Clang's sanitizer reports a runtime error when booting with
'-net nic -net user', due to a null pointer being passed
to memory_region_find(), which subsequently triggers a crash in
flatview_lookup().
Root cause:
- Missing NIC configuration in the CA35 initialization.
Fix:
- Reduce ca35 ram size from 2GiB to 1GiB to align with ast2700a1-evb,
where the ram-container is defined as 1GiB in its class.
- Add nic configuration in ast2700fc's ca35 init function.
Signed-off-by: Steven Lee <steven_lee@aspeedtech.com>
---
hw/arm/aspeed_ast27x0-fc.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/hw/arm/aspeed_ast27x0-fc.c b/hw/arm/aspeed_ast27x0-fc.c
index 125a3ade40..ff64605663 100644
--- a/hw/arm/aspeed_ast27x0-fc.c
+++ b/hw/arm/aspeed_ast27x0-fc.c
@@ -48,7 +48,7 @@ struct Ast2700FCState {
bool mmio_exec;
};
-#define AST2700FC_BMC_RAM_SIZE (2 * GiB)
+#define AST2700FC_BMC_RAM_SIZE (1 * GiB)
#define AST2700FC_CM4_DRAM_SIZE (32 * MiB)
#define AST2700FC_HW_STRAP1 0x000000C0
@@ -59,6 +59,7 @@ struct Ast2700FCState {
static void ast2700fc_ca35_init(MachineState *machine)
{
Ast2700FCState *s = AST2700A1FC(machine);
+ AspeedMachineClass *amc = ASPEED_MACHINE_GET_CLASS(machine);
AspeedSoCState *soc;
AspeedSoCClass *sc;
@@ -86,6 +87,14 @@ static void ast2700fc_ca35_init(MachineState *machine)
AST2700FC_BMC_RAM_SIZE, &error_abort)) {
return;
}
+
+ for (int i = 0; i < sc->macs_num; i++) {
+ if ((amc->macs_mask & (1 << i)) &&
+ !qemu_configure_nic_device(DEVICE(&soc->ftgmac100[i]),
+ true, NULL)) {
+ break;
+ }
+ }
if (!object_property_set_int(OBJECT(&s->ca35), "hw-strap1",
AST2700FC_HW_STRAP1, &error_abort)) {
return;
@@ -171,6 +180,7 @@ static void ast2700fc_init(MachineState *machine)
static void ast2700fc_class_init(ObjectClass *oc, const void *data)
{
MachineClass *mc = MACHINE_CLASS(oc);
+ AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc);
mc->alias = "ast2700fc";
mc->desc = "ast2700 full core support";
@@ -178,12 +188,13 @@ static void ast2700fc_class_init(ObjectClass *oc, const void *data)
mc->no_floppy = 1;
mc->no_cdrom = 1;
mc->min_cpus = mc->max_cpus = mc->default_cpus = 6;
+ amc->macs_mask = ASPEED_MAC0_ON | ASPEED_MAC1_ON | ASPEED_MAC2_ON;
}
static const TypeInfo ast2700fc_types[] = {
{
.name = MACHINE_TYPE_NAME("ast2700fc"),
- .parent = TYPE_MACHINE,
+ .parent = TYPE_ASPEED_MACHINE,
.class_init = ast2700fc_class_init,
.instance_size = sizeof(Ast2700FCState),
},
--
2.43.0On 5/14/25 11:03, Steven Lee wrote:
> Clang's sanitizer reports a runtime error when booting with
> '-net nic -net user', due to a null pointer being passed
> to memory_region_find(), which subsequently triggers a crash in
> flatview_lookup().
>
> Root cause:
> - Missing NIC configuration in the CA35 initialization.
>
> Fix:
> - Reduce ca35 ram size from 2GiB to 1GiB to align with ast2700a1-evb,
> where the ram-container is defined as 1GiB in its class.
> - Add nic configuration in ast2700fc's ca35 init function.
>
> Signed-off-by: Steven Lee <steven_lee@aspeedtech.com>
> ---
> hw/arm/aspeed_ast27x0-fc.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/hw/arm/aspeed_ast27x0-fc.c b/hw/arm/aspeed_ast27x0-fc.c
> index 125a3ade40..ff64605663 100644
> --- a/hw/arm/aspeed_ast27x0-fc.c
> +++ b/hw/arm/aspeed_ast27x0-fc.c
> @@ -48,7 +48,7 @@ struct Ast2700FCState {
> bool mmio_exec;
> };
>
> -#define AST2700FC_BMC_RAM_SIZE (2 * GiB)
> +#define AST2700FC_BMC_RAM_SIZE (1 * GiB)
> #define AST2700FC_CM4_DRAM_SIZE (32 * MiB)
>
> #define AST2700FC_HW_STRAP1 0x000000C0
> @@ -59,6 +59,7 @@ struct Ast2700FCState {
> static void ast2700fc_ca35_init(MachineState *machine)
> {
> Ast2700FCState *s = AST2700A1FC(machine);
> + AspeedMachineClass *amc = ASPEED_MACHINE_GET_CLASS(machine);
> AspeedSoCState *soc;
> AspeedSoCClass *sc;
>
> @@ -86,6 +87,14 @@ static void ast2700fc_ca35_init(MachineState *machine)
> AST2700FC_BMC_RAM_SIZE, &error_abort)) {
> return;
> }
> +
> + for (int i = 0; i < sc->macs_num; i++) {
> + if ((amc->macs_mask & (1 << i)) &&
> + !qemu_configure_nic_device(DEVICE(&soc->ftgmac100[i]),
> + true, NULL)) {
> + break;
> + }
> + }
> if (!object_property_set_int(OBJECT(&s->ca35), "hw-strap1",
> AST2700FC_HW_STRAP1, &error_abort)) {
> return;
> @@ -171,6 +180,7 @@ static void ast2700fc_init(MachineState *machine)
> static void ast2700fc_class_init(ObjectClass *oc, const void *data)
> {
> MachineClass *mc = MACHINE_CLASS(oc);
> + AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc);
>
> mc->alias = "ast2700fc";
> mc->desc = "ast2700 full core support";
> @@ -178,12 +188,13 @@ static void ast2700fc_class_init(ObjectClass *oc, const void *data)
> mc->no_floppy = 1;
> mc->no_cdrom = 1;
> mc->min_cpus = mc->max_cpus = mc->default_cpus = 6;
> + amc->macs_mask = ASPEED_MAC0_ON | ASPEED_MAC1_ON | ASPEED_MAC2_ON;
> }
>
> static const TypeInfo ast2700fc_types[] = {
> {
> .name = MACHINE_TYPE_NAME("ast2700fc"),
> - .parent = TYPE_MACHINE,
> + .parent = TYPE_ASPEED_MACHINE,
> .class_init = ast2700fc_class_init,
> .instance_size = sizeof(Ast2700FCState),
> },
The "ast2700fc" machine cannot inherit from TYPE_ASPEED_MACHINE.
These are two different type of machines.
An "ast2700fc" machine state is described by :
struct Ast2700FCState {
MachineState parent_obj;
MemoryRegion ca35_memory;
MemoryRegion ca35_dram;
MemoryRegion ssp_memory;
MemoryRegion tsp_memory;
Clock *ssp_sysclk;
Clock *tsp_sysclk;
Aspeed27x0SoCState ca35;
Aspeed27x0SSPSoCState ssp;
Aspeed27x0TSPSoCState tsp;
bool mmio_exec;
};
and a TYPE_ASPEED_MACHINE machine state is described by :
struct AspeedMachineState {
/* Private */
MachineState parent_obj;
/* Public */
AspeedSoCState *soc;
MemoryRegion boot_rom;
bool mmio_exec;
uint32_t uart_chosen;
char *fmc_model;
char *spi_model;
uint32_t hw_strap1;
};
These are not compatible.
You will need to redefine the attributes (state and class) you need
in the "ast2700fc" machine.
Thanks,
C.
Hi Cédric,
> -----Original Message-----
> From: Cédric Le Goater <clg@redhat.com>
> Sent: Wednesday, May 14, 2025 9:28 PM
> To: Steven Lee <steven_lee@aspeedtech.com>; Peter Maydell
> <peter.maydell@linaro.org>; Troy Lee <leetroy@gmail.com>; Jamin Lin
> <jamin_lin@aspeedtech.com>; Andrew Jeffery
> <andrew@codeconstruct.com.au>; Joel Stanley <joel@jms.id.au>; open
> list:ASPEED BMCs <qemu-arm@nongnu.org>; open list:All patches CC here
> <qemu-devel@nongnu.org>
> Cc: Troy Lee <troy_lee@aspeedtech.com>; longzl2@lenovo.com; Yunlin Tang
> <yunlin.tang@aspeedtech.com>
> Subject: Re: [PATCH v2 1/5] hw/arm/aspeed_ast2700-fc: Fix null pointer
> dereference in ca35 init
>
> On 5/14/25 11:03, Steven Lee wrote:
> > Clang's sanitizer reports a runtime error when booting with '-net nic
> > -net user', due to a null pointer being passed to
> > memory_region_find(), which subsequently triggers a crash in
> > flatview_lookup().
> >
> > Root cause:
> > - Missing NIC configuration in the CA35 initialization.
> >
> > Fix:
> > - Reduce ca35 ram size from 2GiB to 1GiB to align with ast2700a1-evb,
> > where the ram-container is defined as 1GiB in its class.
