[BUG Report] Got a use-after-free error while starting an arm64 VM with lots of PCI controllers
Hi,
We got a use-after-free report in our Euler Robot Test; it can be reproduced
quite easily.
It can be reproduced by starting a VM with many PCI controllers (pci-bridge
devices) and virtio-scsi devices.
The full QEMU log is attached.
We have analyzed the log and roughly understand how it happens, but do not
know how to fix it. From the trace, the region freed in pci_bridge_update_mappings
(on the vCPU thread, while handling a guest PCI config-space write reached via
kvm_cpu_exec -> address_space_write) appears to still be referenced by a
FlatView that the RCU thread later tears down in flatview_destroy, which is
where memory_region_unref reads the freed memory. Because the freeing path is
driven by a guest config-space write, this looks guest-triggerable, not only a
boot-time race.
Could anyone help to fix it ?
The key messages are shown below:
char device redirected to /dev/pts/1 (label charserial0)
==1517174==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
=================================================================
==1517174==ERROR: AddressSanitizer: heap-use-after-free on address
0xfffc31a002a0 at pc 0xaaad73e1f668 bp 0xfffc319fddb0 sp 0xfffc319fddd0
READ of size 8 at 0xfffc31a002a0 thread T1
#0 0xaaad73e1f667 in memory_region_unref /home/qemu/memory.c:1771
#1 0xaaad73e1f667 in flatview_destroy /home/qemu/memory.c:291
#2 0xaaad74adc85b in call_rcu_thread util/rcu.c:283
#3 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
#4 0xfffc3a1678bb (/lib64/libpthread.so.0+0x78bb)
#5 0xfffc3a0a616b (/lib64/libc.so.6+0xd616b)
0xfffc31a002a0 is located 544 bytes inside of 1440-byte region
[0xfffc31a00080,0xfffc31a00620)
freed by thread T37 (CPU 0/KVM) here:
#0 0xfffc3c102e23 in free (/lib64/libasan.so.4+0xd2e23)
#1 0xfffc3bbc729f in g_free (/lib64/libglib-2.0.so.0+0x5729f)
#2 0xaaad745cce03 in pci_bridge_update_mappings hw/pci/pci_bridge.c:245
#3 0xaaad745ccf33 in pci_bridge_write_config hw/pci/pci_bridge.c:271
#4 0xaaad745ba867 in pci_bridge_dev_write_config
hw/pci-bridge/pci_bridge_dev.c:153
#5 0xaaad745d6013 in pci_host_config_write_common hw/pci/pci_host.c:81
#6 0xaaad73e2346f in memory_region_write_accessor /home/qemu/memory.c:483
#7 0xaaad73e1d9ff in access_with_adjusted_size /home/qemu/memory.c:544
#8 0xaaad73e28d1f in memory_region_dispatch_write /home/qemu/memory.c:1482
#9 0xaaad73d7274f in flatview_write_continue /home/qemu/exec.c:3167
#10 0xaaad73d72a53 in flatview_write /home/qemu/exec.c:3207
#11 0xaaad73d7c8c3 in address_space_write /home/qemu/exec.c:3297
#12 0xaaad73e5059b in kvm_cpu_exec /home/qemu/accel/kvm/kvm-all.c:2386
#13 0xaaad73e07ac7 in qemu_kvm_cpu_thread_fn /home/qemu/cpus.c:1246
#14 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
#15 0xfffc3a1678bb (/lib64/libpthread.so.0+0x78bb)
#16 0xfffc3a0a616b (/lib64/libc.so.6+0xd616b)
previously allocated by thread T0 here:
#0 0xfffc3c1031cb in __interceptor_malloc (/lib64/libasan.so.4+0xd31cb)
#1 0xfffc3bbc7163 in g_malloc (/lib64/libglib-2.0.so.0+0x57163)
#2 0xaaad745ccb57 in pci_bridge_region_init hw/pci/pci_bridge.c:188
#3 0xaaad745cd8cb in pci_bridge_initfn hw/pci/pci_bridge.c:385
#4 0xaaad745baaf3 in pci_bridge_dev_realize
hw/pci-bridge/pci_bridge_dev.c:64
#5 0xaaad745cacd7 in pci_qdev_realize hw/pci/pci.c:2095
#6 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
#7 0xaaad7485ed23 in property_set_bool qom/object.c:2102
#8 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
#9 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
