From: "Alex Bennée" <alex.bennee@linaro.org>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Peter Maydell" <peter.maydell@linaro.org>, "Bug 1878645" <1878645@bugs.launchpad.net>, "QEMU Developers" <qemu-devel@nongnu.org>, "Alexander Bulekov" <alxndr@bu.edu>, "Philippe Mathieu-Daudé" <philmd@redhat.com>, "Richard Henderson" <rth@twiddle.net>
Subject: Re: [RFC PATCH] cpus: Initialize current_cpu with the first vCPU created
Date: Thu, 02 Jul 2020 11:49:29 +0100
Message-ID: <87r1tup4xy.fsf@linaro.org>
In-Reply-To: <70b04307-fe22-c9bd-3194-f2612d41e197@redhat.com>

Paolo Bonzini <pbonzini@redhat.com> writes:

> On 01/07/20 22:35, Peter Maydell wrote:
>> For the monitor, that would be the current "default cpu" as set by the
>> "cpu" command (cf monitor_set_cpu()). The bug here will be that
>> somewhere along the line we are probably missing plumbing sufficient
>> to pass down "which CPU do we want".
>
> Yeah, the fix is probably to add a function that returns either
> current_cpu or the monitor CPU, and use it in device emulation if
> applicable.
>
> The problem with current_cpu is that it affects stuff like run_on_cpu,
> and that is guaranteed to cause havoc to code that expects to run on a
> given CPU and therefore doesn't use locks.

IIRC the original reported bug was in an APM callback which was
triggered by an MMIO operation. Currently we don't expose the current
cpu via the memory dispatch routines. Should we, to ensure there is
always something valid there?

>
> Paolo

-- 
Alex Bennée
WARNING: multiple messages have this Message-ID
From: "Alex Bennée" <1878645@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1878645] Re: [RFC PATCH] cpus: Initialize current_cpu with the first vCPU created
Date: Thu, 02 Jul 2020 10:49:29 -0000
Message-ID: <87r1tup4xy.fsf@linaro.org>
Message-ID: <20200702104929.sUt-sBgnR1xx5xHflBQWRyjinRT75fdePc0bkMm9XSY@z>
In-Reply-To: 158947246472.30762.752698283456022174.malonedeb@chaenomeles.canonical.com

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878645

Title:
  null-ptr dereference in ich9_apm_ctrl_changed

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input which triggers a NULL pointer dereference
  in tcg_handle_interrupt. It seems the culprit is a "cpu" pointer - maybe
  this bug is specific to QTest?

  ==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 (pc 0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0)
  ==23862==The signal is caused by a READ memory access.
  ==23862==Hint: address points to the zero page.
      #0 0x55b9dc7c9dce in tcg_handle_interrupt /home/alxndr/Development/qemu/accel/tcg/tcg-all.c:57:21
      #1 0x55b9dc904799 in cpu_interrupt /home/alxndr/Development/qemu/include/hw/core/cpu.h:872:5
      #2 0x55b9dc9085e8 in ich9_apm_ctrl_changed /home/alxndr/Development/qemu/hw/isa/lpc_ich9.c:442:13
      #3 0x55b9dd19cdc8 in apm_ioport_writeb /home/alxndr/Development/qemu/hw/isa/apm.c:50:13
      #4 0x55b9dc73f8b4 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
      #5 0x55b9dc73f289 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
      #6 0x55b9dc73ddf5 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
      #7 0x55b9dc577bf3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
      #8 0x55b9dc567ad8 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
      #9 0x55b9dc567608 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
      #10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c:60:5
      #11 0x55b9dc72d3c0 in qtest_process_command /home/alxndr/Development/qemu/qtest.c:392:13
      #12 0x55b9dc72b186 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
      #13 0x55b9dc72a8b3 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
      #14 0x55b9ddc6e60b in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
      #15 0x55b9ddc6e75a in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
      #16 0x55b9ddc77979 in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
      #17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
      #18 0x7f7161eac897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
      #19 0x55b9ddebcb84 in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
      #20 0x55b9ddebb57d in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
      #21 0x55b9ddebb176 in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
      #22 0x55b9dcb4bd1d in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
      #23 0x55b9ddd1629c in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
      #24 0x7f7160a5ce0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
      #25 0x55b9dc49c819 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819)

  I can reproduce this in qemu 5.0 built with AddressSanitizer using these
  qtest commands:

  cat << EOF | ./qemu-system-i386 \
      -qtest stdio -nographic -monitor none -serial none \
      -M pc-q35-5.0
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xaa215d6d
  outl 0x6d30 0x2ef8ffbe
  outb 0xb2 0x20
  EOF

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878645/+subscriptions
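The qtest reproducer in the bug report, replayed against a miniature model of the ICH9 PM path together with the current_cpu guard that the reply above discusses. This is an added example, not QEMU code and not anything posted in the thread. It shows why four I/O writes reach the APM callback with no vCPU current: the first two perform a byte-granular write at LPC config register 0x41 that moves PMBASE to 0x6d00, the third sets SMI_EN (PMBASE+0x30) with APMC_EN in bit 5, and the fourth writes APM_CNT at port 0xb2 from the qtest thread, where current_cpu is NULL. The register layout (PMBASE at LPC config offset 0x40 with the base in bits 15:7, SMI_EN at PMBASE+0x30, APMC_EN bit 5, APM_CNT at 0xb2) follows the ICH9 datasheet; every struct and function name, the thread-local current_cpu stand-in, the INT_SMI bit and the policy of dropping an SMI that has no vCPU to be attributed to are assumptions of this model, not QEMU's eventual fix.

```c
/* Added example, not QEMU code: a miniature model of the ICH9 LPC/PM path the
 * qtest reproducer drives, plus the current_cpu guard the thread discusses.
 * Register offsets and bits follow the ICH9 datasheet; all names are invented. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define INT_SMI          0x04u       /* stands in for CPU_INTERRUPT_SMI */
#define LPC_PMBASE       0x40        /* PCI config offset of PMBASE */
#define PMBASE_ADDR_MASK 0xff80u     /* PMBASE bits 15:7 hold the I/O base */
#define PMIO_SMI_EN      0x30        /* SMI_EN, relative to PMBASE */
#define SMI_EN_APMC_EN   (1u << 5)   /* APM_CNT writes raise an SMI */
#define APM_CNT_IOPORT   0xb2
#define LPC_BDF          (0x1f << 3) /* bus 0, device 0x1f, function 0 */

typedef struct CPUState { uint32_t interrupt_request; } CPUState;

/* The vCPU running guest code; NULL on the qtest, monitor and main-loop threads. */
static __thread CPUState *current_cpu;

typedef struct Ich9Model {
    uint8_t  config[256];       /* LPC function PCI config space */
    uint32_t cfg_addr;          /* value latched by CONFIG_ADDRESS (0xcf8) */
    uint32_t smi_en;
    uint8_t  apm_cnt;
    bool     guard_current_cpu; /* false reproduces the crash, true is the fix */
    int      smi_dropped;       /* SMIs ignored because no vCPU was current */
} Ich9Model;

static void model_init(Ich9Model *m)
{
    memset(m, 0, sizeof *m);
    m->config[LPC_PMBASE] = 0x01;   /* PMBASE reset value: I/O-space flag */
    m->guard_current_cpu = true;
}

static uint32_t pmbase(const Ich9Model *m)
{
    const uint8_t *c = &m->config[LPC_PMBASE];
    uint32_t v = c[0] | (uint32_t)c[1] << 8 | (uint32_t)c[2] << 16 | (uint32_t)c[3] << 24;
    return v & PMBASE_ADDR_MASK;
}

/* APM_CNT callback; without the guard it is the report's NULL dereference. */
static void apm_ctrl_changed(Ich9Model *m, uint8_t val)
{
    m->apm_cnt = val;
    if (!(m->smi_en & SMI_EN_APMC_EN)) { return; }
    if (m->guard_current_cpu && !current_cpu) {
        /* No vCPU to attribute the SMI to: drop it rather than redirect it elsewhere. */
        m->smi_dropped++;
        return;
    }
    current_cpu->interrupt_request |= INT_SMI;
}

/* Little-endian I/O port write of len bytes; false if the port is unmapped. */
static bool io_write(Ich9Model *m, uint16_t port, uint32_t val, int len)
{
    if (port == 0xcf8 && len == 4) { m->cfg_addr = val; return true; }
    if (port >= 0xcfc && port <= 0xcff) {
        /* CONFIG_DATA: register = CONFIG_ADDRESS bits 7:0 plus the port's byte
         * lane, so an odd offset gives an unaligned byte-granular write.  That is
         * what lets the reproducer rewrite byte 1 of PMBASE. */
        if (!(m->cfg_addr & 0x80000000u) || ((m->cfg_addr >> 8) & 0xffff) != LPC_BDF) {
            return true;    /* enable bit clear or another device: ignored here */
        }
        unsigned reg = (m->cfg_addr & 0xff) | (port & 3);
        for (int i = 0; i < len && reg + i < sizeof m->config; i++) {
            m->config[reg + i] = (uint8_t)(val >> (8 * i));
        }
        return true;
    }
    if (port == pmbase(m) + PMIO_SMI_EN && len == 4) { m->smi_en = val; return true; }
    if (port == APM_CNT_IOPORT && len == 1) { apm_ctrl_changed(m, (uint8_t)val); return true; }
    return false;
}

/* The four qtest commands from the bug report, as constructed input to the model. */
typedef struct { uint16_t port; uint32_t val; int len; } IoOp;
static const IoOp reproducer[] = {
    { 0xcf8,  0x8400f841, 4 }, /* CONFIG_ADDRESS: 00:1f.0, register 0x41 */
    { 0xcfc,  0xaa215d6d, 4 }, /* config[0x41..0x44] = 6d 5d 21 aa -> PMBASE 0x6d00 */
    { 0x6d30, 0x2ef8ffbe, 4 }, /* SMI_EN at 0x6d00 + 0x30, bit 5 (APMC_EN) set */
    { 0xb2,   0x20,       1 }, /* APM_CNT write fires apm_ctrl_changed */
};

/* Replays the reproducer with cpu as current_cpu (NULL models the qtest path);
 * returns how many SMIs the guard dropped. */
static int replay(Ich9Model *m, CPUState *cpu)
{
    model_init(m);
    current_cpu = cpu;
    for (size_t i = 0; i < sizeof reproducer / sizeof reproducer[0]; i++) {
        io_write(m, reproducer[i].port, reproducer[i].val, reproducer[i].len);
    }
    return m->smi_dropped;
}
```

Call replay(&m, NULL) from a main() of your own: pmbase(&m) comes back as 0x6d00, m.smi_en as 0x2ef8ffbe, and the APM_CNT write is counted in smi_dropped instead of dereferencing a NULL pointer. Replaying with a real CPUState sets INT_SMI on it. Setting guard_current_cpu to false before the replay restores the unchecked dereference, which is the shape of the crash in the ASan trace. The model drops the orphaned SMI rather than substituting another CPU, because the reply above notes that redirecting to a CPU other than the one actually running guest code affects run_on_cpu and code that relies on running on a given CPU without locks.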
Thread overview (98+ messages):

2020-05-14 16:07 [Bug 1878645] [NEW] null-ptr dereference in tcg_handle_interrupt  Alexander Bulekov
2020-06-29 16:03 ` [Bug 1878645] "  Alexander Bulekov
2020-06-29 19:00 ` Alex Bennée
2020-06-29 19:00 ` Alex Bennée
2020-06-29 20:08 ` Alexander Bulekov
2020-06-29 20:08 ` Alexander Bulekov
2020-06-29 17:57 ` [Bug 1878645] Re: null-ptr dereference in ich9_apm_ctrl_changed  Philippe Mathieu-Daudé
2020-07-01 18:21 ` [RFC PATCH] cpus: Initialize current_cpu with the first vCPU created  Philippe Mathieu-Daudé
2020-07-01 18:21 ` [Bug 1878645] "  Philippe Mathieu-Daudé
2020-07-01 18:54 ` Alexander Bulekov
2020-07-01 18:54 ` [Bug 1878645] "  Alexander Bulekov
2020-07-01 20:35 ` Peter Maydell
2020-07-01 20:35 ` [Bug 1878645] "  Peter Maydell
2020-07-02  7:55 ` Philippe Mathieu-Daudé
2020-07-02  7:55 ` [Bug 1878645] "  Philippe Mathieu-Daudé
2020-07-02  9:52 ` Paolo Bonzini
2020-07-02 10:49 ` Alex Bennée [this message]
2020-07-02 10:49 ` [Bug 1878645] "  Alex Bennée
2020-09-07 20:35 ` Alexander Bulekov
2020-09-08  6:33 ` Paolo Bonzini
2020-09-08  6:39 ` Philippe Mathieu-Daudé
2020-09-08 11:43 ` Paolo Bonzini
2020-10-22 14:15 ` [Bug 1878645] Re: null-ptr dereference in ich9_apm_ctrl_changed  Philippe Mathieu-Daudé
2021-08-21  4:08 ` Alexander Bulekov
2021-08-21  6:13 ` Thomas Huth

-- strict thread matches above, loose matches on Subject: below --

2020-07-01 13:56 [PATCH v4 00/40] testing/next (vm, gitlab, fixes)  Alex Bennée
2020-07-01 13:56 ` [PATCH v4 01/40] hw/isa: check for current_cpu before generating IRQ  Alex Bennée
2020-07-01 13:56 ` [Bug 1878645] "  Alex Bennée
2020-07-01 15:51 ` Philippe Mathieu-Daudé
2020-07-01 15:51 ` [Bug 1878645] "  Philippe Mathieu-Daudé
2020-07-01 16:40 ` Alex Bennée
2020-07-01 16:40 ` [Bug 1878645] "  Alex Bennée
2020-07-01 16:47 ` Philippe Mathieu-Daudé
2020-07-01 16:47 ` [Bug 1878645] "  Philippe Mathieu-Daudé
2020-07-01 17:09 ` Alex Bennée
2020-07-01 17:09 ` [Bug 1878645] "  Alex Bennée
2020-07-01 17:34 ` Philippe Mathieu-Daudé
2020-07-01 17:34 ` [Bug 1878645] "  Philippe Mathieu-Daudé
2020-07-01 17:37 ` Philippe Mathieu-Daudé
2020-07-01 17:37 ` [Bug 1878645] "  Philippe Mathieu-Daudé
2020-07-01 17:48 ` Philippe Mathieu-Daudé
2020-07-01 17:48 ` [Bug 1878645] "  Philippe Mathieu-Daudé
2020-07-01 18:13 ` Philippe Mathieu-Daudé
2020-07-01 18:13 ` [Bug 1878645] "  Philippe Mathieu-Daudé