From: Kevin Wolf
To: qemu-devel@nongnu.org
Cc: matthias@weckbecker.name, mst@redhat.com
Date: Mon, 10 Dec 2018 15:56:53 +0100
Subject: [Qemu-devel] Fwd: [PATCH] QEMU patch for PCI handling bug (invalid free)
Message-ID: <20181210145653.GE5000@localhost.localdomain>

On 10.12.2018 at 14:38, Matthias Weckbecker wrote:
> Hi Kevin,
> 
> I'm attaching a patch for qemu. Read below for details.
> 
> There's a bug in qemu in the PCI bridge handling that can be triggered when
> following the steps below:
> 
> 1) Create some VM (e.g. w/ virsh define)
> 2) Ensure there is a PCI bridge attached, e.g. w/ libvirt like this:
> 
> 
> 
> 
> 
> 
> 
> 
> 3) Take a snapshot while it's *running*, like this:
> 
> % virsh start mips64el-vm
> % virsh snapshot-create-as mips64el-vm mips64el-snap
> 
> 4) Destroy the VM and revert from snapshot:
> 
> % virsh destroy mips64el-vm
> % virsh snapshot-revert mips64el-vm mips64el-snap --running
> error: internal error: process exited while connecting to monitor: corrupted size vs. prev_size
> 
> 5) qemu-system-mips64el crashes
> 
> The attached patch resolves the issue. Can you maybe review+commit, please?

Hi Matthias,

thanks for sending the patch. The next step is that it needs to be
reviewed on the qemu-devel mailing list (CCed) and then the PCI
subsystem maintainers (Michael and Marcel, CCed as well) can commit it.

Maybe some of the explanation above should actually be moved to the
commit message of the patch itself?

Kevin

----- Forwarded message from Matthias Weckbecker -----

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fde12dfc801 in __GI_abort () at abort.c:79
#2  0x00007fde12e45897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fde12f72b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fde12e4c90a in malloc_printerr (str=str@entry=0x7fde12f70c9d "corrupted size vs. prev_size") at malloc.c:5350
#4  0x00007fde12e4cb0c in malloc_consolidate (av=av@entry=0x7fde131a7c40) at malloc.c:4456
#5  0x00007fde12e5403b in _int_free (have_lock=0, p=, av=0x7fde131a7c40) at malloc.c:4362
#6  __GI___libc_free (mem=0x55f089173c20) at malloc.c:3124
#7  0x000055f086c85062 in phys_section_destroy (mr=0x55f089173c20) at ./exec.c:1317
#8  phys_sections_free (map=0x55f0890f1560) at ./exec.c:1325
#9  address_space_dispatch_free (d=0x55f0890f1550) at ./exec.c:2777
#10 0x000055f086cc0509 in flatview_destroy (view=0x55f088a5caf0) at ./memory.c:301
#11 0x000055f087031dc0 in call_rcu_thread (opaque=) at ./util/rcu.c:272
#12 0x00007fde131b46db in start_thread (arg=0x7fde0aa39700) at pthread_create.c:463
#13 0x00007fde12edd88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

==13641== Thread 2:
==13641== Invalid read of size 8
==13641==    at 0x42755B: memory_region_unref (memory.c:1749)
==13641==    by 0x42755B: flatview_destroy (memory.c:307)
==13641==    by 0x798DBF: call_rcu_thread (rcu.c:272)
==13641==    by 0x97BF6DA: start_thread (pthread_create.c:463)
==13641==    by 0x9AF888E: clone (clone.S:95)
==13641==  Address 0x408e4670 is 64 bytes inside a block of size 1,440 free'd
==13641==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13641==    by 0x5E988B: get_pci_config_device (pci.c:491)
==13641==    by 0x660069: vmstate_load_state (vmstate.c:140)
==13641==    by 0x660236: vmstate_load_state (vmstate.c:137)
==13641==    by 0x659994: vmstate_load (savevm.c:748)
==13641==    by 0x65A7B1: qemu_loadvm_section_start_full.isra.11 (savevm.c:1918)
==13641==    by 0x65AA67: qemu_loadvm_state_main.isra.13 (savevm.c:2013)
==13641==    by 0x65D7CE: qemu_loadvm_state (savevm.c:2092)
==13641==    by 0x65E40D: load_snapshot (savevm.c:2406)
==13641==    by 0x3E28C2: main (vl.c:4918)
==13641==  Block was alloc'd at
==13641==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13641==    by 0x8D35A28: g_malloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.5600.3)
==13641==    by 0x5ECA8A: pci_bridge_region_init (pci_bridge.c:187)
==13641==    by 0x5ECEFC: pci_bridge_initfn (pci_bridge.c:384)
==13641==    by 0x5E654F: pci_bridge_dev_realize (pci_bridge_dev.c:59)
==13641==    by 0x5EBED0: pci_qdev_realize (pci.c:2034)
==13641==    by 0x5742D8: device_set_realized (qdev.c:914)
==13641==    by 0x6B8F96: property_set_bool (object.c:1906)
==13641==    by 0x6BD11E: object_property_set_qobject (qom-qobject.c:27)
==13641==    by 0x6BAD7F: object_property_set_bool (object.c:1171)
==13641==    by 0x4FA75D: qdev_device_add (qdev-monitor.c:629)
==13641==    by 0x4FCD36: device_init_func (vl.c:2432)
==13641== 

From 8229eb9cb97a1806e264290e2935261bf23c7f34 Mon Sep 17 00:00:00 2001
From: Matthias Weckbecker
Date: Mon, 10 Dec 2018 14:00:48 +0100
Subject: [PATCH] hw/pci-bridge: Fix invalid free()

When loadvm'ing a *running* snapshot qemu crashes due to an invalid
free. It's fortunately caught early by glibc heap memory corruption
protection and qemu gets killed with SIGABRT.

This commit fixes the issue.

Signed-off-by: Matthias Weckbecker
---
 hw/pci/pci_bridge.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/pci/pci_bridge.c b/hw/pci/pci_bridge.c
index ee9dff2d3a..b9143ac88b 100644
--- a/hw/pci/pci_bridge.c
+++ b/hw/pci/pci_bridge.c
@@ -241,9 +241,9 @@ void pci_bridge_update_mappings(PCIBridge *br) * while another accesses an unaffected region. */ memory_region_transaction_begin(); pci_bridge_region_del(br, br->windows); + pci_bridge_region_cleanup(br, w); br->windows =3D pci_bridge_region_init(br); memory_region_transaction_commit(); - pci_bridge_region_cleanup(br, w); } =20 /* default write_config function for PCI-to-PCI bridge */ --=20 2.11.0 ----- End forwarded message -----
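Review bot: the commit message does not say why moving pci_bridge_region_cleanup(br, w) ahead of br->windows = pci_bridge_region_init(br) and inside the memory_region_transaction_begin()/commit() pair stops the crash, and the traces above make that worth spelling out: the freed 1,440-byte block is the PCIBridgeWindows allocated in pci_bridge_region_init (valgrind, "Block was alloc'd at"), the stale reader is memory_region_unref in flatview_destroy on the call_rcu thread, and that FlatView is only retired after the transaction commits, so the MemoryRegions embedded in the old windows look reachable from the queued FlatView in both orderings of the g_free. Please add to the commit message the ordering argument that makes the regions safe to free before commit, and confirm the reordering does not merely mask the use-after-free (for instance because the next pci_bridge_region_init gets the just-freed chunk back). "This commit fixes the issue" says nothing about the fix, and, as Kevin suggests, the reproduction steps (running snapshot, snapshot-revert --running, "corrupted size vs. prev_size") belong in the commit message rather than only in the cover mail.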
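As an added illustration of the failure mode in the valgrind trace above (a FlatView retired by a deferred RCU callback still pointing into a PCIBridgeWindows block that has already been g_free'd), here is a small C model written for this page. It is not QEMU code: Region, Windows, View, Bridge, the checked pool and the deferred queue are stand-ins for MemoryRegion, PCIBridgeWindows, FlatView, PCIBridge, the heap and call_rcu(), and none of those names exist in QEMU. The pool poisons and marks freed slots so the dead-region read is diagnosed deterministically, the way memcheck reports it, instead of being undefined behaviour. The "free via queue" variant retires the old block through the same deferred queue as the view; that is a general ordering pattern shown for contrast, not the change the patch above makes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Model written for this page, not QEMU code. Region/Windows/View/Bridge stand in for
 * MemoryRegion/PCIBridgeWindows/FlatView/PCIBridge; the pool and the queue are ours too. */
#define REGION_MAGIC 0x52454749u
#define NREGIONS 3
#define POOL_SLOTS 4
typedef struct { uint32_t magic; int *owner_refs; } Region;     /* owner_refs ~ mr->owner refcount */
typedef struct { Region alias[NREGIONS]; } Windows;              /* regions embedded in one heap block */
typedef struct { Region *ranges[NREGIONS]; int nranges; } View;  /* raw pointers into a Windows */
typedef struct { Windows *windows; View *view; } Bridge;
static int bridge_refs; /* owner refcount: a view refs the owner, never the region itself */
static int bad_unrefs;  /* unrefs that hit a dead region, what memcheck showed as "Invalid read" */

/* Checked pool: freeing poisons the slot and marks it dead, so a later access is diagnosed instead of
 * being UB. Slots go round-robin on purpose: a real allocator may hand the freed chunk straight back. */
static Windows pool[POOL_SLOTS];
static bool pool_live[POOL_SLOTS];
static int pool_next;
static Windows *pool_alloc(void) {
    for (int t = 0; t < POOL_SLOTS; t++) {
        int i = pool_next;
        pool_next = (pool_next + 1) % POOL_SLOTS;
        if (!pool_live[i]) { pool_live[i] = true; return &pool[i]; }
    }
    abort();
}
static void pool_free(void *p) {
    Windows *w = p;
    pool_live[w - pool] = false;
    memset(w, 0xA5, sizeof *w); /* poison: a dead region no longer carries REGION_MAGIC */
}
static bool region_live(const Region *r) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool_live[i] && r >= pool[i].alias && r < pool[i].alias + NREGIONS) return true;
    return false;
}

/* Deferred-callback queue standing in for call_rcu(): FIFO, drained later by "the RCU thread". */
typedef void (*DeferredFn)(void *);
static struct { DeferredFn fn; void *arg; } dq[16];
static int dq_len;
static void defer(DeferredFn fn, void *arg) { dq[dq_len].fn = fn; dq[dq_len].arg = arg; dq_len++; }
static void run_deferred(void) { for (int i = 0; i < dq_len; i++) dq[i].fn(dq[i].arg); dq_len = 0; }

static Windows *windows_init(void) { /* ~ pci_bridge_region_init() */
    Windows *w = pool_alloc();
    for (int i = 0; i < NREGIONS; i++) w->alias[i] = (Region){ REGION_MAGIC, &bridge_refs };
    return w;
}
static View *view_build(Windows *w) { /* building a view takes one owner ref per range */
    View *v = calloc(1, sizeof *v);
    for (int i = 0; i < NREGIONS; i++) { v->ranges[v->nranges++] = &w->alias[i]; bridge_refs++; }
    return v;
}
static void view_destroy(void *arg) { /* ~ flatview_destroy(): every unref reads the region */
    View *v = arg;
    for (int i = 0; i < v->nranges; i++) {
        Region *r = v->ranges[i];
        if (region_live(r) && r->magic == REGION_MAGIC) (*r->owner_refs)--;
        else bad_unrefs++;
    }
    free(v);
}
static void commit(Bridge *br) { /* ~ transaction commit: publish the new view, retire the old later */
    View *old = br->view;
    br->view = view_build(br->windows);
    if (old) defer(view_destroy, old);
}

static void update_mappings(Bridge *br, bool free_via_queue) {
    Windows *w = br->windows;
    br->windows = windows_init();
    commit(br);
    if (free_via_queue) defer(pool_free, w); /* contrast: freed only after the view that points into it */
    else pool_free(w);                       /* ordering in the trace: freed while the old view is queued */
}

/* Realize, one config-space update (as during loadvm), let the queue drain, tear down. */
static int run_scenario(bool free_via_queue) {
    Bridge br = { 0 };
    memset(pool_live, 0, sizeof pool_live); pool_next = 0; dq_len = 0; bridge_refs = 0; bad_unrefs = 0;
    br.windows = windows_init();
    commit(&br);
    update_mappings(&br, free_via_queue);
    run_deferred();
    defer(view_destroy, br.view); defer(pool_free, br.windows); run_deferred();
    return bad_unrefs;
}

int main(void) {
    printf("free after commit: %d dead-region reads\n", run_scenario(false));
    printf("free via queue:    %d dead-region reads\n", run_scenario(true));
}
```

Build with `cc -Wall model.c && ./a.out`. The first scenario reports three dead-region reads, and bridge_refs is left at 3 afterwards because the unrefs that hit freed memory could not run, which is the refcount leak that accompanies this kind of use-after-free; the second reports none and returns bridge_refs to 0. The pool deliberately does not reuse a just-freed slot: with a general-purpose allocator the next allocation of the same size can get the same chunk back, and a bug like this can then vanish from a trace without having been fixed.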