#10 0xaaad742a53b7 in qdev_device_add /home/qemu/qdev-monitor.c:675
#11 0xaaad742a9c7b in device_init_func /home/qemu/vl.c:2074
#12 0xaaad74ad4d33 in qemu_opts_foreach util/qemu-option.c:1170
#13 0xaaad73d60c17 in main /home/qemu/vl.c:4313
#14 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
#15 0xaaad73d6db33
(/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)
Thread T1 created by T0 here:
#0 0xfffc3c068f6f in __interceptor_pthread_create
(/lib64/libasan.so.4+0x38f6f)
#1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
#2 0xaaad74adc6a7 in rcu_init_complete util/rcu.c:326
#3 0xaaad74bab2a7 in __libc_csu_init
(/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x17cb2a7)
#4 0xfffc39ff0b47 in __libc_start_main (/lib64/libc.so.6+0x20b47)
#5 0xaaad73d6db33 (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)
Thread T37 (CPU 0/KVM) created by T0 here:
#0 0xfffc3c068f6f in __interceptor_pthread_create
(/lib64/libasan.so.4+0x38f6f)
#1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
#2 0xaaad73e09b0f in qemu_dummy_start_vcpu /home/qemu/cpus.c:2045
#3 0xaaad73e09b0f in qemu_init_vcpu /home/qemu/cpus.c:2077
#4 0xaaad740d36b7 in arm_cpu_realizefn /home/qemu/target/arm/cpu.c:1712
#5 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
#6 0xaaad7485ed23 in property_set_bool qom/object.c:2102
#7 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
#8 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
#9 0xaaad73fe3e67 in machvirt_init /home/qemu/hw/arm/virt.c:1682
#10 0xaaad743acfc7 in machine_run_board_init hw/core/machine.c:1077
#11 0xaaad73d60b73 in main /home/qemu/vl.c:4292
#12 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
#13 0xaaad73d6db33
(/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)
SUMMARY: AddressSanitizer: heap-use-after-free /home/qemu/memory.c:1771 in
memory_region_unref
Thanks
use-after-free-qemu.log
Description:
Text document
Cc: address@hidden
On 1/17/2020 4:18 PM, Pan Nengyuan wrote:
>
Hi,
>
>
We got a use-after-free report in our Euler Robot Test, it is can be
>
reproduced quite easily,
>
It can be reproduced by start VM with lots of pci controller and virtio-scsi
>
devices.
>
You can find the full qemu log from attachment.
>
We have analyzed the log and got the rough process how it happened, but don't
>
know how to fix it.
>
>
Could anyone help to fix it ?
>
>
The key message shows bellow:
>
har device redirected to /dev/pts/1 (label charserial0)
>
==1517174==WARNING: ASan doesn't fully support makecontext/swapcontext
>
functions and may produce false positives in some cases!
>
=================================================================
>
==1517174==ERROR: AddressSanitizer: heap-use-after-free on address
>
0xfffc31a002a0 at pc 0xaaad73e1f668 bp 0xfffc319fddb0 sp 0xfffc319fddd0
>
READ of size 8 at 0xfffc31a002a0 thread T1
>
#0 0xaaad73e1f667 in memory_region_unref /home/qemu/memory.c:1771
>
#1 0xaaad73e1f667 in flatview_destroy /home/qemu/memory.c:291
>
#2 0xaaad74adc85b in call_rcu_thread util/rcu.c:283
>
#3 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
>
#4 0xfffc3a1678bb (/lib64/libpthread.so.0+0x78bb)
>
#5 0xfffc3a0a616b (/lib64/libc.so.6+0xd616b)
>
>
0xfffc31a002a0 is located 544 bytes inside of 1440-byte region
>
[0xfffc31a00080,0xfffc31a00620)
>
freed by thread T37 (CPU 0/KVM) here:
>
#0 0xfffc3c102e23 in free (/lib64/libasan.so.4+0xd2e23)
>
#1 0xfffc3bbc729f in g_free (/lib64/libglib-2.0.so.0+0x5729f)
>
#2 0xaaad745cce03 in pci_bridge_update_mappings hw/pci/pci_bridge.c:245
>
#3 0xaaad745ccf33 in pci_bridge_write_config hw/pci/pci_bridge.c:271
