From: Philippe Mathieu-Daudé
To: Igor Mammedov, "Michael S . Tsirkin", Thomas Huth, John Snow
Cc: Philippe Mathieu-Daudé, Qemu-block, qemu-devel@nongnu.org
Date: Tue, 22 Aug 2017 18:43:43 -0300
Message-Id: <20170822214343.31385-1-f4bug@amsat.org>
Subject: [Qemu-devel] [PATCH for-2.10-rc4?] acpi: pcihp: fix use-after-free for machines previous pc-1.7 compat

9e047b982452 "piix4: add acpi pci hotplug support" introduced a new property
'use_acpi_pci_hotplug' for pc-1.7 and older machines.

c24d5e0b91d1 "convert ACPI PCI hotplug to use hotplug-handler API" added the
qbus hotplug handlers but forgot to check for the 'use_acpi_pci_hotplug'
property.

Check for use_acpi_pci_hotplug before calling acpi_pcihp_device_[un]plug_cb().

If Xen is enabled, piix4_pm_init() disables use_acpi_pci_hotplug.
The following valgrind trace is equivalent to:

qdev_device_add( "ich9-ahci" )
  -> device_set_realized()
    -> hotplug_handler_plug()
      -> piix4_device_plug_cb()
        -> acpi_pcihp_device_plug_cb()
          -> acpi_pcihp_get_bsel()
               "Property ACPI_PCIHP_PROP_BSEL not found"
  -> object_unparent()
       <- "Bus doesn't have property ACPI_PCIHP_PROP_BSEL set"

$ valgrind x86_64-softmmu/qemu-system-x86_64 -M pc-1.2 -nographic -S
(qemu) device_add ich9-ahci,id=ich9-ahci
==6604== Invalid read of size 8
==6604==    at 0x609AB0: object_unparent (object.c:445)
==6604==    by 0x4C4478: device_unparent (qdev.c:1095)
==6604==    by 0x60A364: object_finalize_child_property (object.c:1396)
==6604==    by 0x6092A6: object_property_del_child.isra.7 (object.c:427)
==6604==    by 0x451728: qdev_device_add (qdev-monitor.c:634)
==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
==6604==    by 0x365439: monitor_command_cb (monitor.c:3922)
==6604==    by 0x6E5D27: readline_handle_byte (readline.c:393)
==6604==    by 0x364311: monitor_read (monitor.c:3905)
==6604==    by 0x67C573: mux_chr_read (char-mux.c:216)
==6604==  Address 0x15fc5448 is 30,328 bytes inside a block of size 36,288 free'd
==6604==    at 0x4C2ACDD: free (vg_replace_malloc.c:530)
==6604==    by 0xA04EBCD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
==6604==    by 0x50100E: pci_ich9_uninit (ich.c:161)
==6604==    by 0x5428AB: pci_qdev_unrealize (pci.c:1083)
==6604==    by 0x4C5EE9: device_set_realized (qdev.c:988)
==6604==    by 0x608DCD: property_set_bool (object.c:1886)
==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)
==6604==    by 0x364083: handle_hmp_command (monitor.c:3119)
==6604==  Block was alloc'd at
==6604==    at 0x4C2B975: calloc (vg_replace_malloc.c:711)
==6604==    by 0xA04EB15: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.5000.3)
==6604==    by 0x50094F: ahci_realize (ahci.c:1468)
==6604==    by 0x501098: pci_ich9_ahci_realize (ich.c:115)
==6604==    by 0x543E6D: pci_qdev_realize (pci.c:2002)
==6604==    by 0x4C5E69: device_set_realized (qdev.c:914)
==6604==    by 0x608DCD: property_set_bool (object.c:1886)
==6604==    by 0x60CEBE: object_property_set_qobject (qom-qobject.c:27)
==6604==    by 0x60AB6F: object_property_set_bool (object.c:1162)
==6604==    by 0x4516F3: qdev_device_add (qdev-monitor.c:630)
==6604==    by 0x451C82: qmp_device_add (qdev-monitor.c:807)
==6604==    by 0x46B689: hmp_device_add (hmp.c:1925)

Reported-by: Thomas Huth
Message-Id: <59a56959-ca12-ea75-33fa-ff07eba1b090@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé
Tested-by: Thomas Huth
---
 hw/acpi/piix4.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c index f276967365..d4df209a2e 100644 --- a/hw/acpi/piix4.c +++ b/hw/acpi/piix4.c @@ -385,7 +385,7 @@ static void piix4_device_plug_cb(HotplugHandler *hotplu= g_dev, dev, errp); } } else if (object_dynamic_cast(OBJECT(dev), TYPE_PCI_DEVICE)) { - if (!xen_enabled()) { + if (s->use_acpi_pci_hotplug) { acpi_pcihp_device_plug_cb(hotplug_dev, &s->acpi_pci_hotplug, d= ev, errp); }
@@ -411,7 +411,7 @@ static void piix4_device_unplug_request_cb(HotplugHandl= er *hotplug_dev, acpi_memory_unplug_request_cb(hotplug_dev, &s->acpi_memory_hotplug, dev, errp); } else if (object_dynamic_cast(OBJECT(dev), TYPE_PCI_DEVICE)) { - if (!xen_enabled()) { + if (s->use_acpi_pci_hotplug) { acpi_pcihp_device_unplug_cb(hotplug_dev, &s->acpi_pci_hotplug,= dev, errp); } --=20 2.14.1
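Review bot: in the piix4_device_plug_cb hunk, when `s->use_acpi_pci_hotplug` is false the PCI branch now falls through without touching `errp`, so a `device_add` of a PCI device on a pc-1.7-or-older machine is reported as successful even though no ACPI hotplug notification is generated; consider setting an error there, or adding a comment stating that silently accepting the device is intended. The commit message relies on piix4_pm_init() clearing `use_acpi_pci_hotplug` under Xen to preserve the behaviour of the removed `!xen_enabled()` test; a comment at that assignment would make the dependency visible to the next reader.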
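Review bot: the piix4_device_unplug_request_cb hunk has the same silent fall-through: with `use_acpi_pci_hotplug` false, `acpi_pcihp_device_unplug_cb` is skipped and `errp` stays unset, so a `device_del` request returns success although no eject request is delivered to the guest and the device stays attached. Returning an error in that case would be safer, and since both hunks now test the same field, a cross-referencing comment would keep the plug and unplug paths from drifting apart. It is also worth checking whether `xen_enabled()` is still referenced elsewhere in hw/acpi/piix4.c, since neither callback uses it after this change.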
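As an added illustration (not QEMU code and not part of this patch): a toy C model of the sequence the valgrind trace shows, in which the device's port state is freed on the unrealize path and then reached again when the device is unparented. Every function and the `run_cb`/`unparent_first` parameters are hypothetical stand-ins: `run_cb` plays the role of the guard the patch adds, and `unparent_first` shows that dropping child links before the free would also defuse the error path. Rather than dereference freed memory, the model counts the children that would be touched, so it runs cleanly; a real dereference is what valgrind reports as the "Invalid read" above.

```c
#include <stdbool.h>
#include <stdlib.h>

#define NPORTS 4
typedef struct Dev {
    int *ports;     /* per-port state, calloc'd in realize, freed in unrealize */
    int nchildren;  /* child properties registered, one per port */
} Dev;
/* Stand-in for acpi_pcihp_device_plug_cb() on a bus without BSEL: fails. */
static int pcihp_plug_cb(void) { return -1; }
/* Stand-in for piix4_device_plug_cb(); run_cb=true is the unguarded
 * pre-patch call, run_cb=false the call skipped by the patch's guard. */
static int plug_cb(bool run_cb) { return run_cb ? pcihp_plug_cb() : 0; }
static void realize(Dev *d) {
    d->ports = calloc(NPORTS, sizeof *d->ports);
    d->nchildren = NPORTS;
}
/* Stand-in for the unrealize path (pci_ich9_uninit in the trace);
 * unparent_first drops the child links before freeing their storage. */
static void unrealize(Dev *d, bool unparent_first) {
    if (unparent_first) d->nchildren = 0;
    free(d->ports);
    d->ports = NULL;
}
/* Stand-in for device_unparent(): a child whose storage is already freed
 * is counted as dangling instead of dereferenced (the "Invalid read"). */
static int unparent(Dev *d) {
    int dangling = 0;
    for (int i = 0; i < d->nchildren; i++) {
        if (d->ports == NULL) dangling++;
        else d->ports[i] = 0;
    }
    d->nchildren = 0;
    return dangling;
}
/* Stand-in for qdev_device_add(): returns how many freed children the
 * error path touched; 0 means the sequence was memory-safe. */
static int device_add(bool run_cb, bool unparent_first) {
    Dev d = {0};
    int dangling = 0;
    realize(&d);
    if (plug_cb(run_cb) < 0) {
        unrealize(&d, unparent_first);  /* frees ports ... */
        dangling = unparent(&d);        /* ... then walks the children */
    }
    free(d.ports);  /* NULL on the error path; normal cleanup otherwise */
    return dangling;
}
```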