From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:60342)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1TF2ix-0002Xo-Iz
	for qemu-devel@nongnu.org; Fri, 21 Sep 2012 08:52:55 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1TF2it-0004I0-4w
	for qemu-devel@nongnu.org; Fri, 21 Sep 2012 08:52:51 -0400
Received: from mail-ob0-f173.google.com ([209.85.214.173]:41196)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1TF2it-0004Hu-01
	for qemu-devel@nongnu.org; Fri, 21 Sep 2012 08:52:47 -0400
Received: by obbta14 with SMTP id ta14so2995547obb.4
	for <qemu-devel@nongnu.org>; Fri, 21 Sep 2012 05:52:45 -0700 (PDT)
From: Anthony Liguori <anthony@codemonkey.ws>
In-Reply-To: <20120920170005.GA25890@mail.hallyn.com>
References: <20120920170005.GA25890@mail.hallyn.com>
Date: Fri, 21 Sep 2012 07:52:42 -0500
Message-ID: <87392b8rmt.fsf@codemonkey.ws>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: [Qemu-devel] assert and crash on hot-unplug
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Serge E. Hallyn" <serge@hallyn.com>, qemu-devel@nongnu.org

"Serge E. Hallyn" <serge@hallyn.com> writes:

Hi Serge,

> Hi,
>
> a regression test of CVE-2011-1751 (fixed by
> 505597e4476a6bc219d0ec1362b760d71cb4fdca) found that when writing 2 to
> 0xae08, qemu-system-i386 crashes with
>
> ERROR:qom/object.c:386:object_finalize: assertion failed: (obj->ref == 0)
>
> A simple way to reproduce this (in qemu 1.1 or 1.2) is:
>
> serge@ubuntu:~/qa-regression-testing/scripts$ ~/src/qemu/i386-softmmu/qemu-system-i386 -usb -monitor stdio -vnc :1 -hda x.img
> QEMU 1.2.50 monitor - type 'help' for more information
> (qemu) o 0xae08 2
> **
> ERROR:qom/object.c:386:object_finalize: assertion failed: (obj->ref == 0)
> Aborted (core dumped)
>
> I don't think it's a regression of the CVE, as some added printfs show it is
> the usb controller which is being unplugged (dev 1, fn 2, not dev 1 fn 3).
>
>   Bus  0, device   1, function 2:
>     USB controller: PCI device 8086:7020
>       IRQ 11.
>       BAR4: I/O at 0xc040 [0xc05f].
>       id ""
>   Bus  0, device   1, function 3:
>     Bridge: PCI device 8086:7113
>       IRQ 9.
>       id ""

Thanks, I'll take a look.

Regards,

Anthony Liguori

>
>
> -serge