From: "Alex Bennée" <alex.bennee@linaro.org>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: fam@euphon.net, berrange@redhat.com, "Michael S. Tsirkin" <mst@redhat.com>, Bug 1878645 <1878645@bugs.launchpad.net>, richard.henderson@linaro.org, qemu-devel@nongnu.org, cota@braap.org, aurelien@aurel32.net
Subject: Re: [PATCH v4 01/40] hw/isa: check for current_cpu before generating IRQ
Date: Wed, 01 Jul 2020 18:09:48 +0100
Message-ID: <87k0znqi03.fsf@linaro.org>
In-Reply-To: <838d4d01-cd9e-d74a-5cd2-b23644172c9f@redhat.com>

Philippe Mathieu-Daudé <philmd@redhat.com> writes:

> On 7/1/20 6:40 PM, Alex Bennée wrote:
>>
>> Philippe Mathieu-Daudé <philmd@redhat.com> writes:
>>
>>> On 7/1/20 3:56 PM, Alex Bennée wrote:
>>>> It's possible to trigger this function from qtest/monitor at which
>>>> point current_cpu won't point at the right place. Check it and
>>>> fall back to first_cpu if it's NULL.
>>>>
>>>> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
>>>> Cc: Bug 1878645 <1878645@bugs.launchpad.net>
>>>> ---
>>>>  hw/isa/lpc_ich9.c | 2 +-
>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/hw/isa/lpc_ich9.c b/hw/isa/lpc_ich9.c
>>>> index cd6e169d47a..791c878eb0b 100644
>>>> --- a/hw/isa/lpc_ich9.c
>>>> +++ b/hw/isa/lpc_ich9.c
>>>> @@ -439,7 +439,7 @@ static void ich9_apm_ctrl_changed(uint32_t val, void *arg)
>>>> cpu_interrupt(cs, CPU_INTERRUPT_SMI);
>>>> }
>>>> } else {
>>>> - cpu_interrupt(current_cpu, CPU_INTERRUPT_SMI);
>>>> + cpu_interrupt(current_cpu ? current_cpu : first_cpu, CPU_INTERRUPT_SMI);
>>>
>>> I'm not sure this changes anything, as first_cpu is NULL when using
>>> qtest accelerator or none-machine, see 508b4ecc39 ("gdbstub.c: fix
>>> GDB connection segfault caused by empty machines").
>>
>> Good point - anyway feel free to ignore - it shouldn't have been in this
>> series. It was just some random experimentation I was doing when looking
>> at that bug.
>
> See commit c781a2cc42 ("hw/i386/vmport: Allow QTest use without
> crashing") for a similar approach, but here I was thinking about
> a more generic fix, not very intrusive:
>
> -- >8 --
> diff --git a/hw/isa/apm.c b/hw/isa/apm.c
> index bce266b957..809afeb3e4 100644
> --- a/hw/isa/apm.c
> +++ b/hw/isa/apm.c
> @@ -40,7 +40,7 @@ static void apm_ioport_writeb(void *opaque, hwaddr
> addr, uint64_t val,
> if (addr == 0) {
> apm->apmc = val;
>
> - if (apm->callback) {
> + if (apm->callback && !qtest_enabled()) {
> (apm->callback)(val, apm->arg);
> }

But the other failure mode reported on the bug thread was via the monitor
- so I'm not sure just checking for qtest catches that.

> } else {
> ---

--
Alex Bennée
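Review bot: the `+` line in the hw/isa/lpc_ich9.c hunk still hands cpu_interrupt() a NULL CPUState whenever both current_cpu and first_cpu are NULL, which is exactly the configuration Philippe names (qtest accelerator or the none machine, per 508b4ecc39), so the reported dereference survives the change. Check the chosen pointer rather than only substituting it, along the lines of `CPUState *target = current_cpu ? current_cpu : first_cpu; if (target) { cpu_interrupt(target, CPU_INTERRUPT_SMI); }`, and have the commit message say what the device does when no vCPU exists at all instead of only "fall back to first_cpu if it's NULL".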
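Review bot: the `+ if (apm->callback && !qtest_enabled()) {` line in the hw/isa/apm.c hunk gates on the wrong condition: it suppresses the APM callback for every qtest run, so qtest-driven device tests lose the SMI path entirely, while the monitor-triggered variant Alex mentions from the bug thread is not a qtest run and passes the check unchanged. Guarding on the precondition that is actually missing (a NULL current_cpu at the point where ich9_apm_ctrl_changed raises the interrupt) would cover both entry points without changing behaviour for tests that do have a vCPU. The hunk also adds no include for qtest_enabled(), so confirm hw/isa/apm.c already pulls in the header that declares it.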
https://bugs.launchpad.net/bugs/1878645

Title:
  null-ptr dereference in ich9_apm_ctrl_changed

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input which triggers a NULL pointer dereference
  in tcg_handle_interrupt. It seems the culprit is a "cpu" pointer - maybe
  this bug is specific to QTest?

  ==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 (pc 0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0)
  ==23862==The signal is caused by a READ memory access.
  ==23862==Hint: address points to the zero page.
      #0 0x55b9dc7c9dce in tcg_handle_interrupt /home/alxndr/Development/qemu/accel/tcg/tcg-all.c:57:21
      #1 0x55b9dc904799 in cpu_interrupt /home/alxndr/Development/qemu/include/hw/core/cpu.h:872:5
      #2 0x55b9dc9085e8 in ich9_apm_ctrl_changed /home/alxndr/Development/qemu/hw/isa/lpc_ich9.c:442:13
      #3 0x55b9dd19cdc8 in apm_ioport_writeb /home/alxndr/Development/qemu/hw/isa/apm.c:50:13
      #4 0x55b9dc73f8b4 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
      #5 0x55b9dc73f289 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
      #6 0x55b9dc73ddf5 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
      #7 0x55b9dc577bf3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
      #8 0x55b9dc567ad8 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
      #9 0x55b9dc567608 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
      #10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c:60:5
      #11 0x55b9dc72d3c0 in qtest_process_command /home/alxndr/Development/qemu/qtest.c:392:13
      #12 0x55b9dc72b186 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
      #13 0x55b9dc72a8b3 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
      #14 0x55b9ddc6e60b in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
      #15 0x55b9ddc6e75a in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
      #16 0x55b9ddc77979 in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
      #17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
      #18 0x7f7161eac897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
      #19 0x55b9ddebcb84 in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
      #20 0x55b9ddebb57d in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
      #21 0x55b9ddebb176 in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
      #22 0x55b9dcb4bd1d in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
      #23 0x55b9ddd1629c in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
      #24 0x7f7160a5ce0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
      #25 0x55b9dc49c819 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819)

  I can reproduce this in qemu 5.0 built with AddressSanitizer using these
  qtest commands:

  cat << EOF | ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xaa215d6d
  outl 0x6d30 0x2ef8ffbe
  outb 0xb2 0x20
  EOF

  Please let me know if I can provide any further info.
  -Alex