[Qemu-devel] qemu_malloc failing

[Qemu-devel] qemu_malloc failing

[Brad Hards]

Hi,

I'm trying to investigate a bug (crash) that I see when attaching a USB device
(a UVC webcam) from the host to the guest.

I'm running it as:
sudo gdb --args /opt/bin/qemu -hda ubuntu-test -name kubuntu-qemu -usb -device usb-tablet -m 1024 -serial stdio -usbdevice host:0c45:6450

(I've tried running with -m 512 too, not discernibly different).

Host and guest are the same - kubuntu 10.10. The device works fine on the host.

The guest runs for a while, and has no ill-effects (that I've seen) until I try
to use the webcam. If I open the device (using cheese or luvcview), I see some
traffic, then qemu segfaults:


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5a4e66c in malloc_consolidate (av=0x7ffff5d55e40) at malloc.c:5161
5161    malloc.c: No such file or directory.
        in malloc.c
(gdb) bt
#0  0x00007ffff5a4e66c in malloc_consolidate (av=0x7ffff5d55e40) at malloc.c:5161
#1  0x00007ffff5a51e82 in _int_malloc (av=0x7ffff5d55e40, bytes=2128) at malloc.c:4373
#2  0x00007ffff5a5338e in __libc_malloc (bytes=2128) at malloc.c:3660
#3  0x000000000042b3d6 in qemu_malloc (size=2128) at qemu-malloc.c:49
#4  0x000000000056100f in uhci_async_alloc (s=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:167
#5  0x00000000005620d4 in uhci_handle_td (s=0x15dcc10, addr=684474656, td=0x7fffffffdf80, int_mask=0x7fffffffdfac) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:808
#6  0x0000000000562665 in uhci_process_frame (s=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:1007
#7  0x00000000005628a8 in uhci_frame_timer (opaque=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:1092
#8  0x00000000004da94c in qemu_run_timers (clock=0x1171ff0) at qemu-timer.c:505
#9  0x00000000004dac0c in qemu_run_all_timers () at qemu-timer.c:616
#10 0x00000000005484c2 in main_loop_wait (nonblocking=1) at /home/bradh/qemu-codingstyle.git/vl.c:1324
#11 0x0000000000548549 in main_loop () at /home/bradh/qemu-codingstyle.git/vl.c:1365
#12 0x000000000054c725 in main (argc=14, argv=0x7fffffffe648, envp=0x7fffffffe6c0) at /home/bradh/qemu-codingstyle.git/vl.c:3195

Line 167 in hw/usb-uhci.c is in in static UHCIAsync *uhci_async_alloc(UHCIState *s)
It looks like:
	UHCIAsync *async = qemu_malloc(sizeof(UHCIAsync));

UHCIState is fairly large, so the size looks possible:
typedef struct UHCIState {
    PCIDevice dev;
    USBBus bus;
    uint16_t cmd; /* cmd register */
    uint16_t status;
    uint16_t intr; /* interrupt enable register */
    uint16_t frnum; /* frame number */
    uint32_t fl_base_addr; /* frame list base address */
    uint8_t sof_timing;
    uint8_t status2; /* bit 0 and 1 are used to generate UHCI_STS_USBINT */
    int64_t expire_time;
    QEMUTimer *frame_timer;
    UHCIPort ports[NB_PORTS];

    /* Interrupts that should be raised at the end of the current frame.  */
    uint32_t pending_int_mask;

    /* Active packets */
    UHCIAsync *async_pending;
    UHCIAsync *async_pool;
    uint8_t num_ports_vmstate;
} UHCIState;

Line 49 in qemu_malloc.c is in void *qemu_malloc(size_t size).
It looks like.
	ptr = qemu_oom_check(malloc(size ? size : 1));

So I guess malloc is failing. However I don't see how / why. The host is a laptop
machine with 6G RAM, and it appears to remain quite responsive. 

Any suggestions on how to proceed with debugging this?

Brad

Re: [Qemu-devel] qemu_malloc failing

[Mulyadi Santosa]

Hi...

On Sun, Apr 10, 2011 at 09:08, Brad Hards <bradh@frogmouth.net> wrote:
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff5a4e66c in malloc_consolidate (av=0x7ffff5d55e40) at malloc.c:5161
> 5161    malloc.c: No such file or directory.
>        in malloc.c
> (gdb) bt
> #0  0x00007ffff5a4e66c in malloc_consolidate (av=0x7ffff5d55e40) at malloc.c:5161
> #1  0x00007ffff5a51e82 in _int_malloc (av=0x7ffff5d55e40, bytes=2128) at malloc.c:4373
> #2  0x00007ffff5a5338e in __libc_malloc (bytes=2128) at malloc.c:3660
> #3  0x000000000042b3d6 in qemu_malloc (size=2128) at qemu-malloc.c:49
> #4  0x000000000056100f in uhci_async_alloc (s=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:167

looking at:
http://www.linuxquestions.org/questions/programming-9/segfault-in-malloc_consolidate-363048/

and

http://www.linuxquestions.org/questions/linux-general-1/malloc_consolidate-757663/

I feel that it's somekind double free or data overwriting the malloc
metadata.... thus causing trouble during memory block coalescing...

First thing I suggest is to check if malloc() is always followed by
proper free().... and then see how much we really fill data into that
allocated block (think about malloc exploit explained in Phrack...)

-- 
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com

Re: [Qemu-devel] qemu_malloc failing

[Stefan Hajnoczi]

On Sun, Apr 10, 2011 at 3:08 AM, Brad Hards <bradh@frogmouth.net> wrote:
> #3  0x000000000042b3d6 in qemu_malloc (size=2128) at qemu-malloc.c:49

It's only slightly more than 2 KB.  When malloc(3) fails it returns
NULL, it doesn't crash.

As Mulyadi suggested, this looks like heap corruption.  If you have no
idea where the problem is coming from, you might like to try
valgrind(1).

Stefan