> > - Add nic configuration in ast2700fc's ca35 init function.
> >
> > Signed-off-by: Steven Lee <steven_lee@aspeedtech.com>
> > ---
> > hw/arm/aspeed_ast27x0-fc.c | 15 +++++++++++++--
> > 1 file changed, 13 insertions(+), 2 deletions(-)
> >
> > diff --git a/hw/arm/aspeed_ast27x0-fc.c b/hw/arm/aspeed_ast27x0-fc.c
> > index 125a3ade40..ff64605663 100644
> > --- a/hw/arm/aspeed_ast27x0-fc.c
> > +++ b/hw/arm/aspeed_ast27x0-fc.c
> > @@ -48,7 +48,7 @@ struct Ast2700FCState {
> > bool mmio_exec;
> > };
> >
> > -#define AST2700FC_BMC_RAM_SIZE (2 * GiB)
> > +#define AST2700FC_BMC_RAM_SIZE (1 * GiB)
> > #define AST2700FC_CM4_DRAM_SIZE (32 * MiB)
> >
> > #define AST2700FC_HW_STRAP1 0x000000C0 @@ -59,6 +59,7 @@ struct
> > Ast2700FCState {
> > static void ast2700fc_ca35_init(MachineState *machine)
> > {
> > Ast2700FCState *s = AST2700A1FC(machine);
> > + AspeedMachineClass *amc =
> ASPEED_MACHINE_GET_CLASS(machine);
> > AspeedSoCState *soc;
> > AspeedSoCClass *sc;
> >
> > @@ -86,6 +87,14 @@ static void ast2700fc_ca35_init(MachineState
> *machine)
> > AST2700FC_BMC_RAM_SIZE,
> &error_abort)) {
> > return;
> > }
> > +
> > + for (int i = 0; i < sc->macs_num; i++) {
> > + if ((amc->macs_mask & (1 << i)) &&
> > + !qemu_configure_nic_device(DEVICE(&soc->ftgmac100[i]),
> > + true, NULL)) {
> > + break;
> > + }
> > + }
> > if (!object_property_set_int(OBJECT(&s->ca35), "hw-strap1",
> > AST2700FC_HW_STRAP1,
> &error_abort)) {
> > return;
> > @@ -171,6 +180,7 @@ static void ast2700fc_init(MachineState *machine)
> > static void ast2700fc_class_init(ObjectClass *oc, const void *data)
> > {
> > MachineClass *mc = MACHINE_CLASS(oc);
> > + AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc);
> >
> > mc->alias = "ast2700fc";
> > mc->desc = "ast2700 full core support"; @@ -178,12 +188,13 @@
> > static void ast2700fc_class_init(ObjectClass *oc, const void *data)
> > mc->no_floppy = 1;
> > mc->no_cdrom = 1;
> > mc->min_cpus = mc->max_cpus = mc->default_cpus = 6;
> > + amc->macs_mask = ASPEED_MAC0_ON | ASPEED_MAC1_ON |
> > + ASPEED_MAC2_ON;
> > }
> >
> > static const TypeInfo ast2700fc_types[] = {
> > {
> > .name = MACHINE_TYPE_NAME("ast2700fc"),
> > - .parent = TYPE_MACHINE,
> > + .parent = TYPE_ASPEED_MACHINE,
> > .class_init = ast2700fc_class_init,
> > .instance_size = sizeof(Ast2700FCState),
> > },
>
> The "ast2700fc" machine cannot inherit from TYPE_ASPEED_MACHINE.
> These are two different type of machines.
>
> An "ast2700fc" machine state is described by :
>
> struct Ast2700FCState {
> MachineState parent_obj;
>
> MemoryRegion ca35_memory;
> MemoryRegion ca35_dram;
> MemoryRegion ssp_memory;
> MemoryRegion tsp_memory;
>
> Clock *ssp_sysclk;
> Clock *tsp_sysclk;
>
> Aspeed27x0SoCState ca35;
> Aspeed27x0SSPSoCState ssp;
> Aspeed27x0TSPSoCState tsp;
>
> bool mmio_exec;
> };
>
> and a TYPE_ASPEED_MACHINE machine state is described by :
>
> struct AspeedMachineState {
> /* Private */
> MachineState parent_obj;
> /* Public */
>
> AspeedSoCState *soc;
> MemoryRegion boot_rom;
> bool mmio_exec;
> uint32_t uart_chosen;
> char *fmc_model;
> char *spi_model;
> uint32_t hw_strap1;
> };
>
> These are not compatible.
>
> You will need to redefine the attributes (state and class) you need in the
> "ast2700fc" machine.
>
Thanks for the review.
Will fix this in the next patch series.
Regards,
Steven
© 2016 - 2025 Red Hat, Inc.