From nobody Tue Nov 4 12:05:11 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1503938157539975.518473070029; Mon, 28 Aug 2017 09:35:57 -0700 (PDT) Received: from localhost ([::1]:40601 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dmN0z-0001Nh-Ss for importer@patchew.org; Mon, 28 Aug 2017 12:35:53 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:43568) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dmN08-0000vI-LP for qemu-devel@nongnu.org; Mon, 28 Aug 2017 12:35:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dmN07-0005yD-HL for qemu-devel@nongnu.org; Mon, 28 Aug 2017 12:35:00 -0400 Received: from mx1.redhat.com ([209.132.183.28]:59824) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dmN01-0005Vx-L7; Mon, 28 Aug 2017 12:34:53 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7E5C17EA84; Mon, 28 Aug 2017 16:34:52 +0000 (UTC) Received: from dell-r430-03.lab.eng.brq.redhat.com (dell-r430-03.lab.eng.brq.redhat.com [10.34.112.60]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5C2CF60605; Mon, 28 Aug 2017 16:34:46 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 7E5C17EA84 Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=imammedo@redhat.com From: Igor Mammedov To: qemu-devel@nongnu.org Date: Mon, 28 Aug 2017 18:34:45 +0200 Message-Id: <1503938085-169486-1-git-send-email-imammedo@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Mon, 28 Aug 2017 16:34:52 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children buses before freeing their memory X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: thuth@redhat.com, jsnow@redhat.com, f4bug@amsat.org, qemu-block@nongnu.org, mst@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Fixes read after freeing error reported https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04243.html Message-Id: <59a56959-ca12-ea75-33fa-ff07eba1b090@redhat.com> ich9-ahci device creates ide buses and attaches them as QOM children at realize time, however it forgets to properly clean them up at unrealize time and frees memory containing these children, with following call-chain: qdev_device_add() object_property_set_bool('realized', true) device_set_realized() ... pci_qdev_realize() -> pci_ich9_ahci_realize() -> ahci_realize() ... s->dev =3D g_new0(AHCIDevice, ports); ... AHCIDevice *ad =3D &s->dev[i]; ide_bus_new(&ad->port, sizeof(ad->port), qdev, i, 1); ^^^ creates bus in memory allocated by above gnew() and adds it as child propety to ahci device ... hotplug_handler_plug(); -> goto post_realize_fail; pci_qdev_unrealize() -> pci_ich9_uninit() -> ahci_uninit() ... g_free(s->dev); ^^^ free memory that holds children busses return with error from device_set_realized() As result later when qdev_device_add() tries to unparent ich9-ahci after failed device_set_realized(), object_unparent() -> object_property_del_child() iterates over existing QOM children including buses added by ide_bus_new() and tries to unparent them, which causes access to freed memory where they where located. Reported-by: Thomas Huth Signed-off-by: Igor Mammedov Reviewed-by: John Snow Reviewed-by: Michael S. Tsirkin Reviewed-by: Philippe Mathieu-Daud=C3=A9 Tested-by: Thomas Huth --- hw/ide/ahci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c index 406a1b5..ccbe091 100644 --- a/hw/ide/ahci.c +++ b/hw/ide/ahci.c @@ -1495,6 +1495,7 @@ void ahci_uninit(AHCIState *s) =20 ide_exit(s); } + object_unparent(OBJECT(&ad->port)); } =20 g_free(s->dev); --=20 2.7.4