qemu/hw
Peter Maydell bbb31acea9 hw/pci-host/astro: Don't call pci_register_root_bus() in init
In the astro PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons:
 * the PCI bridge is then available to the rest of the simulation
   (e.g. via pci_qdev_find_device()), even though it hasn't
   yet been realized
 * we do not attempt to unregister in an instance_deinit,
   which means that if you go through an instance_init -> deinit
   lifecycle the freed memory for the host-bridge device is
   left on the pci_host_bridges list

ASAN reports the resulting use-after-free:

==1776584==ERROR: AddressSanitizer: heap-use-after-free on address 0x51f00000cb00 at pc 0x5b2d460a89b5 bp 0x7ffef7617f50 sp 0x7ffef7617f48
WRITE of size 8 at 0x51f00000cb00 thread T0
    #0 0x5b2d460a89b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
    #1 0x5b2d46093566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
    #2 0x5b2d460935e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
    #3 0x5b2d46093fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
    #4 0x5b2d46fe2335 in elroy_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/astro.c:455:16

0x51f00000cb00 is located 1664 bytes inside of 3456-byte region [0x51f00000c480,0x51f00000d200)
freed by thread T0 here:
    #0 0x5b2d4582385a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
    #1 0x5b2d47160723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
    #2 0x5b2d471589db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
    #3 0x5b2d477d373c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5

previously allocated by thread T0 here:
    #0 0x5b2d45823af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
    #1 0x79728fa08b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #2 0x5b2d471595fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
    #3 0x5b2d47159409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
    #4 0x5b2d477d29a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11

Cc: qemu-stable@nongnu.org
Fixes: e029bb00a7 ("hw/pci-host: Add Astro system bus adapter found on PA-RISC machines")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250918114259.1802337-3-peter.maydell@linaro.org>
(cherry picked from commit 76d2b8d42a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2025-09-26 09:58:36 +03:00
9pfs hw/9pfs: move G_GNUC_PRINTF to header 2025-07-16 14:18:48 +02:00
acpi hw/acpi/aml-build: Build a root node in the PPTT table 2025-07-15 02:56:40 -04:00
adc qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
alpha qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
arm hw/arm/stm32f205_soc: Don't leak TYPE_OR_IRQ objects 2025-08-31 08:08:33 +03:00
audio hw/audio/via-ac97: skip automatic zero-init of large array 2025-06-12 13:40:15 -04:00
avr qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
block hw/virtio: Build various files once 2025-07-15 02:56:39 -04:00
char hw/char/max78000_uart: Destroy FIFO on deinit 2025-09-04 23:17:16 +03:00
core hw/i386: Fix 'use-legacy-x86-rom' property compatibility 2025-07-28 17:52:34 +02:00
cpu qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
cxl hw/cxl: mailbox-utils: 0x5605 - FMAPI Initiate DC Release 2025-07-15 02:56:40 -04:00
display hw/display/framebuffer: Add cast to force 64x64 multiply 2025-08-01 16:48:50 +01:00
dma hw/dma/xlnx_csu_dma: skip automatic zero-init of large array 2025-06-12 13:40:15 -04:00
fsi qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
gpio hw/gpio/pca9554: Avoid leak in pca9554_set_pin() 2025-09-04 23:17:16 +03:00
hppa qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
hyperv hw/hyperv/syndbg: skip automatic zero-init of large array 2025-06-12 13:40:15 -04:00
i2c hw/arm: Replace TABs for spaces in OMAP board and device code 2025-05-14 14:29:47 +01:00
i386 hw/i386/microvm: Explicitly select ACPI_PCI 2025-08-05 17:30:45 +02:00
ide qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
input vhost-user: return failure if backend crash when live migration 2025-05-14 05:39:15 -04:00
intc hw/intc/loongarch_pch_pic: Fix ubsan warning and endianness issue 2025-09-11 12:26:08 +03:00
ipack qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
ipmi qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
isa hw/isa/ich9: Remove stray empty comment 2025-05-09 23:49:26 +03:00
loongarch acpi: Add machine option to disable SPCR table 2025-07-14 09:16:40 -04:00
m68k qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
mem hw/cxl: mailbox-utils: 0x5604 - FMAPI Initiate DC Add 2025-07-15 02:56:40 -04:00
microblaze hw/microblaze: Add missing FDT dependency 2025-07-15 00:24:26 +02:00
mips hw/mips: Restrict ITU to TCG 2025-07-15 00:24:26 +02:00
misc hw/misc/max78000_aes: Comment Internal Key Storage 2025-07-21 10:07:53 +01:00
net e1000e: Prevent crash from legacy interrupt firing after MSI-X enable 2025-09-04 18:26:14 +03:00
nubus qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
nvme hw/nvme: cap MDTS value for internal limitation 2025-08-11 00:17:38 -07:00
nvram hw/nvram/fw_cfg: Remove legacy FW_CFG_ORDER_OVERRIDE 2025-05-30 09:52:08 +02:00
openrisc qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
pci pcie_sriov: Fix configuration and state synchronization 2025-08-01 08:33:04 -04:00
pci-bridge qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
pci-host hw/pci-host/astro: Don't call pci_register_root_bus() in init 2025-09-26 09:58:36 +03:00
ppc hw/ppc: Fix build error with CONFIG_POWERNV disabled 2025-09-04 23:17:16 +03:00
remote qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
riscv hw/riscv/virt-acpi-build.c: Update FADT and MADT versions 2025-07-30 10:59:26 +10:00
rtc hw/rtc/mc146818rtc: Drop pre-v3 migration stream support 2025-04-30 20:44:20 +02:00
rx qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
s390x qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
scsi esp.c: only allow ESP commands permitted in the current asc_mode 2025-07-15 00:25:21 +02:00
sd hw/sd/ssi-sd: Return noise (dummy byte) when no card connected 2025-08-12 18:52:12 +02:00
sensor qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
sh4 include: Remove 'exec/exec-all.h' 2025-04-30 12:45:05 -07:00
smbios qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
sparc qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
sparc64 qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
ssi hw/ssi/aspeed_smc: Fix incorrect FMC_WDT2 register read on AST1030 2025-08-04 09:07:38 +02:00
timer hpet: return errors from realize if properties are incorrect 2025-06-06 14:32:54 +02:00
tpm qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
tricore qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
uefi hw/uefi: open json file in binary mode 2025-08-12 08:03:16 +02:00
ufs hw/ufs/lu: skip automatic zero-init of large array 2025-06-12 13:40:16 -04:00
usb hw/usb/network: Remove hardcoded 0x40 prefix in STRING_ETHADDR response 2025-09-17 23:17:39 +03:00
vfio vfio: Document 'use-legacy-x86-rom' property 2025-08-09 00:06:48 +02:00
vfio-user hw/vfio-user: add x-pci-class-code 2025-09-11 17:20:51 +03:00
virtio vhost: Do not abort on log-stop error 2025-08-01 08:33:04 -04:00
vmapple qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
watchdog qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
xen hw/xen/passthrough: add missing error-report include 2025-07-29 13:56:39 +02:00
xenpv hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
xtensa qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
Kconfig vfio-user: add vfio-user class and container 2025-06-26 08:55:38 +02:00
meson.build vfio-user: add vfio-user class and container 2025-06-26 08:55:38 +02:00