
[BUG Report] Got a use-after-free error while start arm64 VM with lots of pci controllers


From: Pan Nengyuan
Subject: [BUG Report] Got a use-after-free error while start arm64 VM with lots of pci controllers
Date: Fri, 17 Jan 2020 16:18:49 +0800
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2

Hi,

We got a use-after-free report in our Euler Robot Test; it can be reproduced
quite easily by starting a VM with lots of PCI controllers and virtio-scsi
devices.
You can find the full QEMU log in the attachment.
We have analyzed the log and worked out the rough process of how it happened, but
don't know how to fix it.

Could anyone help to fix it?

The key message is shown below:
har device redirected to /dev/pts/1 (label charserial0)
==1517174==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
=================================================================
==1517174==ERROR: AddressSanitizer: heap-use-after-free on address 0xfffc31a002a0 at pc 0xaaad73e1f668 bp 0xfffc319fddb0 sp 0xfffc319fddd0
READ of size 8 at 0xfffc31a002a0 thread T1
    #0 0xaaad73e1f667 in memory_region_unref /home/qemu/memory.c:1771
    #1 0xaaad73e1f667 in flatview_destroy /home/qemu/memory.c:291
    #2 0xaaad74adc85b in call_rcu_thread util/rcu.c:283
    #3 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
    #4 0xfffc3a1678bb  (/lib64/libpthread.so.0+0x78bb)
    #5 0xfffc3a0a616b  (/lib64/libc.so.6+0xd616b)

0xfffc31a002a0 is located 544 bytes inside of 1440-byte region [0xfffc31a00080,0xfffc31a00620)
freed by thread T37 (CPU 0/KVM) here:
    #0 0xfffc3c102e23 in free (/lib64/libasan.so.4+0xd2e23)
    #1 0xfffc3bbc729f in g_free (/lib64/libglib-2.0.so.0+0x5729f)
    #2 0xaaad745cce03 in pci_bridge_update_mappings hw/pci/pci_bridge.c:245
    #3 0xaaad745ccf33 in pci_bridge_write_config hw/pci/pci_bridge.c:271
    #4 0xaaad745ba867 in pci_bridge_dev_write_config hw/pci-bridge/pci_bridge_dev.c:153
    #5 0xaaad745d6013 in pci_host_config_write_common hw/pci/pci_host.c:81
    #6 0xaaad73e2346f in memory_region_write_accessor /home/qemu/memory.c:483
    #7 0xaaad73e1d9ff in access_with_adjusted_size /home/qemu/memory.c:544
    #8 0xaaad73e28d1f in memory_region_dispatch_write /home/qemu/memory.c:1482
    #9 0xaaad73d7274f in flatview_write_continue /home/qemu/exec.c:3167
    #10 0xaaad73d72a53 in flatview_write /home/qemu/exec.c:3207
    #11 0xaaad73d7c8c3 in address_space_write /home/qemu/exec.c:3297
    #12 0xaaad73e5059b in kvm_cpu_exec /home/qemu/accel/kvm/kvm-all.c:2386
    #13 0xaaad73e07ac7 in qemu_kvm_cpu_thread_fn /home/qemu/cpus.c:1246
    #14 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
    #15 0xfffc3a1678bb  (/lib64/libpthread.so.0+0x78bb)
    #16 0xfffc3a0a616b  (/lib64/libc.so.6+0xd616b)

previously allocated by thread T0 here:
    #0 0xfffc3c1031cb in __interceptor_malloc (/lib64/libasan.so.4+0xd31cb)
    #1 0xfffc3bbc7163 in g_malloc (/lib64/libglib-2.0.so.0+0x57163)
    #2 0xaaad745ccb57 in pci_bridge_region_init hw/pci/pci_bridge.c:188
    #3 0xaaad745cd8cb in pci_bridge_initfn hw/pci/pci_bridge.c:385
    #4 0xaaad745baaf3 in pci_bridge_dev_realize hw/pci-bridge/pci_bridge_dev.c:64
    #5 0xaaad745cacd7 in pci_qdev_realize hw/pci/pci.c:2095
    #6 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
    #7 0xaaad7485ed23 in property_set_bool qom/object.c:2102
    #8 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
    #9 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
    #10 0xaaad742a53b7 in qdev_device_add /home/qemu/qdev-monitor.c:675
    #11 0xaaad742a9c7b in device_init_func /home/qemu/vl.c:2074
    #12 0xaaad74ad4d33 in qemu_opts_foreach util/qemu-option.c:1170
    #13 0xaaad73d60c17 in main /home/qemu/vl.c:4313
    #14 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
    #15 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

Thread T1 created by T0 here:
    #0 0xfffc3c068f6f in __interceptor_pthread_create (/lib64/libasan.so.4+0x38f6f)
    #1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
    #2 0xaaad74adc6a7 in rcu_init_complete util/rcu.c:326
    #3 0xaaad74bab2a7 in __libc_csu_init (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x17cb2a7)
    #4 0xfffc39ff0b47 in __libc_start_main (/lib64/libc.so.6+0x20b47)
    #5 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

Thread T37 (CPU 0/KVM) created by T0 here:
    #0 0xfffc3c068f6f in __interceptor_pthread_create (/lib64/libasan.so.4+0x38f6f)
    #1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
    #2 0xaaad73e09b0f in qemu_dummy_start_vcpu /home/qemu/cpus.c:2045
    #3 0xaaad73e09b0f in qemu_init_vcpu /home/qemu/cpus.c:2077
    #4 0xaaad740d36b7 in arm_cpu_realizefn /home/qemu/target/arm/cpu.c:1712
    #5 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
    #6 0xaaad7485ed23 in property_set_bool qom/object.c:2102
    #7 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
    #8 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
    #9 0xaaad73fe3e67 in machvirt_init /home/qemu/hw/arm/virt.c:1682
    #10 0xaaad743acfc7 in machine_run_board_init hw/core/machine.c:1077
    #11 0xaaad73d60b73 in main /home/qemu/vl.c:4292
    #12 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
    #13 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

SUMMARY: AddressSanitizer: heap-use-after-free /home/qemu/memory.c:1771 in memory_region_unref

Thanks

Attachment: use-after-free-qemu.log
Description: Text document
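The trace above shows the shape of the bug without naming a fix: the region is allocated in pci_bridge_region_init, freed synchronously by g_free() in pci_bridge_update_mappings on the vCPU thread, and later unref'd by flatview_destroy on the RCU thread once the deferred teardown runs. The following C model is an added illustration, not QEMU code and not part of the report; it borrows the function names from the trace but replaces QEMU's object/RCU machinery with a single-threaded deferred-callback queue and a freed flag, so the stale access is counted instead of crashing. The "fixed" variant shows the refcount discipline that avoids the hazard in this model (the owner drops only its own reference and the deferred callback reclaims the region); it is an assumption for illustration, not a claim about how the QEMU maintainers resolved this report.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_RCU 16

/* Constructed model of a memory region: refcounted, with a "freed" marker in
 * place of a real free() so that a later access can be observed, not crash. */
typedef struct MemRegion {
    int refcount;   /* outstanding references: owner plus each view */
    int freed;      /* 1 once the region was "returned to the allocator" */
    int uaf_hits;   /* accesses after free, i.e. what ASan would report */
} MemRegion;

typedef struct FlatView {
    MemRegion *mr;  /* region mapped by the view; the view holds one reference */
} FlatView;

/* Deferred work queue standing in for call_rcu()/call_rcu_thread(). */
typedef void (*rcu_fn)(void *);
static struct { rcu_fn fn; void *arg; } rcu_queue[MAX_RCU];
static int rcu_len;

static void call_rcu(rcu_fn fn, void *arg)
{
    if (rcu_len < MAX_RCU) {
        rcu_queue[rcu_len].fn = fn;
        rcu_queue[rcu_len].arg = arg;
        rcu_len++;
    }
}

/* Runs the queued callbacks: the point where the RCU thread's grace period ends. */
static void drain_rcu(void)
{
    for (int i = 0; i < rcu_len; i++) {
        rcu_queue[i].fn(rcu_queue[i].arg);
    }
    rcu_len = 0;
}

static void memory_region_ref(MemRegion *mr) { mr->refcount++; }

static void memory_region_unref(MemRegion *mr)
{
    if (mr->freed) {        /* the read on a freed region flagged at memory.c:1771 */
        mr->uaf_hits++;
        return;
    }
    if (--mr->refcount == 0) {
        mr->freed = 1;      /* last reference dropped: reclaim the region */
    }
}

/* Deferred teardown of a view, as flatview_destroy in the trace. */
static void flatview_destroy(void *arg)
{
    FlatView *fv = arg;
    memory_region_unref(fv->mr);
    free(fv);
}

static FlatView *flatview_new(MemRegion *mr)
{
    FlatView *fv = malloc(sizeof *fv);
    if (!fv) abort();
    fv->mr = mr;
    memory_region_ref(mr);   /* the view keeps the region alive on its own */
    return fv;
}

/* Buggy owner: schedules the view's teardown, then frees the region at once
 * while the view still holds a reference.  Returns the number of stale accesses. */
int bridge_update_buggy(void)
{
    MemRegion mr = { 1, 0, 0 };
    FlatView *fv = flatview_new(&mr);   /* refcount 2 */
    call_rcu(flatview_destroy, fv);     /* teardown deferred past the grace period */
    mr.freed = 1;                       /* synchronous free: the bug */
    drain_rcu();                        /* RCU thread now unrefs a freed region */
    return mr.uaf_hits;                 /* 1 */
}

/* Corrected owner: drops only its own reference; the deferred callback drops
 * the last one.  Returns 1 when the region outlived the teardown cleanly. */
int bridge_update_fixed(void)
{
    MemRegion mr = { 1, 0, 0 };
    FlatView *fv = flatview_new(&mr);   /* refcount 2 */
    call_rcu(flatview_destroy, fv);
    memory_region_unref(&mr);           /* 2 -> 1: still alive for the view */
    int alive_until_drain = !mr.freed;
    drain_rcu();                        /* 1 -> 0: reclaimed after the grace period */
    return alive_until_drain && mr.freed && mr.uaf_hits == 0;   /* 1 */
}

int main(void)
{
    printf("buggy: %d stale access(es) from the deferred teardown\n", bridge_update_buggy());
    printf("fixed: %s\n", bridge_update_fixed() ? "region reclaimed only after teardown" : "FAIL");
    return 0;
}
```

The model keeps the region on the stack and never calls free() on it, so the buggy path reports the hazard as a count rather than tripping a sanitizer; under a real allocator the same ordering is exactly what the ASan "freed by thread T37 ... READ ... thread T1" pair above records.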

