From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Richard Henderson, Helge Deller
Subject: [PATCH 1/2] hw/pci-host/dino: Don't call pci_register_root_bus() in init
Date: Thu, 18 Sep 2025 12:42:58 +0100
Message-ID: <20250918114259.1802337-2-peter.maydell@linaro.org>
In-Reply-To: <20250918114259.1802337-1-peter.maydell@linaro.org>

In the dino PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons:
 * the PCI bridge is then available to the rest of the simulation (e.g.
   via pci_qdev_find_device()), even though it hasn't yet been realized
 * we do not attempt to unregister in an instance_deinit, which means
   that if you go through an instance_init -> deinit lifecycle the freed
   memory for the host-bridge device is left on the pci_host_bridges list

ASAN reports the resulting use-after-free:

==1771223==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000018f80 at pc 0x5b4b9d3369b5 bp 0x7ffd01929980 sp 0x7ffd01929978
WRITE of size 8 at 0x527000018f80 thread T0
    #0 0x5b4b9d3369b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
    #1 0x5b4b9d321566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
    #2 0x5b4b9d3215e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
    #3 0x5b4b9d321fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
    #4 0x5b4b9d390521 in dino_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/dino.c:473:16

0x527000018f80 is located 1664 bytes inside of 12384-byte region [0x527000018900,0x52700001b960)
freed by thread T0 here:
    #0 0x5b4b9cab185a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)
    #1 0x5b4b9e3ee723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
    #2 0x5b4b9e3e69db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
    #3 0x5b4b9ea6173c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5
    #4 0x5b4b9ec4e0f3 in qmp_marshal_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qapi/qapi-commands-qdev.c:65:14

previously allocated by thread T0 here:
    #0 0x5b4b9cab1af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)
    #1 0x799d8270eb09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #2 0x5b4b9e3e75fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
    #3 0x5b4b9e3e7409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
    #4 0x5b4b9ea609a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11

where we allocated one instance of the dino device, put it on the
list, freed it, and then trying to allocate a second instance touches
the freed memory on the pci_host_bridges list.

Fix this by deferring all the setup of memory regions and registering
the PCI bridge to the device's realize method. This brings it into
line with almost all other PCI host bridges, which call
pci_register_root_bus() in realize.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118
Fixes: 63901b6cc4d8b4 ("dino: move PCI bus initialisation to dino_pcihost_init()")
Signed-off-by: Peter Maydell
Reviewed-by: Alex Bennée
Tested-by: Alex Bennée
---
 hw/pci-host/dino.c | 90 +++++++++++++++++++++-------------------
 1 file changed, 41 insertions(+), 49 deletions(-)

diff --git a/hw/pci-host/dino.c b/hw/pci-host/dino.c
index 11b353be2ea..924053499c1 100644
--- a/hw/pci-host/dino.c
+++ b/hw/pci-host/dino.c
@@ -413,6 +413,47 @@ static void dino_pcihost_reset(DeviceState *dev) static void dino_pcihost_realize(DeviceState *dev, Error **errp) { DinoState *s =3D DINO_PCI_HOST_BRIDGE(dev); + PCIHostState *phb =3D PCI_HOST_BRIDGE(dev); + + /* Dino PCI access from main memory. */ + memory_region_init_io(&s->this_mem, OBJECT(s), &dino_chip_ops, + s, "dino", 4096); + + /* Dino PCI config. */ + memory_region_init_io(&phb->conf_mem, OBJECT(phb), + &dino_config_addr_ops, DEVICE(s), + "pci-conf-idx", 4); + memory_region_init_io(&phb->data_mem, OBJECT(phb), + &dino_config_data_ops, DEVICE(s), + "pci-conf-data", 4); + memory_region_add_subregion(&s->this_mem, DINO_PCI_CONFIG_ADDR, + &phb->conf_mem); + memory_region_add_subregion(&s->this_mem, DINO_CONFIG_DATA, + &phb->data_mem); + + /* Dino PCI bus memory. */ + memory_region_init(&s->pci_mem, OBJECT(s), "pci-memory", 4 * GiB); + + phb->bus =3D pci_register_root_bus(DEVICE(s), "pci", + dino_set_irq, dino_pci_map_irq, s, + &s->pci_mem, get_system_io(), + PCI_DEVFN(0, 0), 32, TYPE_PCI_BUS); + + /* Set up windows into PCI bus memory. */ + for (int i =3D 1; i < 31; i++) { + uint32_t addr =3D 0xf0000000 + i * DINO_MEM_CHUNK_SIZE; + char *name =3D g_strdup_printf("PCI Outbound Window %d", i); + memory_region_init_alias(&s->pci_mem_alias[i], OBJECT(s), + name, &s->pci_mem, addr, + DINO_MEM_CHUNK_SIZE); + g_free(name); + } + + pci_setup_iommu(phb->bus, &dino_iommu_ops, s); + + sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->this_mem); + + qdev_init_gpio_in(dev, dino_set_irq, DINO_IRQS); =20 /* Set up PCI view of memory: Bus master address space. */ memory_region_init(&s->bm, OBJECT(s), "bm-dino", 4 * GiB); 
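Review bot: the realize body now registers the root bus, initialises the MMIO region and adds the GPIO inputs, but dino_pcihost_unrealize() (whose tail is visible as context in the next hunk and only destroys s->bm_as) gains no matching unregister, so a realize -> unrealize -> realize cycle would put the bus on pci_host_bridges twice; that is acceptable only if the device is never re-realized, so either confirm in the commit message that dino has dc->user_creatable = false (as patch 2's class_init shows for elroy) or add a short comment above pci_register_root_bus() saying that realize is one-shot.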
@@ -444,54 +485,6 @@ static void dino_pcihost_unrealize(DeviceState *dev) address_space_destroy(&s->bm_as); } =20 -static void dino_pcihost_init(Object *obj) -{ - DinoState *s =3D DINO_PCI_HOST_BRIDGE(obj); - PCIHostState *phb =3D PCI_HOST_BRIDGE(obj); - SysBusDevice *sbd =3D SYS_BUS_DEVICE(obj); - int i; - - /* Dino PCI access from main memory. */ - memory_region_init_io(&s->this_mem, OBJECT(s), &dino_chip_ops, - s, "dino", 4096); - - /* Dino PCI config. */ - memory_region_init_io(&phb->conf_mem, OBJECT(phb), - &dino_config_addr_ops, DEVICE(s), - "pci-conf-idx", 4); - memory_region_init_io(&phb->data_mem, OBJECT(phb), - &dino_config_data_ops, DEVICE(s), - "pci-conf-data", 4); - memory_region_add_subregion(&s->this_mem, DINO_PCI_CONFIG_ADDR, - &phb->conf_mem); - memory_region_add_subregion(&s->this_mem, DINO_CONFIG_DATA, - &phb->data_mem); - - /* Dino PCI bus memory. */ - memory_region_init(&s->pci_mem, OBJECT(s), "pci-memory", 4 * GiB); - - phb->bus =3D pci_register_root_bus(DEVICE(s), "pci", - dino_set_irq, dino_pci_map_irq, s, - &s->pci_mem, get_system_io(), - PCI_DEVFN(0, 0), 32, TYPE_PCI_BUS); - - /* Set up windows into PCI bus memory. */ - for (i =3D 1; i < 31; i++) { - uint32_t addr =3D 0xf0000000 + i * DINO_MEM_CHUNK_SIZE; - char *name =3D g_strdup_printf("PCI Outbound Window %d", i); - memory_region_init_alias(&s->pci_mem_alias[i], OBJECT(s), - name, &s->pci_mem, addr, - DINO_MEM_CHUNK_SIZE); - g_free(name); - } - - pci_setup_iommu(phb->bus, &dino_iommu_ops, s); - - sysbus_init_mmio(sbd, &s->this_mem); - - qdev_init_gpio_in(DEVICE(obj), dino_set_irq, DINO_IRQS); -} - static const Property dino_pcihost_properties[] =3D { DEFINE_PROP_LINK("memory-as", DinoState, memory_as, TYPE_MEMORY_REGION, MemoryRegion *), 
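Review bot: the removed dino_pcihost_init() used to make phb->bus, s->pci_mem and the s->pci_mem_alias[] windows valid immediately after object creation, whereas after this change they are NULL or uninitialised until realize, so any machine code that looked them up on an unrealized dino (for instance via pci_qdev_find_device(), which the commit message mentions) would now dereference NULL; the diff cannot show those callers, so a sentence in the commit message saying the hppa board code was checked for accesses between object_new() and realize would make that reviewable.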
@@ -511,7 +504,6 @@ static void dino_pcihost_class_init(ObjectClass *klass,= const void *data) static const TypeInfo dino_pcihost_info =3D { .name =3D TYPE_DINO_PCI_HOST_BRIDGE, .parent =3D TYPE_PCI_HOST_BRIDGE, - .instance_init =3D dino_pcihost_init, .instance_size =3D sizeof(DinoState), .class_init =3D dino_pcihost_class_init, }; --=20 2.43.0
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Richard Henderson, Helge Deller
Subject: [PATCH 2/2] hw/pci-host/astro: Don't call pci_register_root_bus() in init
Date: Thu, 18 Sep 2025 12:42:59 +0100
Message-ID: <20250918114259.1802337-3-peter.maydell@linaro.org>
In-Reply-To: <20250918114259.1802337-1-peter.maydell@linaro.org>

In the astro PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons:
 * the PCI bridge is then available to the rest of the simulation (e.g.
   via pci_qdev_find_device()), even though it hasn't yet been realized
 * we do not attempt to unregister in an instance_deinit, which means
   that if you go through an instance_init -> deinit lifecycle the freed
   memory for the host-bridge device is left on the pci_host_bridges list

ASAN reports the resulting use-after-free:

==1776584==ERROR: AddressSanitizer: heap-use-after-free on address 0x51f00000cb00 at pc 0x5b2d460a89b5 bp 0x7ffef7617f50 sp 0x7ffef7617f48
WRITE of size 8 at 0x51f00000cb00 thread T0
    #0 0x5b2d460a89b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
    #1 0x5b2d46093566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
    #2 0x5b2d460935e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
    #3 0x5b2d46093fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
    #4 0x5b2d46fe2335 in elroy_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/astro.c:455:16

0x51f00000cb00 is located 1664 bytes inside of 3456-byte region [0x51f00000c480,0x51f00000d200)
freed by thread T0 here:
    #0 0x5b2d4582385a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
    #1 0x5b2d47160723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
    #2 0x5b2d471589db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
    #3 0x5b2d477d373c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5

previously allocated by thread T0 here:
    #0 0x5b2d45823af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
    #1 0x79728fa08b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #2 0x5b2d471595fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
    #3 0x5b2d47159409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
    #4 0x5b2d477d29a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11

Cc: qemu-stable@nongnu.org
Fixes: e029bb00a79be ("hw/pci-host: Add Astro system bus adapter found on PA-RISC machines")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118
Signed-off-by: Peter Maydell
Reviewed-by: Alex Bennée
Tested-by: Alex Bennée
---
 hw/pci-host/astro.c | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/hw/pci-host/astro.c b/hw/pci-host/astro.c
index 859e308c577..1024ede7b68 100644
--- a/hw/pci-host/astro.c
+++ b/hw/pci-host/astro.c
@@ -424,22 +424,23 @@ static void elroy_reset(DeviceState *dev) } } =20 -static void elroy_pcihost_init(Object *obj) +static void elroy_pcihost_realize(DeviceState *dev, Error **errp) { - ElroyState *s =3D ELROY_PCI_HOST_BRIDGE(obj); - PCIHostState *phb =3D PCI_HOST_BRIDGE(obj); - SysBusDevice *sbd =3D SYS_BUS_DEVICE(obj); + ElroyState *s =3D ELROY_PCI_HOST_BRIDGE(dev); + PCIHostState *phb =3D PCI_HOST_BRIDGE(dev); + SysBusDevice *sbd =3D SYS_BUS_DEVICE(dev); + Object *obj =3D OBJECT(s); =20 /* Elroy config access from CPU. */ - memory_region_init_io(&s->this_mem, OBJECT(s), &elroy_chip_ops, + memory_region_init_io(&s->this_mem, obj, &elroy_chip_ops, s, "elroy", 0x2000); =20 /* Elroy PCI config. */ - memory_region_init_io(&phb->conf_mem, OBJECT(phb), - &elroy_config_addr_ops, DEVICE(s), + memory_region_init_io(&phb->conf_mem, obj, + &elroy_config_addr_ops, dev, "pci-conf-idx", 8); - memory_region_init_io(&phb->data_mem, OBJECT(phb), - &elroy_config_data_ops, DEVICE(s), + memory_region_init_io(&phb->data_mem, obj, + &elroy_config_data_ops, dev, "pci-conf-data", 8); memory_region_add_subregion(&s->this_mem, 0x40, &phb->conf_mem); @@ -447,8 +448,8 @@ static void elroy_pcihost_init(Object *obj) &phb->data_mem); =20 /* Elroy PCI bus memory. */ - memory_region_init(&s->pci_mmio, OBJECT(s), "pci-mmio", UINT64_MAX); - memory_region_init_io(&s->pci_io, OBJECT(s), &unassigned_io_ops, obj, + memory_region_init(&s->pci_mmio, obj, "pci-mmio", UINT64_MAX); + memory_region_init_io(&s->pci_io, obj, &unassigned_io_ops, obj, "pci-isa-mmio", ((uint32_t) IOS_DIST_BASE_SIZE) / ROPES_PER_IO= C); =20 @@ -459,7 +460,7 @@ static void elroy_pcihost_init(Object *obj) =20 sysbus_init_mmio(sbd, &s->this_mem); =20 - qdev_init_gpio_in(DEVICE(obj), elroy_set_irq, ELROY_IRQS); + qdev_init_gpio_in(dev, elroy_set_irq, ELROY_IRQS); } =20 static const VMStateDescription vmstate_elroy =3D { 
@@ -487,6 +488,7 @@ static void elroy_pcihost_class_init(ObjectClass *klass= , const void *data) DeviceClass *dc =3D DEVICE_CLASS(klass); =20 device_class_set_legacy_reset(dc, elroy_reset); + dc->realize =3D elroy_pcihost_realize; dc->vmsd =3D &vmstate_elroy; dc->user_creatable =3D false; } @@ -494,7 +496,6 @@ static void elroy_pcihost_class_init(ObjectClass *klass= , const void *data) static const TypeInfo elroy_pcihost_info =3D { .name =3D TYPE_ELROY_PCI_HOST_BRIDGE, .parent =3D TYPE_PCI_HOST_BRIDGE, - .instance_init =3D elroy_pcihost_init, .instance_size =3D sizeof(ElroyState), .class_init =3D elroy_pcihost_class_init, }; --=20 2.43.0
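Review bot: in the elroy_pcihost_realize hunk the owner passed to memory_region_init_io() for phb->conf_mem and phb->data_mem changes from OBJECT(phb) to obj and the opaque from DEVICE(s) to dev, and the pci_mmio/pci_io owners change from OBJECT(s) to obj; these all resolve to the same object, so behaviour is unchanged, but it is an unrelated cleanup inside a fix that is Cc'd to qemu-stable, so either mention the cleanup in the commit message or keep those lines as they were so the diff is the pure init-to-realize move that the dino patch is.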
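Review bot: dc->realize = elroy_pcihost_realize is the first realize the elroy class gets and the class still has no unrealize, so the root-bus registration has no teardown; the context line dc->user_creatable = false rules out user-initiated hot-plug, but whatever creates Elroy instances in astro.c must now realize them before reading phb->bus or s->this_mem, which used to be valid straight after object creation; a sentence in the commit message confirming that the creation path in astro.c was checked would make that reviewable without the full file.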
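The lifecycle both commit messages describe, as an added example that is not part of these patches or of QEMU: a small registry stands in for the pci_host_bridges list, buggy_init() registers during instance_init the way dino_pcihost_init() and elroy_pcihost_init() did, and fixed_init()/fixed_realize() defer registration to realize as the patches do. All type and function names are constructed for the example; the registry stores pointers it never dereferences, so the stale entry the buggy path leaves behind is counted rather than written through.

```c
/* Added example, not QEMU's code: a minimal model of the QOM lifecycle bug
 * these patches fix. All names (host_bridge_t, phb_registry, buggy_init,
 * fixed_init, lifecycle, ...) are constructed for the example. */
#include <stdlib.h>
#include <string.h>

#define MAX_BRIDGES 8

typedef struct { int realized; } host_bridge_t;
/* Registry size after each lifecycle stage; -1 if the stage was skipped. */
typedef struct { int after_init, after_realize, after_finalize; } counts_t;

/* Stand-in for the global pci_host_bridges list: raw pointers that are never
 * dereferenced, so a stale entry from a freed device is counted, not read. */
static host_bridge_t *phb_registry[MAX_BRIDGES];

/* Equivalent of pci_host_bus_register(): put the bridge on the list. */
static int registry_register(host_bridge_t *b)
{
    for (int i = 0; i < MAX_BRIDGES; i++) {
        if (phb_registry[i] == NULL) {
            phb_registry[i] = b;
            return 0;
        }
    }
    return -1;
}

/* Entries on the list, live or dangling. */
static int registry_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_BRIDGES; i++) {
        n += (phb_registry[i] != NULL);
    }
    return n;
}

/* Before the patch: instance_init registers the bridge and nothing ever
 * unregisters it, so an init -> finalize cycle leaves a dangling pointer. */
static host_bridge_t *buggy_init(void)
{
    host_bridge_t *b = calloc(1, sizeof(*b));
    registry_register(b);
    return b;
}

/* After the patch: instance_init touches no global state and registration
 * happens in realize, which the QMP probe path never reaches. */
static host_bridge_t *fixed_init(void)
{
    return calloc(1, sizeof(host_bridge_t));
}

static void fixed_realize(host_bridge_t *b)
{
    registry_register(b);
    b->realized = 1;
}

/* Neither variant unregisters in finalize, matching the dino code. */
static void bridge_finalize(host_bridge_t *b) { free(b); }

/* Run one object lifecycle. do_realize = 0 mirrors qmp_device_list_properties
 * in the ASAN trace: object_new -> object_unref with no realize in between. */
static counts_t lifecycle(int use_fix, int do_realize)
{
    counts_t c = { -1, -1, -1 };
    memset(phb_registry, 0, sizeof(phb_registry));
    host_bridge_t *b = use_fix ? fixed_init() : buggy_init();
    c.after_init = registry_count();
    if (do_realize && use_fix) {   /* the buggy path already registered */
        fixed_realize(b);
        c.after_realize = registry_count();
    }
    bridge_finalize(b);
    c.after_finalize = registry_count();   /* > 0 means a dangling pointer */
    return c;
}
```

lifecycle(0, 0) reproduces the trace's shape: the bridge is listed before any realize and the entry survives free(), which is exactly what the next pci_host_bus_register() writes through in the real bug.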