Proxmox-Port/qemu
1
0
Fork 0
mirror of https://github.com/qemu/qemu.git synced 2025-09-26 16:12:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
staging-10.0
qemu/hw/pci-host
History
Peter Maydell 837030e11c hw/pci-host/astro: Don't call pci_regsiter_root_bus() in init 
In the astro PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons
 * the PCI bridge is then available to the rest of the simulation
   (e.g. via pci_qdev_find_device()), even though it hasn't
   yet been realized
 * we do not attempt to unregister in an instance_deinit,
   which means that if you go through an instance_init -> deinit
   lifecycle the freed memory for the host-bridge device is
   left on the pci_host_bridges list

ASAN reports the resulting use-after-free:

==1776584==ERROR: AddressSanitizer: heap-use-after-free on address 0x51f00000cb00 at pc 0x5b2d460a89b5 bp 0x7ffef7617f50 sp 0x7ffef7617f48
WRITE of size 8 at 0x51f00000cb00 thread T0
    #0 0x5b2d460a89b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
    #1 0x5b2d46093566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
    #2 0x5b2d460935e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
    #3 0x5b2d46093fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
    #4 0x5b2d46fe2335 in elroy_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/astro.c:455:16

0x51f00000cb00 is located 1664 bytes inside of 3456-byte region [0x51f00000c480,0x51f00000d200)
freed by thread T0 here:
    #0 0x5b2d4582385a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
    #1 0x5b2d47160723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
    #2 0x5b2d471589db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
    #3 0x5b2d477d373c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5

previously allocated by thread T0 here:
    #0 0x5b2d45823af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
    #1 0x79728fa08b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #2 0x5b2d471595fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
    #3 0x5b2d47159409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
    #4 0x5b2d477d29a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11

Cc: qemu-stable@nongnu.org
Fixes: e029bb00a7 ("hw/pci-host: Add Astro system bus adapter found on PA-RISC machines")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250918114259.1802337-3-peter.maydell@linaro.org>
(cherry picked from commit 76d2b8d42a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2025-09-26 09:59:25 +03:00
..
articia.c hw/pci-host: Add emulation of Mai Logic Articia S 2023-11-07 12:59:29 -03:00
astro.c hw/pci-host/astro: Don't call pci_regsiter_root_bus() in init 2025-09-26 09:59:25 +03:00
bonito.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
designware.c hw/pci-host/designware: Fix ATU_UPPER_TARGET register access 2025-03-31 21:32:43 +02:00
dino.c hw/pci-host/dino: Don't call pci_register_root_bus() in init 2025-09-26 09:59:25 +03:00
fsl_imx8m_phy.c hw/arm/fsl-imx8mp: Add PCIe support 2025-02-25 17:02:34 +00:00
gpex-acpi.c hw/pci-host/gpex-acpi: Use acpi_uid property. 2024-11-04 16:03:24 -05:00
gpex.c hw/pci-host/gpex: Allow more than 4 legacy IRQs 2024-12-30 20:04:50 +01:00
grackle.c include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
gt64120.c hw/pci-host/gt64120: Fix endianness handling 2025-05-22 14:33:00 +03:00
i440fx.c include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
Kconfig hw/arm/fsl-imx8mp: Add PCIe support 2025-02-25 17:02:34 +00:00
meson.build hw/arm/fsl-imx8mp: Add PCIe support 2025-02-25 17:02:34 +00:00
mv643xx.h mv64361: Add dummy gigabit ethernet PHY access registers 2023-07-07 04:18:26 -03:00
mv64361.c include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
pam.c hw/pci-host/pam: Make init_pam() usage more readable 2023-05-19 10:30:46 -04:00
pnv_phb3_msi.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
pnv_phb3_pbcq.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
pnv_phb3.c Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
pnv_phb4_pec.c ppc/pnv/phb4: Add pervasive chiplet support to PHB4/5 2025-03-11 22:43:30 +10:00
pnv_phb4.c include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
pnv_phb.c Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
pnv_phb.h include/hw/ppc include/hw/pci-host: Drop extra typedefs 2023-01-20 07:25:22 +01:00
ppc4xx_pci.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
ppc440_pcix.c hw: Use device_class_set_legacy_reset() instead of opencoding 2024-09-13 15:31:44 +01:00
ppce500.c Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
q35.c include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
raven.c hw/loader: Pass ELFDATA endian order argument to load_elf() 2025-01-31 19:36:44 +01:00
remote.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
sabre.c Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
sh_pci.c hw/pci-host/sh_pcic: Replace magic value by proper definition 2023-10-19 23:13:28 +02:00
trace-events hw/ppc/ppc440_pcix: Move ppc440_pcix.c to hw/pci-host/ 2024-02-22 12:47:40 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
uninorth.c include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
versatile.c hw/pci-host: Mark versatile regions as little-endian 2025-02-16 14:41:46 +01:00
xen_igd_pt.c xen: Use ERRP_GUARD() 2020-07-10 15:18:09 +02:00
xilinx-pcie.c include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00