qemu/hw
Peter Maydell 837030e11c hw/pci-host/astro: Don't call pci_register_root_bus() in init
In the astro PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons:
 * the PCI bridge is then available to the rest of the simulation
   (e.g. via pci_qdev_find_device()), even though it hasn't
   yet been realized
 * we do not attempt to unregister in an instance_deinit,
   which means that if you go through an instance_init -> deinit
   lifecycle the freed memory for the host-bridge device is
   left on the pci_host_bridges list

ASAN reports the resulting use-after-free:

==1776584==ERROR: AddressSanitizer: heap-use-after-free on address 0x51f00000cb00 at pc 0x5b2d460a89b5 bp 0x7ffef7617f50 sp 0x7ffef7617f48
WRITE of size 8 at 0x51f00000cb00 thread T0
    #0 0x5b2d460a89b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
    #1 0x5b2d46093566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
    #2 0x5b2d460935e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
    #3 0x5b2d46093fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
    #4 0x5b2d46fe2335 in elroy_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/astro.c:455:16

0x51f00000cb00 is located 1664 bytes inside of 3456-byte region [0x51f00000c480,0x51f00000d200)
freed by thread T0 here:
    #0 0x5b2d4582385a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
    #1 0x5b2d47160723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
    #2 0x5b2d471589db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
    #3 0x5b2d477d373c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5

previously allocated by thread T0 here:
    #0 0x5b2d45823af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
    #1 0x79728fa08b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #2 0x5b2d471595fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
    #3 0x5b2d47159409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
    #4 0x5b2d477d29a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11

Cc: qemu-stable@nongnu.org
Fixes: e029bb00a7 ("hw/pci-host: Add Astro system bus adapter found on PA-RISC machines")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250918114259.1802337-3-peter.maydell@linaro.org>
(cherry picked from commit 76d2b8d42a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2025-09-26 09:59:25 +03:00
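The commit message describes a QOM lifecycle mistake that is easy to repeat in any device model: anything registered on a global list from instance_init is visible to lookups before the device is realized, and if nothing undoes it in finalize, the freed object stays on the list. The reported trigger is the QMP device-list-properties command, which does object_new followed by object_unref without ever realizing the device (frames #3-#5 of the "previously allocated" and "freed by" traces above). The next instance_init that registers a bus then inserts in front of the stale head; in a QLIST-style list that insertion writes the old head's back-pointer, which is consistent with the 8-byte write the trace attributes to pci_host_bus_register. The C model below is an added example, not QEMU code: every type, function and the quarantine mechanism are assumptions of the model, and the "fixed" variant (register in realize, unregister before freeing) is one shape the fix can take, not a description of the actual patch. Finalized objects are poisoned and quarantined rather than freed so the dangling entry can be detected without relying on ASAN.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALIVE 0x4C495645u   /* object is live */
#define DEAD  0x44454144u   /* object has been finalized */

/* Hypothetical stand-in for a PCI host bridge state. The link fields mirror a
 * QLIST-style doubly linked entry so that head insertion touches the old head. */
typedef struct Bridge {
    uint32_t magic;           /* ALIVE or DEAD; lets the model spot stale entries */
    char name[16];
    bool realized;
    struct Bridge *next;
    struct Bridge **prev;     /* address of the pointer that links to this node */
} Bridge;

static Bridge *bridges;       /* stands in for the global pci_host_bridges list */

/* Quarantine instead of free(): finalized objects are poisoned and kept alive so
 * a dangling list entry is recognisable instead of being silently overwritten. */
static Bridge *quarantine[16];
static int quarantined;

static void obj_finalize_free(Bridge *b)
{
    b->magic = DEAD;
    if (quarantined < 16)
        quarantine[quarantined++] = b;
}

/* Head insertion, as pci_host_bus_register() does. Refuses rather than writing
 * the back-pointer of a finalized head; on a real build that write is the UAF. */
static bool bridge_register(Bridge *b)
{
    if (bridges && bridges->magic != ALIVE)
        return false;
    b->next = bridges;
    if (bridges)
        bridges->prev = &b->next;   /* the write into the previous head */
    b->prev = &bridges;
    bridges = b;
    return true;
}

static void bridge_unregister(Bridge *b)
{
    if (b->next)
        b->next->prev = b->prev;
    *b->prev = b->next;
    b->next = NULL;
    b->prev = NULL;
}

/* Lookup by name, like pci_qdev_find_device(); stops at a finalized node. */
static Bridge *bridge_find(const char *name)
{
    for (Bridge *b = bridges; b && b->magic == ALIVE; b = b->next)
        if (strcmp(b->name, name) == 0)
            return b;
    return NULL;
}

static Bridge *bridge_alloc(const char *name)
{
    Bridge *b = calloc(1, sizeof *b);
    if (!b)
        abort();
    b->magic = ALIVE;
    strncpy(b->name, name, sizeof b->name - 1);
    return b;
}

/* Buggy lifecycle: registers from instance_init, undoes nothing on finalize. */
static Bridge *buggy_instance_init(const char *name)
{
    Bridge *b = bridge_alloc(name);
    bridge_register(b);          /* return value ignored, as the bug would */
    return b;
}
static void buggy_finalize(Bridge *b) { obj_finalize_free(b); }

/* Fixed lifecycle: registers only in realize, unregisters before freeing. */
static Bridge *fixed_instance_init(const char *name) { return bridge_alloc(name); }
static bool fixed_realize(Bridge *b) { b->realized = true; return bridge_register(b); }
static void fixed_finalize(Bridge *b)
{
    if (b->realized)
        bridge_unregister(b);
    obj_finalize_free(b);
}

typedef struct {
    bool visible_before_realize;         /* found by lookup without being realized */
    bool stale_head_after_free;          /* list head points at finalized memory */
    bool later_instance_registers_cleanly; /* a later init + realize lands on a sane list */
} Outcome;

/* Replays the trigger: object_new + object_unref with no realize (as
 * device-list-properties does), then an ordinary instance_init + realize. */
static Outcome run_cycle(bool fixed)
{
    Outcome o = {0};
    bridges = NULL;
    for (int i = 0; i < quarantined; i++)
        free(quarantine[i]);
    quarantined = 0;

    Bridge *probe = fixed ? fixed_instance_init("astro") : buggy_instance_init("astro");
    o.visible_before_realize = bridge_find("astro") == probe;
    if (fixed) fixed_finalize(probe); else buggy_finalize(probe);
    o.stale_head_after_free = bridges != NULL && bridges->magic == DEAD;

    Bridge *real = fixed ? fixed_instance_init("astro") : buggy_instance_init("astro");
    o.later_instance_registers_cleanly =
        (fixed ? fixed_realize(real) : true) && bridge_find("astro") == real;
    if (fixed) fixed_finalize(real); else buggy_finalize(real);
    return o;
}

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++) {
        Outcome o = run_cycle(fixed);
        printf("%s: visible_before_realize=%d stale_head_after_free=%d later_ok=%d\n",
               fixed ? "fixed" : "buggy", o.visible_before_realize,
               o.stale_head_after_free, o.later_instance_registers_cleanly);
    }
    return 0;
}
```

The buggy run reports the two symptoms from the commit message (visible before realize, stale head after free) and then refuses the later registration because the head is finalized; the fixed run shows none of them. When reviewing device models, the check is the same as here: any global registration in instance_init must either move to realize or be paired with an unregister in instance_finalize, otherwise the object_new/object_unref path used by introspection commands leaves dangling pointers behind.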
9pfs 9pfs: fix FD leak and reduce latency of v9fs_reclaim_fd() 2025-05-12 12:27:03 +03:00
acpi hw/i386/fw_cfg: Check ACPI availability with acpi_builtin() 2025-03-11 20:03:26 +01:00
adc include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
alpha hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
arm hw/arm/stm32f205_soc: Don't leak TYPE_OR_IRQ objects 2025-08-31 08:08:30 +03:00
audio hw/audio/asc: fix SIGSEGV in asc_realize() 2025-06-05 15:10:42 +03:00
avr hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
block hw/block/m25p80: Categorize and add description 2025-03-31 16:33:23 +02:00
char hw/char/bcm2835_aux: Fix incorrect interrupt ID when RX disabled 2025-03-31 21:32:43 +02:00
core hw/core/qdev-properties-system: Add missing return in set_drive_helper() 2025-06-05 23:59:35 +03:00
cpu hw/cpu/arm_mpcore: Remove default values for GIC external IRQs 2025-02-20 14:20:29 +00:00
cxl mem/cxl_type3: support 3, 6, 12 and 16 interleave ways 2025-02-21 07:18:42 -05:00
display hw/display/qxl-render.c: fix qxl_unpack_chunks() chunk size calculation 2025-07-28 18:58:26 +03:00
dma hw/dma/i82374: Categorize and add description 2025-03-31 16:34:01 +02:00
fsi hw: Use device_class_set_legacy_reset() instead of opencoding 2024-09-13 15:31:44 +01:00
gpio hw/gpio/pca9554: Avoid leak in pca9554_set_pin() 2025-09-04 23:16:52 +03:00
hppa hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
hyperv qapi: Move include/qapi/qmp/ to include/qobject/ 2025-02-10 15:33:16 +01:00
i2c hw/i2c/imx: Always set interrupt status bit if interrupt condition occurs 2025-05-11 09:16:33 +03:00
i386 hw/i386/amd_iommu: Move IOAPIC memory region initialization to the end 2025-08-06 10:02:36 +03:00
ide dma: use current AioContext for dma_blk_io() 2025-03-13 17:57:23 +01:00
input Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
intc hw/intc/arm_gicv3_kvm: preserve pending interrupts during cpr 2025-08-31 07:47:10 +03:00
ipack hw/ipack: Remove legacy qemu_allocate_irqs() use 2025-01-31 19:36:44 +01:00
ipmi Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
isa hw: Declare various const data as 'const' 2025-02-16 14:26:07 +01:00
loongarch hw/loongarch/virt: Fix big endian support with MCFG table 2025-06-12 02:34:19 +03:00
m68k hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
mem mem/cxl_type3: support 3, 6, 12 and 16 interleave ways 2025-02-21 07:18:42 -05:00
microblaze hw/ssi/xilinx_spi: Make device endianness configurable 2025-02-16 14:34:57 +01:00
mips target/mips: Revert TARGET_PAGE_BITS_VARY 2025-03-31 21:32:43 +02:00
misc hw/misc/aspeed_hace: Ensure HASH_IRQ is always set to prevent firmware hang 2025-05-29 10:27:30 +03:00
net e1000e: Prevent crash from legacy interrupt firing after MSI-X enable 2025-09-04 18:26:11 +03:00
nubus include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
nvme hw/nvme: cap MDTS value for internal limitation 2025-08-12 09:00:08 +03:00
nvram hw/nvram/xlnx-efuse: Do not expose as user-creatable 2025-03-31 21:32:43 +02:00
openrisc target/openrisc: Call cpu_openrisc_clock_init() in cpu_realize() 2025-03-06 15:46:18 +01:00
pci pcie_sriov: Fix configuration and state synchronization 2025-08-02 08:22:30 +03:00
pci-bridge pcie, virtio: Remove redundant pm_cap 2025-03-06 06:47:33 +01:00
pci-host hw/pci-host/astro: Don't call pci_register_root_bus() in init 2025-09-26 09:59:25 +03:00
ppc hw/ppc: Fix build error with CONFIG_POWERNV disabled 2025-09-04 23:16:52 +03:00
remote Memory pull request for 10.0 2025-02-19 08:36:26 +08:00
riscv hw/riscv: Fix type conflict of GLib function pointers 2025-05-20 09:55:35 +03:00
rtc hw/rtc/goldfish: keep time offset when resetting 2025-03-31 21:32:43 +02:00
rx hw/rx: Allow execution without either bios or kernel 2025-02-16 14:45:38 +01:00
s390x hw/s390x/ccw-device: Fix memory leak in loadparm setter 2025-07-03 15:43:18 +03:00
scsi scsi-disk: Apply error policy for host_status errors again 2025-04-08 14:59:19 +02:00
sd hw/sd/ssi-sd: Return noise (dummy byte) when no card connected 2025-08-13 09:15:28 +03:00
sensor hw: Make class data 'const' 2025-02-16 14:26:07 +01:00
sh4 exec: Declare tlb_flush*() in 'exec/cputlb.h' 2025-03-08 07:56:14 -08:00
smbios smbios: Fix buffer overrun when using path= option 2025-04-08 20:45:13 +02:00
sparc load_aout: replace bswap_needed with big_endian 2025-03-21 12:51:16 +01:00
sparc64 load_aout: replace bswap_needed with big_endian 2025-03-21 12:51:16 +01:00
ssi hw/ssi/aspeed_smc: Fix incorrect FMC_WDT2 register read on AST1030 2025-08-06 10:02:36 +03:00
timer rust: Kconfig: Factor out whether HPET is Rust or C 2025-03-20 09:23:24 +01:00
tpm hw/tpm: Have TPM TIS sysbus device inherit from DYNAMIC_SYS_BUS_DEVICE 2025-02-16 14:25:07 +01:00
tricore hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
uefi hw/uefi: open json file in binary mode 2025-08-14 09:13:28 +03:00
ufs hw/ufs: Fix incorrect comment for segment_size and allocation_unit_size 2025-04-08 20:46:10 +02:00
usb hw/usb/network: Remove hardcoded 0x40 prefix in STRING_ETHADDR response 2025-09-17 23:17:44 +03:00
vfio vfio/pci: Drop debug commentary from x-device-dirty-page-tracking 2025-03-11 19:04:58 +01:00
virtio vhost: Do not abort on log-stop error 2025-08-02 08:12:53 +03:00
vmapple hw/vmapple/vmapple: Add vmapple machine type 2025-03-04 14:45:34 +01:00
watchdog hw/arm: Mark Allwinner Technology devices as little-endian 2025-02-16 14:41:46 +01:00
xen xen: mapcache: Split mapcache_grants by ro and rw 2025-05-11 09:15:20 +03:00
xenpv hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
xtensa hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
Kconfig Misc HW patches 2025-03-05 21:54:58 +08:00
meson.build Misc HW patches 2025-03-05 21:54:58 +08:00