>
#4 0xaaad745ba867 in pci_bridge_dev_write_config
>
hw/pci-bridge/pci_bridge_dev.c:153
>
#5 0xaaad745d6013 in pci_host_config_write_common hw/pci/pci_host.c:81
>
#6 0xaaad73e2346f in memory_region_write_accessor /home/qemu/memory.c:483
>
#7 0xaaad73e1d9ff in access_with_adjusted_size /home/qemu/memory.c:544
>
#8 0xaaad73e28d1f in memory_region_dispatch_write /home/qemu/memory.c:1482
>
#9 0xaaad73d7274f in flatview_write_continue /home/qemu/exec.c:3167
>
#10 0xaaad73d72a53 in flatview_write /home/qemu/exec.c:3207
>
#11 0xaaad73d7c8c3 in address_space_write /home/qemu/exec.c:3297
>
#12 0xaaad73e5059b in kvm_cpu_exec /home/qemu/accel/kvm/kvm-all.c:2386
>
#13 0xaaad73e07ac7 in qemu_kvm_cpu_thread_fn /home/qemu/cpus.c:1246
>
#14 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
>
#15 0xfffc3a1678bb (/lib64/libpthread.so.0+0x78bb)
>
#16 0xfffc3a0a616b (/lib64/libc.so.6+0xd616b)
>
>
previously allocated by thread T0 here:
>
#0 0xfffc3c1031cb in __interceptor_malloc (/lib64/libasan.so.4+0xd31cb)
>
#1 0xfffc3bbc7163 in g_malloc (/lib64/libglib-2.0.so.0+0x57163)
>
#2 0xaaad745ccb57 in pci_bridge_region_init hw/pci/pci_bridge.c:188
>
#3 0xaaad745cd8cb in pci_bridge_initfn hw/pci/pci_bridge.c:385
>
#4 0xaaad745baaf3 in pci_bridge_dev_realize
>
hw/pci-bridge/pci_bridge_dev.c:64
>
#5 0xaaad745cacd7 in pci_qdev_realize hw/pci/pci.c:2095
>
#6 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
>
#7 0xaaad7485ed23 in property_set_bool qom/object.c:2102
>
#8 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
>
#9 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
>
#10 0xaaad742a53b7 in qdev_device_add /home/qemu/qdev-monitor.c:675
>
#11 0xaaad742a9c7b in device_init_func /home/qemu/vl.c:2074
>
#12 0xaaad74ad4d33 in qemu_opts_foreach util/qemu-option.c:1170
>
#13 0xaaad73d60c17 in main /home/qemu/vl.c:4313
>
#14 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
>
#15 0xaaad73d6db33
>
(/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)
>
>
Thread T1 created by T0 here:
>
#0 0xfffc3c068f6f in __interceptor_pthread_create
>
(/lib64/libasan.so.4+0x38f6f)
>
#1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
>
#2 0xaaad74adc6a7 in rcu_init_complete util/rcu.c:326
>
#3 0xaaad74bab2a7 in __libc_csu_init
>
(/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x17cb2a7)
>
#4 0xfffc39ff0b47 in __libc_start_main (/lib64/libc.so.6+0x20b47)
>
#5 0xaaad73d6db33
>
(/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)
>
>
Thread T37 (CPU 0/KVM) created by T0 here:
>
#0 0xfffc3c068f6f in __interceptor_pthread_create
>
(/lib64/libasan.so.4+0x38f6f)
>
#1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
>
#2 0xaaad73e09b0f in qemu_dummy_start_vcpu /home/qemu/cpus.c:2045
>
#3 0xaaad73e09b0f in qemu_init_vcpu /home/qemu/cpus.c:2077
>
#4 0xaaad740d36b7 in arm_cpu_realizefn /home/qemu/target/arm/cpu.c:1712
>
#5 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
>
#6 0xaaad7485ed23 in property_set_bool qom/object.c:2102
>
#7 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
>
#8 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
>
#9 0xaaad73fe3e67 in machvirt_init /home/qemu/hw/arm/virt.c:1682
>
#10 0xaaad743acfc7 in machine_run_board_init hw/core/machine.c:1077
>
#11 0xaaad73d60b73 in main /home/qemu/vl.c:4292
>
#12 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
>
#13 0xaaad73d6db33
>
(/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)
>
>
SUMMARY: AddressSanitizer: heap-use-after-free /home/qemu/memory.c:1771 in
>
memory_region_unref
>
>
Thanks
>
use-after-free-qemu.log
Description:
Text document