From: Samuel Thibault <samuel.thibault@gnu.org>
To: Brian Candler <b.candler@pobox.com>
Cc: Stefan Hajnoczi <stefanha@gmail.com>,
	qemu-devel@nongnu.org, Jan Kiszka <jan.kiszka@siemens.com>
Subject: Re: [Qemu-devel] Crashing in tcp_close
Date: Fri, 11 Nov 2016 17:17:05 +0100	[thread overview]
Message-ID: <20161111161705.GE2417@var.home> (raw)
In-Reply-To: <02eee090-b017-dd4e-e63c-814d3d7beb72@pobox.com>

Hello,

Brian Candler, on Fri 11 Nov 2016 16:02:44 +0000, wrote:
> Aha!! Looking carefully at valgrind output, I see some definite cases of
> use-after-free in tcp_output. Does the info below help?

Ok, that's interesting. I however still don't see how that could happen
:)

> ==18350== Invalid read of size 4
> ==18350==    at 0x550B5B: if_start (if.c:230)
> ==18350==    by 0x552E6C: ip_output (ip_output.c:85)
> ==18350==    by 0x55AA31: tcp_output (tcp_output.c:469)
> ==18350==    by 0x558FD7: tcp_input (tcp_input.c:1386)
> ==18350==    by 0x55543F: slirp_input (slirp.c:867)
> ==18350==    by 0x54AFBF: net_slirp_receive (slirp.c:118)
> ==18350==    by 0x540B18: nc_sendv_compat (net.c:701)
> ==18350==    by 0x540B18: qemu_deliver_packet_iov (net.c:728)
> ==18350==    by 0x5438DA: qemu_net_queue_deliver_iov (queue.c:179)
> ==18350==    by 0x5438DA: qemu_net_queue_send_iov (queue.c:224)
> ==18350==    by 0x36B428: virtio_net_flush_tx (virtio-net.c:1282)
> ==18350==    by 0x36B624: virtio_net_tx_bh (virtio-net.c:1387)
> ==18350==    by 0x5804EC: aio_bh_call (async.c:67)
> ==18350==    by 0x5804EC: aio_bh_poll (async.c:95)
> ==18350==    by 0x58A8FF: aio_dispatch (aio-posix.c:308)

Could you increase the value given to valgrind's --num-callers= so we
can make sure of the context of this call?  Here tcp_input gets the buffer
being freed below from the slirp->tcb list, and sofree happens to drop
it from that list before calling free...

I'm wondering whether we have a kind of concurrency or recursivity here.

> ==18350==  Address 0x9eabec4 is 340 bytes inside a block of size 432 free'd
> ==18350==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==18350==    by 0x55B25E: tcp_close (tcp_subr.c:334)
> ==18350==    by 0x55C7AE: tcp_timers (tcp_timer.c:289)
> ==18350==    by 0x55C7AE: tcp_slowtimo (tcp_timer.c:89)
> ==18350==    by 0x555187: slirp_pollfds_poll (slirp.c:576)
> ==18350==    by 0x5891EB: main_loop_wait (main-loop.c:508)
> ==18350==    by 0x2F4430: main_loop (vl.c:1908)
> ==18350==    by 0x2F4430: main (vl.c:4604)

Samuel
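To make the hazard discussed above concrete (a control block unlinked and freed by a close path while an input path still holds a pointer to it), here is a small added C model with a deferred-free guard; it is not slirp's code, and struct tcb, tcb_close, tcb_release and tcp_input are hypothetical names modelled loosely on the functions in the trace.

```c
#include <stdlib.h>
/* Hypothetical model of a control-block list (not slirp's real struct). */
struct tcb {
    struct tcb *next;
    int port;
    int in_use;         /* >0 while some handler still holds a pointer to it */
    int close_pending;  /* close requested while in_use; free on last release */
};
static struct tcb *tcb_list;
static int frees;       /* how many tcbs have actually been free()d */

int tcb_frees(void) { return frees; }

struct tcb *tcb_add(int port) {
    struct tcb *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->port = port;
    t->next = tcb_list;
    tcb_list = t;
    return t;
}

struct tcb *tcb_find(int port) {
    for (struct tcb *t = tcb_list; t; t = t->next)
        if (t->port == port) return t;
    return NULL;
}

/* Close: always unlink so no new lookup can find it, but only free when
 * nobody else holds it; otherwise the last tcb_release() does the free. */
void tcb_close(struct tcb *t) {
    for (struct tcb **pp = &tcb_list; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; break; }
    if (t->in_use) { t->close_pending = 1; return; }
    free(t); frees++;
}

void tcb_release(struct tcb *t) {
    if (--t->in_use == 0 && t->close_pending) { free(t); frees++; }
}

/* Input path: a close fires while the tcb is still held (the reentrancy
 * the trace hints at). The read after the close is safe only because the
 * free was deferred; without the guard it is exactly the reported UAF. */
int tcp_input(int port) {
    struct tcb *t = tcb_find(port);
    if (!t) return -1;
    t->in_use++;
    tcb_close(t);           /* e.g. a timer or RST path closing the socket */
    int seen = t->port;     /* still valid: not freed until release */
    tcb_release(t);
    return seen;
}
```

Running the same scenario under valgrind shows no invalid read, whereas calling free() directly in tcb_close reproduces the "Invalid read ... inside a block ... free'd" report from the quoted output.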

Thread overview: 23+ messages
2016-10-20 21:53 [Qemu-devel] Crashing in tcp_close Brian Candler
2016-11-04 11:14 ` Stefan Hajnoczi
2016-11-06 18:04   ` Samuel Thibault
2016-11-07  8:42     ` Brian Candler
2016-11-07  9:33       ` Brian Candler
2016-11-07 10:42       ` Stefan Hajnoczi
2016-11-07 11:09         ` Brian Candler
2016-11-07 13:57           ` Stefan Hajnoczi
2016-11-07 20:52           ` Brian Candler
2016-11-08 16:03             ` Stefan Hajnoczi
2016-11-08 17:31             ` Brian Candler
2016-11-08 21:22         ` Brian Candler
2016-11-09 11:27           ` Stefan Hajnoczi
2016-11-11 15:02             ` Brian Candler
2016-11-11 16:02               ` Brian Candler
2016-11-11 16:17                 ` Samuel Thibault [this message]
2016-11-11 20:53                   ` Brian Candler
2016-11-11 22:09                     ` Samuel Thibault
2016-11-12  9:33                       ` Brian Candler
2016-11-12  9:54                         ` Brian Candler
2016-11-12 10:44                         ` Samuel Thibault
2016-11-13 11:55                           ` Brian Candler
2016-11-14 13:47                             ` Stefan Hajnoczi
