From: Stefan Weil
Date: Thu, 03 May 2012 22:58:54 +0200
Message-ID: <4FA2F18E.4020001@weilnetz.de>
In-Reply-To: <1336066583-10503-1-git-send-email-sw@weilnetz.de>
Subject: Re: [Qemu-devel] [PATCH 1.1] scsi: Add assertion for use-after-free errors
To: Paolo Bonzini
Cc: Anthony Liguori, qemu-devel@nongnu.org

On 03.05.2012 19:36, Stefan Weil wrote:
> The QEMU emulation which is currently used with Raspberry PI images
> (qemu-system-arm -M versatilepb ...) accesses memory which was freed.
>
> Valgrind output (extract):
>
> ==17857== Invalid write of size 4
> ==17857==    at 0x24EB06: scsi_req_unref (scsi-bus.c:1273)
> ==17857==    by 0x24FFAE: scsi_read_complete (scsi-disk.c:277)
> ==17857==    by 0x152ACC: bdrv_co_em_bh (block.c:3363)
> ==17857==    by 0x13D49C: qemu_bh_poll (async.c:71)
> ==17857==    by 0x211A8C: main_loop_wait (main-loop.c:503)
> ==17857==    by 0x207954: main_loop (vl.c:1555)
> ==17857==    by 0x20E9C9: main (vl.c:3653)
> ==17857==  Address 0x1c54383c is 12 bytes inside a block of size 260 free'd
> ==17857==    at 0x4824B3A: free (vg_replace_malloc.c:366)
> ==17857==    by 0x20ADFA: free_and_trace (vl.c:2250)
> ==17857==    by 0x4899FC5: g_free (in /lib/libglib-2.0.so.0.2400.1)
> ==17857==    by 0x24EB3B: scsi_req_unref (scsi-bus.c:1277)
> ==17857==    by 0x24F003: scsi_req_complete (scsi-bus.c:1383)
> ==17857==    by 0x25022A: scsi_read_data (scsi-disk.c:334)
> ==17857==    by 0x24EB9F: scsi_req_continue (scsi-bus.c:1289)
> ==17857==    by 0x1C7787: lsi_do_dma (lsi53c895a.c:575)
> ==17857==    by 0x1C8CDA: lsi_execute_script (lsi53c895a.c:1147)
> ==17857==    by 0x1C74EA: lsi_resume_script (lsi53c895a.c:510)
> ==17857==    by 0x1C7ECD: lsi_transfer_data (lsi53c895a.c:746)
> ==17857==    by 0x24EC90: scsi_req_data (scsi-bus.c:1307)

Hi Paolo,

this is the result of a bisect to narrow the source of the problem:

ac6684264642f1aea7cba5c0c3907409b1f7f904 is the first bad commit
commit ac6684264642f1aea7cba5c0c3907409b1f7f904
Author: Paolo Bonzini
Date:   Thu Apr 19 11:55:28 2012 +0200

    scsi: support FUA on reads

    To force unit access on reads, flush the cache *before* doing the read.

    Signed-off-by: Paolo Bonzini

Regards,
Stefan

>
> (There are some more similar messages.)
>
> This patch adds an assertion which also detects those errors:
>
> Calling scsi_req_unref is not allowed when the previous call
> of that function has decremented refcount to 0, because in this
> case req was freed.
>
> Signed-off-by: Stefan Weil
> ---
>
> There are chances that this patch breaks some test scenarios,
> but that is intentional: we should not pretend that there are
> no errors when there are some.
>
> The Raspberry PI emulation with QEMU is currently used by
> a lot of people.
>
> Please apply this patch for the tests of QEMU 1.1.
>
> Of course we should also fix the problem which triggers the
> assertion. I still don't know whether it is caused by
> lsi53c895a.c or by the scsi code.

It is the scsi code, see git bisect result.
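Added illustration, not code from the patch or from QEMU: a minimal refcounted request in C with the kind of assertion the mail proposes for scsi_req_unref, plus the defensive pattern of pinning a request with an extra reference across a call that may complete it. Req, req_new, req_ref, req_unref and read_complete_safe are hypothetical stand-ins for the QEMU functions named in the trace, and freed_objects is a constructed counter so the outcome can be checked.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical stand-in for QEMU's SCSIRequest: only the refcount matters. */
typedef struct Req {
    int refcount;
} Req;

static int freed_objects;   /* counts frees so a caller can check the lifetime ended once */

static Req *req_new(void)
{
    Req *r = calloc(1, sizeof *r);
    r->refcount = 1;        /* the owner holds the initial reference */
    return r;
}

static Req *req_ref(Req *r)
{
    assert(r->refcount > 0); /* a ref on a released object is the same bug */
    r->refcount++;
    return r;
}

/* The check the mail proposes for scsi_req_unref: if a previous unref already
 * dropped the count to zero the object was freed, so fail loudly here rather
 * than write into freed memory (the "Invalid write" in the Valgrind trace). */
static void req_unref(Req *r)
{
    assert(r->refcount > 0);
    if (--r->refcount == 0) {
        freed_objects++;
        free(r);
    }
}

/* Completion handler written defensively. The unsafe shape in the trace is
 * "complete (which drops the owner's reference), then unref again": the
 * first drop may already have freed the request. Pinning it with our own
 * reference first keeps it alive until our final unref. Returns how many
 * objects this call freed (expected: exactly one). */
static int read_complete_safe(Req *r)
{
    int before = freed_objects;
    req_ref(r);        /* pin across the call that may drop the owner's ref */
    req_unref(r);      /* what scsi_req_complete does: owner's reference gone */
    req_unref(r);      /* release the pin: this is the final reference, frees */
    return freed_objects - before;
}
```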