From: "Alex Bennée" <alex.bennee@linaro.org>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org,
Richard Henderson <richard.henderson@linaro.org>,
Helge Deller <deller@gmx.de>
Subject: Re: [PATCH 2/2] hw/pci-host/astro: Don't call pci_regsiter_root_bus() in init
Date: Mon, 22 Sep 2025 10:18:56 +0100 [thread overview]
Message-ID: <87ms6mq1z3.fsf@draig.linaro.org> (raw)
In-Reply-To: <20250918114259.1802337-3-peter.maydell@linaro.org> (Peter Maydell's message of "Thu, 18 Sep 2025 12:42:59 +0100")
Peter Maydell <peter.maydell@linaro.org> writes:
> In the astro PCI host bridge device, we call pci_register_root_bus()
> in the device's instance_init. This is a problem for two reasons:
> * the PCI bridge is then available to the rest of the simulation
>   (e.g. via pci_qdev_find_device()), even though it hasn't
>   yet been realized
> * we do not attempt to unregister in an instance_deinit,
>   which means that if you go through an instance_init -> deinit
>   lifecycle the freed memory for the host-bridge device is
>   left on the pci_host_bridges list
>
> ASAN reports the resulting use-after-free:
>
> ==1776584==ERROR: AddressSanitizer: heap-use-after-free on address 0x51f00000cb00 at pc 0x5b2d460a89b5 bp 0x7ffef7617f50 sp 0x7ffef7617f48
> WRITE of size 8 at 0x51f00000cb00 thread T0
> #0 0x5b2d460a89b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
> #1 0x5b2d46093566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
> #2 0x5b2d460935e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
> #3 0x5b2d46093fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
> #4 0x5b2d46fe2335 in elroy_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/astro.c:455:16
>
> 0x51f00000cb00 is located 1664 bytes inside of 3456-byte region [0x51f00000c480,0x51f00000d200)
> freed by thread T0 here:
> #0 0x5b2d4582385a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
> #1 0x5b2d47160723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
> #2 0x5b2d471589db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
> #3 0x5b2d477d373c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5
>
> previously allocated by thread T0 here:
> #0 0x5b2d45823af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
> #1 0x79728fa08b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
> #2 0x5b2d471595fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
> #3 0x5b2d47159409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
> #4 0x5b2d477d29a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11
>
> Cc: qemu-stable@nongnu.org
> Fixes: e029bb00a79be ("hw/pci-host: Add Astro system bus adapter found on PA-RISC machines")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
with the typo fix:
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
--
Alex Bennée
Virtualisation Tech Lead @ Linaro
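As an added illustration (not code from the patch or from QEMU), here is a constructed C model of the lifecycle the commit message describes: a global registry standing in for pci_host_bridges, a buggy device that registers itself in instance_init and never unregisters, and the corrected pattern that registers only in realize and unregisters in the mirroring unrealize step. Every name here (registry, buggy_init, fixed_realize, ...) is made up for the model; the init-then-finalize path without a realize is what qmp_device_list_properties does in the quoted ASAN trace.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model (not QEMU code) of the object lifecycle in the commit
 * message. 'registry' stands in for the global pci_host_bridges list; it
 * holds bare pointers, so counting entries never dereferences freed memory. */
#define MAX_BRIDGES 8
struct bridge { int id; };
static struct bridge *registry[MAX_BRIDGES];
static int registry_len;

static void registry_add(struct bridge *b) { registry[registry_len++] = b; }
static void registry_remove(struct bridge *b)
{
    for (int i = 0; i < registry_len; i++)
        if (registry[i] == b) { registry[i] = registry[--registry_len]; return; }
}

/* Buggy pattern: register in instance_init, never unregister. */
static struct bridge *buggy_init(void)
{
    struct bridge *b = calloc(1, sizeof(struct bridge));
    registry_add(b);   /* visible to the rest of the simulation before realize */
    return b;
}
static void buggy_finalize(struct bridge *b) { free(b); }  /* entry left dangling */

/* Fixed pattern: register in realize, unregister in unrealize (assumed mirror). */
static struct bridge *fixed_init(void) { return calloc(1, sizeof(struct bridge)); }
static void fixed_realize(struct bridge *b) { registry_add(b); }
static void fixed_unrealize(struct bridge *b) { registry_remove(b); }
static void fixed_finalize(struct bridge *b) { free(b); }

/* The path that exposed the bug: instantiate an object only to introspect its
 * properties, then drop it without ever realizing it. Returns how many
 * registry entries outlive the object (1 for buggy, 0 for fixed). */
int dangling_after_list_properties(bool fixed)
{
    registry_len = 0;
    if (fixed) fixed_finalize(fixed_init()); else buggy_finalize(buggy_init());
    return registry_len;
}

/* Normal realized lifecycle with the fixed pattern: the bridge is on the
 * registry only while realized. Returns 10 * (count while realized) + count after. */
int fixed_registered_while_realized(void)
{
    registry_len = 0;
    struct bridge *b = fixed_init();
    fixed_realize(b);
    int while_realized = registry_len;
    fixed_unrealize(b);
    fixed_finalize(b);
    return while_realized * 10 + registry_len;
}
```

The buggy path leaves a stale pointer in the registry after free, which is exactly what a later traversal (the WRITE in pci_host_bus_register in the trace) turns into a heap-use-after-free.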