From: Michal Privoznik
To: qemu-devel@nongnu.org
Cc: alex.williamson@redhat.com
Subject: [PATCH 1/2] hw/vfio/pci: Fix double free of migration_blocker
Date: Mon, 11 Nov 2019 11:37:41 +0100

When a user tries to hotplug a VFIO device, but the operation fails
somewhere in the middle (in my testing it failed because of
RLIMIT_MEMLOCK forbidding more memory allocation), then a double free
occurs. In vfio_realize() the vdev->migration_blocker is allocated,
then something goes wrong which causes control to jump to the 'error'
label where the error is freed. But the pointer is left pointing to
invalid memory. Later, when vfio_instance_finalize() is called, the
memory is freed again.

In my testing the second hunk was sufficient to fix the bug, but I
figured the first hunk doesn't hurt either.
==169952== Invalid read of size 8
==169952==    at 0xA47DCD: error_free (error.c:266)
==169952==    by 0x4E0A18: vfio_instance_finalize (pci.c:3040)
==169952==    by 0x8DF74C: object_deinit (object.c:606)
==169952==    by 0x8DF7BE: object_finalize (object.c:620)
==169952==    by 0x8E0757: object_unref (object.c:1074)
==169952==    by 0x45079C: memory_region_unref (memory.c:1779)
==169952==    by 0x45376B: do_address_space_destroy (memory.c:2793)
==169952==    by 0xA5C600: call_rcu_thread (rcu.c:283)
==169952==    by 0xA427CB: qemu_thread_start (qemu-thread-posix.c:519)
==169952==    by 0x80A8457: start_thread (in /lib64/libpthread-2.29.so)
==169952==    by 0x81C96EE: clone (in /lib64/libc-2.29.so)
==169952==  Address 0x143137e0 is 0 bytes inside a block of size 48 free'd
==169952==    at 0x4A342BB: free (vg_replace_malloc.c:530)
==169952==    by 0xA47E05: error_free (error.c:270)
==169952==    by 0x4E0945: vfio_realize (pci.c:3025)
==169952==    by 0x76A4FF: pci_qdev_realize (pci.c:2099)
==169952==    by 0x689B9A: device_set_realized (qdev.c:876)
==169952==    by 0x8E2C80: property_set_bool (object.c:2080)
==169952==    by 0x8E0EF6: object_property_set (object.c:1272)
==169952==    by 0x8E3FC8: object_property_set_qobject (qom-qobject.c:26)
==169952==    by 0x8E11DB: object_property_set_bool (object.c:1338)
==169952==    by 0x5E7BDD: qdev_device_add (qdev-monitor.c:673)
==169952==    by 0x5E81E5: qmp_device_add (qdev-monitor.c:798)
==169952==    by 0x9E18A8: do_qmp_dispatch (qmp-dispatch.c:132)
==169952==  Block was alloc'd at
==169952==    at 0x4A35476: calloc (vg_replace_malloc.c:752)
==169952==    by 0x51B1158: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6000.6)
==169952==    by 0xA47357: error_setv (error.c:61)
==169952==    by 0xA475D9: error_setg_internal (error.c:97)
==169952==    by 0x4DF8C2: vfio_realize (pci.c:2737)
==169952==    by 0x76A4FF: pci_qdev_realize (pci.c:2099)
==169952==    by 0x689B9A: device_set_realized (qdev.c:876)
==169952==    by 0x8E2C80: property_set_bool (object.c:2080)
==169952==    by 0x8E0EF6: object_property_set (object.c:1272)
==169952==    by 0x8E3FC8: object_property_set_qobject (qom-qobject.c:26)
==169952==    by 0x8E11DB: object_property_set_bool (object.c:1338)
==169952==    by 0x5E7BDD: qdev_device_add (qdev-monitor.c:673)

Signed-off-by: Michal Privoznik
Reviewed-by: Cornelia Huck
---
 hw/vfio/pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index e6569a7968..9c165995df 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2740,6 +2740,7 @@ static void vfio_realize(PCIDevice *pdev, Error **errp)
         if (err) {
             error_propagate(errp, err);
             error_free(vdev->migration_blocker);
+            vdev->migration_blocker = NULL;
             return;
         }
     }
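Review bot: the `return` in this hunk leaves vfio_realize() without ever reaching the `error:` label, so without the added `vdev->migration_blocker = NULL;` vfio_instance_finalize() would later see the same freed pointer on this path too; the commit message presents this hunk as merely harmless ("doesn't hurt"), but it closes a second instance of the same dangling pointer and should say so. Not calling migrate_del_blocker() here, unlike at the `error:` label, is consistent with the blocker not having been registered when `err` is set, so no change is needed there.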
@@ -3023,6 +3024,7 @@ error:
     if (vdev->migration_blocker) {
         migrate_del_blocker(vdev->migration_blocker);
         error_free(vdev->migration_blocker);
+        vdev->migration_blocker = NULL;
     }
 }
 
-- 
2.23.0
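Review bot: after this hunk the del-blocker/free/NULL sequence at the `error:` label and the free/NULL pair in the first hunk are the same cleanup written out twice, with vfio_instance_finalize() (pci.c:3040 in the valgrind trace) as a third site that frees the same pointer; consider moving the three lines into one small helper (a hypothetical `vfio_migration_blocker_cleanup(vdev)`, name not from the patch) so a future error path cannot drop the NULL assignment again. The fix itself is right: the trace shows the block freed at pci.c:3025 and read again at pci.c:3040, and clearing the pointer at the first site is what stops the second access.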
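The failure sequence described in the commit message, as an added example that is not part of the patch or of QEMU's code: a small C model in which `Error`, `vfio_realize_sim()` and `vfio_instance_finalize_sim()` are constructed stand-ins for the QEMU functions, and the free counters are instrumentation added for the demonstration. Instead of letting a repeated release reach `free()`, the model records it, so the same scenario can be run with and without the NULL assignment and compared.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for QEMU's Error: a message plus a "freed" flag
 * that plays the role valgrind plays in the report above. */
typedef struct Error {
    const char *msg;
    bool freed;
} Error;

/* Only the field the bug is about. */
typedef struct VFIOPCIDevice {
    Error *migration_blocker;
} VFIOPCIDevice;

/* Instrumentation (not QEMU API): counts first and repeated frees. */
static int frees;
static int double_frees;
static Error *last_error;   /* kept so the scenario can release storage */

static void error_setg_sim(Error **errp, const char *msg)
{
    Error *e = calloc(1, sizeof(*e));
    e->msg = msg;
    *errp = e;
    last_error = e;
}

/* Mirrors the NULL-tolerant shape of error_free(); a second release of
 * the same object is counted instead of being handed to free() again. */
static void error_free_sim(Error *err)
{
    if (!err) {
        return;
    }
    if (err->freed) {
        double_frees++;
        return;
    }
    err->freed = true;
    frees++;
}

/* Simulated vfio_realize(): the blocker is set, a later step fails
 * (RLIMIT_MEMLOCK in the report), and control reaches the error label. */
static int vfio_realize_sim(VFIOPCIDevice *vdev, bool with_fix)
{
    bool mapping_failed = true;   /* injected failure */

    error_setg_sim(&vdev->migration_blocker,
                   "VFIO device doesn't support migration");
    if (mapping_failed) {
        goto error;
    }
    return 0;

error:
    if (vdev->migration_blocker) {
        /* migrate_del_blocker() has no counterpart in this model */
        error_free_sim(vdev->migration_blocker);
        if (with_fix) {
            vdev->migration_blocker = NULL;   /* the line the patch adds */
        }
    }
    return -1;
}

/* Simulated vfio_instance_finalize(): runs later from object_unref(). */
static void vfio_instance_finalize_sim(VFIOPCIDevice *vdev)
{
    if (vdev->migration_blocker) {
        error_free_sim(vdev->migration_blocker);
        vdev->migration_blocker = NULL;
    }
}

/* Failed hotplug followed by teardown; returns the number of repeated
 * frees observed: 1 without the fix, 0 with it. */
int failed_hotplug_double_frees(bool with_fix)
{
    VFIOPCIDevice vdev = { 0 };

    frees = double_frees = 0;
    last_error = NULL;
    vfio_realize_sim(&vdev, with_fix);
    vfio_instance_finalize_sim(&vdev);
    free(last_error);   /* release the model's storage exactly once */
    return double_frees;
}

/* Number of genuine releases in the last run (always 1 here). */
int frees_in_last_run(void)
{
    return frees;
}

int main(void)
{
    printf("without fix: %d double free(s)\n", failed_hotplug_double_frees(false));
    printf("with fix:    %d double free(s)\n", failed_hotplug_double_frees(true));
    return 0;
}
```

The point the model makes is the one the patch relies on: the `error:` label and the finalize path are both legitimate owners of the blocker at different times, so the only way for them to coexist is for the first one to release the object and also clear the pointer, leaving the later `if (vdev->migration_blocker)` guard with nothing to do.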
From: Michal Privoznik
To: qemu-devel@nongnu.org
Cc: alex.williamson@redhat.com
Subject: [PATCH 2/2] vfio-helpers: Free QEMUVFIOState in qemu_vfio_close()
Date: Mon, 11 Nov 2019 11:37:42 +0100
Message-Id: <14247f68a13c7b9292b91eb7df02de9b9d248544.1573468531.git.mprivozn@redhat.com>

The qemu_vfio_open_pci() allocates this QEMUVFIOState structure but
the free counterpart is missing. Since we already have qemu_vfio_close()
which does cleanup of the state, it looks like a perfect place to free
the structure too.
==178278== 528 (360 direct, 168 indirect) bytes in 1 blocks are definitely lost in loss record 6,605 of 6,985
==178278==    at 0x4A35476: calloc (vg_replace_malloc.c:752)
==178278==    by 0x51B1158: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6000.6)
==178278==    by 0xA68613: qemu_vfio_open_pci (vfio-helpers.c:428)
==178278==    by 0x9779EA: nvme_init (nvme.c:606)
==178278==    by 0x97830F: nvme_file_open (nvme.c:795)
==178278==    by 0x8E9439: bdrv_open_driver (block.c:1293)
==178278==    by 0x8E9E1C: bdrv_open_common (block.c:1553)
==178278==    by 0x8ED264: bdrv_open_inherit (block.c:3083)
==178278==    by 0x8ED79D: bdrv_open (block.c:3176)
==178278==    by 0x5DA5C1: bds_tree_init (blockdev.c:670)
==178278==    by 0x5E2B64: qmp_blockdev_add (blockdev.c:4354)
==178278==    by 0x5ECB1D: configure_blockdev (vl.c:1202)

Signed-off-by: Michal Privoznik
---
 util/vfio-helpers.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/vfio-helpers.c b/util/vfio-helpers.c
index 813f7ec564..5ff91c1e5c 100644
--- a/util/vfio-helpers.c
+++ b/util/vfio-helpers.c
@@ -721,4 +721,5 @@ void qemu_vfio_close(QEMUVFIOState *s)
     close(s->device);
     close(s->group);
     close(s->container);
+    g_free(s);
 }
-- 
2.23.0
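Review bot: adding `g_free(s);` at the end of qemu_vfio_close() changes the function's contract from "tear down" to "tear down and release", so every caller must stop touching the pointer after the call; the trace names the nvme block driver (nvme_init, nvme.c:606) as the allocating caller, and the commit message should record that its close path was checked for a later use of the state and that no caller already frees it itself, otherwise this turns a leak into a use-after-free or double free. A short comment above the function stating that it releases `s` would document the new ownership rule for future callers.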