[PATCH 0/2] hw/pci-host: fix use-after-free in hppa pci-host devices

Peter Maydell posted 2 patches 1 month, 3 weeks ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20250918114259.1802337-1-peter.maydell@linaro.org
Maintainers: Richard Henderson <richard.henderson@linaro.org>, Helge Deller <deller@gmx.de>
[PATCH 0/2] hw/pci-host: fix use-after-free in hppa pci-host devices
Posted by Peter Maydell 1 month, 3 weeks ago
This patchset fixes use-after-free bugs which show up if you put
some of the hppa pci-host devices through an "init -> deinit" lifecycle,
as the device-introspect-test does.

The problem in both cases is that we were calling pci_register_root_bus()
in instance_init: we should only call this in realize, as all the
other callers do.

These bugs show up if you run 'make check' with an ASAN enabled
build; they are also likely behind the intermittent segfaults
on s390 that RTH has noticed recently.

thanks
-- PMM

Peter Maydell (2):
  hw/pci-host/dino: Don't call pci_register_root_bus() in init
  hw/pci-host/astro: Don't call pci_register_root_bus() in init

 hw/pci-host/astro.c | 27 +++++++-------
 hw/pci-host/dino.c  | 90 +++++++++++++++++++++------------------------
 2 files changed, 55 insertions(+), 62 deletions(-)

-- 
2.43.0
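Added illustration, not code from this patchset or from QEMU: a small C model of why registering the root bus from instance_init goes wrong under the "init -> deinit" lifecycle the cover letter describes. The registry, the HostBridge type and every function name here are hypothetical stand-ins for pci_register_root_bus() and the hppa host-bridge state; the lifecycle check records addresses as integers and compares them, so it never dereferences freed memory itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the global root-bus list that
 * pci_register_root_bus() appends to. Entries are kept as integers so the
 * lifecycle check below never touches freed memory. */
#define MAX_ROOT_BUSES 8
static uintptr_t root_bus_registry[MAX_ROOT_BUSES];
static size_t root_bus_count;

/* Hypothetical host bridge: the bus object is embedded in the device state,
 * so registering it publishes a pointer into memory owned by the device. */
typedef struct HostBridge {
    unsigned char bus[64];  /* stands in for the embedded PCIBus */
    bool realized;
} HostBridge;

static void registry_reset(void)
{
    root_bus_count = 0;
    memset(root_bus_registry, 0, sizeof root_bus_registry);
}

static void register_root_bus(const void *bus)
{
    if (root_bus_count < MAX_ROOT_BUSES) {
        root_bus_registry[root_bus_count++] = (uintptr_t)bus;
    }
}

static bool registry_contains(uintptr_t addr)
{
    for (size_t i = 0; i < root_bus_count; i++) {
        if (root_bus_registry[i] == addr) {
            return true;
        }
    }
    return false;
}

/* Buggy pattern: the bus is registered from instance_init, before anything
 * has decided whether the object will ever be realized. */
static HostBridge *buggy_instance_init(void)
{
    HostBridge *s = calloc(1, sizeof *s);
    register_root_bus(s->bus);
    return s;
}
static void buggy_realize(HostBridge *s) { s->realized = true; }

/* Fixed pattern: instance_init only sets up the object; registration waits
 * for realize, which an introspection-only lifecycle never reaches. */
static HostBridge *fixed_instance_init(void)
{
    return calloc(1, sizeof(HostBridge));
}
static void fixed_realize(HostBridge *s)
{
    register_root_bus(s->bus);
    s->realized = true;
}

/* Finalize of an unrealized object unregisters nothing, mirroring the bug:
 * the teardown path has no idea a registration already happened. */
static void instance_finalize(HostBridge *s) { free(s); }

/* device-introspect-test style lifecycle: init, then finalize, no realize.
 * Returns true if the registry still refers to the freed object, i.e. any
 * later walk of the root-bus list would be a use-after-free. */
static bool introspect_leaves_dangling(HostBridge *(*init)(void))
{
    registry_reset();
    HostBridge *s = init();
    uintptr_t bus_addr = (uintptr_t)s->bus;  /* captured while still valid */
    instance_finalize(s);
    return registry_contains(bus_addr);
}

/* Normal lifecycle: init, realize, then check the bus is registered while
 * the object is alive. Both variants behave correctly on this path. */
static bool realized_bus_is_registered(HostBridge *(*init)(void),
                                       void (*realize)(HostBridge *))
{
    registry_reset();
    HostBridge *s = init();
    realize(s);
    bool registered = s->realized && registry_contains((uintptr_t)s->bus);
    instance_finalize(s);
    registry_reset();
    return registered;
}

int main(void)
{
    printf("buggy, init->deinit: dangling=%d\n", introspect_leaves_dangling(buggy_instance_init));
    printf("fixed, init->deinit: dangling=%d\n", introspect_leaves_dangling(fixed_instance_init));
    printf("buggy, realized: registered=%d\n", realized_bus_is_registered(buggy_instance_init, buggy_realize));
    printf("fixed, realized: registered=%d\n", realized_bus_is_registered(fixed_instance_init, fixed_realize));
    return 0;
}
```

The point the model makes is that both variants look identical on the normal init, realize, run path, which is why the bug only shows up under a tool like the introspect test or an ASAN build: only an object that is created and then finalized without being realized leaves a stale entry behind.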
Re: [PATCH 0/2] hw/pci-host: fix use-after-free in hppa pci-host devices
Posted by Richard Henderson 1 month, 3 weeks ago
On 9/18/25 04:42, Peter Maydell wrote:
> This patchset fixes use-after-free bugs which show up if you put
> some of the hppa pci-host devices through an "init -> deinit" lifecycle,
> as the device-introspect-test does.
> 
> The problem in both cases is that we were calling pci_register_root_bus()
> in instance_init: we should only call this in realize, as all the
> other callers do.
> 
> These bugs show up if you run 'make check' with an ASAN enabled
> build; they are also likely behind the intermittent segfaults
> on s390 that RTH has noticed recently.
> 
> thanks
> -- PMM
> 
> Peter Maydell (2):
>    hw/pci-host/dino: Don't call pci_register_root_bus() in init
>    hw/pci-host/astro: Don't call pci_register_root_bus() in init
> 
>   hw/pci-host/astro.c | 27 +++++++-------
>   hw/pci-host/dino.c  | 90 +++++++++++++++++++++------------------------
>   2 files changed, 55 insertions(+), 62 deletions(-)
> 

Queued, thanks.

r~
Re: [PATCH 0/2] hw/pci-host: fix use-after-free in hppa pci-host devices
Posted by Alex Bennée 1 month, 3 weeks ago
Peter Maydell <peter.maydell@linaro.org> writes:

> This patchset fixes use-after-free bugs which show up if you put
> some of the hppa pci-host devices through an "init -> deinit" lifecycle,
> as the device-introspect-test does.
>
> The problem in both cases is that we were calling pci_register_root_bus()
> in instance_init: we should only call this in realize, as all the
> other callers do.
>
> These bugs show up if you run 'make check' with an ASAN enabled
> build; they are also likely behind the intermittent segfaults
> on s390 that RTH has noticed recently.

Tested-by: Alex Bennée <alex.bennee@linaro.org>

-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro