Date: Thu, 20 Sep 2012 17:00:05 +0000
From: "Serge E. Hallyn"
Message-ID: <20120920170005.GA25890@mail.hallyn.com>
Subject: [Qemu-devel] assert and crash on hot-unplug
To: qemu-devel@nongnu.org

Hi,

a regression test of CVE-2011-1751 (fixed by 505597e4476a6bc219d0ec1362b760d71cb4fdca) found that when writing 2 to 0xae08, qemu-system-i386 crashes with

ERROR:qom/object.c:386:object_finalize: assertion failed: (obj->ref == 0)

A simple way to reproduce this (in qemu 1.1 or 1.2) is:

serge@ubuntu:~/qa-regression-testing/scripts$ ~/src/qemu/i386-softmmu/qemu-system-i386 -usb -monitor stdio -vnc :1 -hda x.img
QEMU 1.2.50 monitor - type 'help' for more information
(qemu) o 0xae08 2
**
ERROR:qom/object.c:386:object_finalize: assertion failed: (obj->ref == 0)
Aborted (core dumped)

I don't think it's a regression of the CVE, as some added printfs show it is the usb controller which is being unplugged (dev 1, fn 2, not dev 1 fn 3).

  Bus  0, device   1, function 2:
    USB controller: PCI device 8086:7020
      IRQ 11.
      BAR4: I/O at 0xc040 [0xc05f].
      id ""
  Bus  0, device   1, function 3:
    Bridge: PCI device 8086:7113
      IRQ 9.
      id ""

-serge
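The report pins the crash on which PCI function the port write actually ejects, and that mapping is easy to get wrong by hand. The following Python is an added example, written here as a helper for this kind of regression test; it is not Serge's script and not QEMU code. It parses the `info pci` listing quoted above (reconstructed in the monitor's multi-line layout) and decodes a write to 0xae08 into the slot it targets. Two things are assumptions labelled in the code: that 0xae08 is the PIIX4 ACPI eject register and that bit n of the written value names PCI slot (device) n, which is how the value 2 in the report lands on device 1; and the `NON_HOTPLUGGABLE_SLOTS` policy (slots 0 and 1 hold the chipset on this board) is a hypothetical test policy, not something the report states.

```python
import re
from typing import Dict, List, Tuple

# Assumption: PIIX4 ACPI PCI hotplug eject register. A write here is a slot
# bitmask requesting an eject. Only the port number 0xae08 appears in the report.
PCI_EJ_BASE = 0xAE08

# Constructed sample: the `info pci` entries quoted in the report, laid out the
# way the QEMU monitor prints them.
SAMPLE_INFO_PCI = """\
  Bus  0, device   1, function 2:
    USB controller: PCI device 8086:7020
      IRQ 11.
      BAR4: I/O at 0xc040 [0xc05f].
      id ""
  Bus  0, device   1, function 3:
    Bridge: PCI device 8086:7113
      IRQ 9.
      id ""
"""

# Hypothetical test policy: slots occupied by the chipset itself must never be
# ejected through the hotplug register (device 1 holds the PIIX3 functions here).
NON_HOTPLUGGABLE_SLOTS = {0, 1}

_HDR = re.compile(r"^\s*Bus\s+(\d+), device\s+(\d+), function\s+(\d+):")


def parse_info_pci(text: str) -> List[Dict[str, object]]:
    """Turn `info pci` output into a list of {bus, dev, fn, desc} records.

    The description is the line that follows each "Bus .., device .., function ..:" header.
    """
    devices: List[Dict[str, object]] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _HDR.match(line)
        if not m:
            continue
        desc = lines[i + 1].strip() if i + 1 < len(lines) else ""
        devices.append({"bus": int(m.group(1)), "dev": int(m.group(2)),
                        "fn": int(m.group(3)), "desc": desc})
    return devices


def eject_mask_to_slots(mask: int) -> List[int]:
    """Assumption: bit n of a PCI_EJ_BASE write selects PCI slot (device) n."""
    return [n for n in range(32) if mask & (1 << n)]


def affected_functions(info_pci: str, port: int, value: int) -> List[Tuple[int, int, str]]:
    """List the (dev, fn, desc) entries on bus 0 that a port write would eject."""
    if port != PCI_EJ_BASE:
        return []
    slots = set(eject_mask_to_slots(value))
    return [(d["dev"], d["fn"], d["desc"]) for d in parse_info_pci(info_pci)
            if d["bus"] == 0 and d["dev"] in slots]


def check_write(info_pci: str, port: int, value: int) -> List[str]:
    """One finding per function the write would eject that policy says must stay."""
    return [f"dev {dev} fn {fn} ({desc}) is not hotpluggable"
            for dev, fn, desc in affected_functions(info_pci, port, value)
            if dev in NON_HOTPLUGGABLE_SLOTS]


if __name__ == "__main__":
    # The write from the report, `o 0xae08 2`: bit 1 -> slot 1 -> functions 2 and 3.
    for finding in check_write(SAMPLE_INFO_PCI, 0xAE08, 2):
        print(finding)
```

Running it against the sample prints two findings, one for the USB controller (fn 2) and one for the bridge (fn 3): the write names the whole slot, so a test that only expects the ACPI function at fn 3 to be involved will misread which object is being finalized.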