalid read of size 8
> ==6604==    at 0x4C87A0: bus_unparent (bus.c:118)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x4C4478: device_unparent (qdev.c:1095)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x451728: qdev_device_add (qdev-monitor.c:634)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==    by 0x365439: monitor_command_cb (monitor.c:3922)
> ==6604==    by 0x6E5D27: readline_handle_byte (readline.c:393)
> ==6604==  Address 0x15fc5470 is 30,368 bytes inside a block of size 36,288 free'd
> ==6604==    at 0x4C2ACDD: free (vg_replace_malloc.c:530)
> ==6604==    by 0xA04EBCD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
> ==6604==    by 0x5428AB: pci_qdev_unrealize (pci.c:1083)
> ==6604==    by 0x4C5EE9: device_set_realized (qdev.c:988)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==  Block was alloc'd at
> ==6604==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> ==6604==    by 0xA04EB15: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
> ==6604==    by 0x501098: pci_ich9_ahci_realize (ich.c:115)
> ==6604==    by 0x543E6D: pci_qdev_realize (pci.c:2002)
> ==6604==    by 0x4C5E69: device_set_realized (qdev.c:914)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604== 
> ==6604== Invalid read of size 8
> ==6604==    at 0x4C87C1: bus_unparent (bus.c:122)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x4C4478: device_unparent (qdev.c:1095)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x451728: qdev_device_add (qdev-monitor.c:634)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==    by 0x365439: monitor_command_cb (monitor.c:3922)
> ==6604==    by 0x6E5D27: readline_handle_byte (readline.c:393)
> ==6604==  Address 0x15fc5450 is 30,336 bytes inside a block of size 36,288 free'd
> ==6604==    at 0x4C2ACDD: free (vg_replace_malloc.c:530)
> ==6604==    by 0xA04EBCD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
> ==6604==    by 0x5428AB: pci_qdev_unrealize (pci.c:1083)
> ==6604==    by 0x4C5EE9: device_set_realized (qdev.c:988)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
> ==6604==  Block was alloc'd at
> ==6604==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
> ==6604==    by 0xA04EB15: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
> ==6604==    by 0x501098: pci_ich9_ahci_realize (ich.c:115)
> ==6604==    by 0x543E6D: pci_qdev_realize (pci.c:2002)
> ==6604==    by 0x4C5E69: device_set_realized (qdev.c:914)
> ==6604==    by 0x608DCD: property_set_bool (object.c:1886)
> ==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
> ==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
> ==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> ==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
> ==6604== 
> ==6604== Invalid read of size 8
> ==6604==    at 0x4C87C8: bus_unparent (bus.c:123)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x4C4478: device_unparent (qdev.c:1095)
> ==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
> ==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
> ==6604==    by 0x451728: qdev_device_add (qdev-monitor.c:634)
> ==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
> Unsupported bus. Bus doesn't have property 'acpi-pcihp-bsel' set
> 
> Does anybody have an idea what could be wrong here?
> 

Is it expected that this should be addable to these old boards?

Best guess is some code that we added to unrealize the AHCI device does
not work exactly correctly; I've no clue about the acpi-pcihp-bsel
property, though.

>  Thanks,
>   Thomas
> 

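A triage helper for memcheck traces like the one quoted above, added here as an example and not part of this thread or of QEMU: it parses each "Invalid read" report into its access, free and alloc stacks, tolerates the mail quoting, and groups reports by the owning free and alloc sites, so the seven reports above collapse to one root cause (block freed from pci_ich9_uninit, allocated in ahci_realize) with the list of access sites that touched it. The sample input is a constructed, abbreviated excerpt of that trace.

```python
import re
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
FREED = re.compile(r"Address 0x[0-9a-f]+ is ([\d,]+) bytes inside a block of size ([\d,]+) free'd")
ALLOCATOR = {"free", "g_free", "calloc", "malloc", "realloc", "g_malloc", "g_malloc0"}

def parse_memcheck(text):
    """Split memcheck output into UAF reports: access/free/alloc stacks, offset and block size."""
    reports, stack = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # tolerate mail-quoted logs such as the one in this thread
        if "Invalid read of size" in line or "Invalid write of size" in line:
            reports.append({"access": [], "free": [], "alloc": []})
            stack = "access"
        elif reports and (m := FREED.search(line)):  # ends the access stack, starts the free stack
            reports[-1]["offset"], reports[-1]["size"] = [int(g.replace(",", "")) for g in m.groups()]
            stack = "free"
        elif "Block was alloc'd at" in line:
            stack = "alloc"
        elif reports and (m := FRAME.match(line)):
            reports[-1][stack].append(m.groups())  # (function, location)
    return reports

def owner_site(frames):
    """Location of the first frame that is not the allocator wrapper itself, i.e. the owning code."""
    return next((loc for func, loc in frames if func not in ALLOCATOR), frames[0][1] if frames else "?")

def summarize(text):
    """Group reports by (free site, alloc site): one key per root cause, listing every access site."""
    groups = {}
    for r in parse_memcheck(text):
        key = (owner_site(r["free"]), owner_site(r["alloc"]))
        groups.setdefault(key, set()).add(r["access"][0][1] if r["access"] else "?")
    return {k: sorted(v) for k, v in groups.items()}
# Constructed sample: two of the seven reports from this thread, frames trimmed, mail quoting kept.
SAMPLE = """\
> ==6604== Invalid read of size 8
> ==6604==    at 0x609AB0: object_unparent (object.c:445)
> ==6604==  Address 0x15fc5448 is 30,328 bytes inside a block of size 36,288 free'd
> ==6604==    at 0x4C2ACDD: free (vg_replace_malloc.c:530)
> ==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
> ==6604==  Block was alloc'd at
> ==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
> ==6604== Invalid read of size 8
> ==6604==    at 0x4C87A0: bus_unparent (bus.c:118)
> ==6604==  Address 0x15fc5470 is 30,368 bytes inside a block of size 36,288 free'd
> ==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
> ==6604==  Block was alloc'd at
> ==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
"""
```

The offset within the freed block (30,328 of 36,288 bytes here) is worth keeping: it tells you which field of the allocation the late reader dereferenced.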


