Peter Maydell <[email protected]> writes: > In the astro PCI host bridge device, we call pci_register_root_bus() > in the device's instance_init. This is a problem for two reasons > * the PCI bridge is then available to the rest of the simulation > (e.g. via pci_qdev_find_device()), even though it hasn't > yet been realized > * we do not attempt to unregister in an instance_deinit, > which means that if you go through an instance_init -> deinit > lifecycle the freed memory for the host-bridge device is > left on the pci_host_bridges list > > ASAN reports the resulting use-after-free: > > ==1776584==ERROR: AddressSanitizer: heap-use-after-free on address > 0x51f00000cb00 at pc 0x5b2d460a89b5 bp 0x7ffef7617f50 sp 0x7ffef7617f48 > WRITE of size 8 at 0x51f00000cb00 thread T0 > #0 0x5b2d460a89b4 in pci_host_bus_register > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5 > #1 0x5b2d46093566 in pci_root_bus_internal_init > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5 > #2 0x5b2d460935e0 in pci_root_bus_new > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5 > #3 0x5b2d46093fe5 in pci_register_root_bus > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11 > #4 0x5b2d46fe2335 in elroy_pcihost_init > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/astro.c:455:16 > > 0x51f00000cb00 is located 1664 bytes inside of 3456-byte region > [0x51f00000c480,0x51f00000d200) > freed by thread T0 here: > #0 0x5b2d4582385a in free > (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) > (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8) > #1 0x5b2d47160723 in object_finalize > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9 > #2 0x5b2d471589db in object_unref > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9 > #3 0x5b2d477d373c in qmp_device_list_properties > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5 > > previously allocated by thread T0 here: > #0 0x5b2d45823af3 in malloc > (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) > (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8) > #1 0x79728fa08b09 in g_malloc > (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: > 1eb6131419edb83b2178b682829a6913cf682d75) > #2 0x5b2d471595fc in object_new_with_type > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15 > #3 0x5b2d47159409 in object_new_with_class > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12 > #4 0x5b2d477d29a5 in qmp_device_list_properties > /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11 > > Cc: [email protected] > Fixes: e029bb00a79be ("hw/pci-host: Add Astro system bus adapter found on > PA-RISC machines") > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118 > Signed-off-by: Peter Maydell <[email protected]>
with the typo fix: Reviewed-by: Alex Bennée <[email protected]> -- Alex Bennée Virtualisation Tech Lead @ Linaro
