* QEMU 6.2.0: Segfault while calling address_space_init from emulated device
@ 2022-05-15 7:26 Karthik Poduval
From: Karthik Poduval @ 2022-05-15 7:26 UTC
To: QEMU Developers
Hi All,
I am trying to create a virtual mem2mem scaler device in QEMU (for the
purposes of writing a mem2mem driver tutorial). I created the mem2mem
device as shown here.
https://github.com/karthikpoduval/qemu/blob/scaler-bringup/hw/misc/m2m_scaler.c
I added this MMIO device to the arm virt.c (as shown here).
https://github.com/karthikpoduval/qemu/blob/scaler-bringup/hw/arm/virt.c#L1306
However while the device is getting created, there is a crash while
launching QEMU.
qemu-system-aarch64 -device
virtio-net-device,netdev=net0,mac=52:54:00:12:35:02 -netdev
user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23,tftp=/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64
-object rng-random,filename=/dev/urandom,id=rng0 -device
virtio-rng-pci,rng=rng0 -drive
id=disk0,file=/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64/yoe-simple-image-qemuarm64-20220515002944.rootfs.ext4,if=none,format=raw
-device virtio-blk-device,drive=disk0 -device qemu-xhci -device
usb-tablet -device usb-kbd -machine virt -cpu cortex-a57 -smp 4 -m
1024 -serial mon:stdio -serial null -nographic -device virtio-gpu-pci
-kernel /home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64/Image--5.15.22+git0+2d38a472b2_7f685244af-r0.0-qemua
rm64-20220306152158.bin -append 'root=/dev/vda rw mem=256M ip=dhcp
console=ttyAMA0 console=hvc0 '
Upon running gdb, the stack trace looks like.
Thread 1 "qemu-system-aar" received signal SIGSEGV, Segmentation fault.
0x0000555555d2f6d6 in memory_region_ref (mr=0x56becae0) at
../git/softmmu/memory.c:3005
3005 memory_region_ref(root);
(gdb) bt
#0 0x0000555555d2f6d6 in memory_region_ref (mr=0x56becae0) at
../git/softmmu/memory.c:3005
#1 address_space_init (as=0x5555570f8bb8, root=0x56becae0,
name=0x5555560a9620 "m2m-scaler-dma") at ../git/softmmu/memory.c:3005
#2 0x0000555555e0d5c8 in object_initialize_with_type
(obj=obj@entry=0x5555570f8750, size=size@entry=1360,
type=type@entry=0x555556a117d0) at ../git/qom/object.c:518
#3 0x0000555555e0d719 in object_new_with_type (type=0x555556a117d0)
at ../git/qom/object.c:733
#4 0x0000555555e08e3a in qdev_new (name=name@entry=0x5555560a95eb
"m2m_scaler") at ../git/hw/core/qdev.c:153
#5 0x000055555595cafa in sysbus_create_varargs
(name=name@entry=0x5555560a95eb "m2m_scaler", addr=addr@entry=0) at
../git/hw/core/sysbus.c:234
#6 0x0000555555adf1a1 in sysbus_create_simple (irq=<optimized out>,
addr=0, name=0x5555560a95eb "m2m_scaler")
at /home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/git/include/hw/sysbus.h:104
#7 create_m2m_scaler (vms=0x555556c31400) at ../git/hw/arm/virt.c:1317
#8 machvirt_init (machine=0x555556c31400) at ../git/hw/arm/virt.c:2239
#9 0x0000555555959929 in machine_run_board_init
(machine=0x555556c31400) at ../git/hw/core/machine.c:1187
#10 0x0000555555d3576f in qemu_init_board () at ../git/softmmu/vl.c:2656
#11 qmp_x_exit_preconfig (errp=<optimized out>) at ../git/softmmu/vl.c:2746
#12 qmp_x_exit_preconfig (errp=<optimized out>) at ../git/softmmu/vl.c:2739
#13 0x0000555555d38f3b in qemu_init (argc=<optimized out>,
argv=<optimized out>, envp=<optimized out>) at
../git/softmmu/vl.c:3777
#14 0x000055555588e1bd in main (argc=<optimized out>, argv=<optimized
out>, envp=<optimized out>) at ../git/softmmu/main.c:49
I was able to do the same thing in QEMU 5.1.0 and do not know why this
does not work in QEMU 6.2.0. Kindly help me resolve this issue. I want
my device to have access to the entire system RAM (as this emulated
device can read the input image from DDR, scale it and write the image
back to DDR, so it needs to have access to the entire DDR memory).
--
Regards,
Karthik Poduval
* Re: QEMU 6.2.0: Segfault while calling address_space_init from emulated device
From: Karthik Poduval @ 2022-05-17 2:13 UTC
To: QEMU Developers

Hi All,

I still need help, any help would be greatly appreciated. Turned on
address sanitizers (config option --enable-sanitizers).
It pointed to a heap overflow in xilinx code.
SUMMARY: AddressSanitizer: heap-buffer-overflow
../git/hw/dma/xlnx_csu_dma.c:722 in xlnx_csu_dma_class_init

So disabled xilinx from the config.
diff --git a/configs/devices/aarch64-softmmu/default.mak b/configs/devices/aarch64-softmmu/default.mak
index cf43ac8da1..cf8b98070e 100644
--- a/configs/devices/aarch64-softmmu/default.mak
+++ b/configs/devices/aarch64-softmmu/default.mak
@@ -3,6 +3,6 @@
 # We support all the 32 bit boards so need all their config
 include ../arm-softmmu/default.mak
 
-CONFIG_XLNX_ZYNQMP_ARM=y
-CONFIG_XLNX_VERSAL=y
+CONFIG_XLNX_ZYNQMP_ARM=n
+CONFIG_XLNX_VERSAL=n
 CONFIG_SBSA_REF=y

Even after doing that the code still crashes at the same point. It
seems to be a memory corruption issue, or else how can the
get_system_address() function provide an incorrect pointer.

build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/image/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/recipe-sysroot-native/usr/bin/qemu-system-aarch64
-device virtio-net-device,netdev=net0,mac=52:54:00:12:35:02 -netdev
user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23,tftp=/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64
-object rng-random,filename=/dev/urandom,id=rng0 -device
virtio-rng-pci,rng=rng0 -drive
id=disk0,file=/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64/yoe-simple-image-qemuarm64-20220515002944.rootfs.ext4,if=none,format=raw
-device virtio-blk-device,drive=disk0 -device qemu-xhci -device
usb-tablet -device usb-kbd -machine virt -cpu cortex-a57 -smp 4 -m
1024 -serial mon:stdio -serial null -nographic -device virtio-gpu-pci
-kernel /home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64/Image--5.15.22+git0+2d38a472b2_7f685244af-r0.0-qemuarm64-20220306152158.bin
-append 'root=/dev/vda rw mem=1024M ip=dhcp console=ttyAMA0
console=hvc0 '

==2004211==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2004211==ERROR: AddressSanitizer: SEGV on unknown address
0x000000005300 (pc 0x55dfdc2b47fc bp 0x61a0000028e8 sp 0x7ffcf813edc0 T0)
==2004211==The signal is caused by a READ memory access.
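Review bot: this default.mak change is a workaround that should not be kept in the scaler-bringup branch: switching CONFIG_XLNX_ZYNQMP_ARM and CONFIG_XLNX_VERSAL to =n removes two whole machine families from qemu-system-aarch64 in order to silence the xlnx_csu_dma_class_init heap-buffer-overflow report, and the same message records that the address_space_init crash is unchanged afterwards, so that ASan finding and the crash at hand are unrelated. Revert the two lines to `CONFIG_XLNX_ZYNQMP_ARM=y` and `CONFIG_XLNX_VERSAL=y` once the experiment is over. When ASan reports a problem in a class_init that runs before any board code, the useful next step is to look at the pointer flowing into the crashing frame in the trace (here the root handed to address_space_init), not to drop unrelated devices from the build until the first report changes.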
    #0 0x55dfdc2b47fb in memory_region_ref ../git/softmmu/memory.c:1790
    #1 0x55dfdc2b47fb in address_space_init ../git/softmmu/memory.c:3005
    #2 0x55dfdacba208 in m2m_scaler_realize ../git/hw/misc/m2m_scaler.c:288
    #3 0x55dfdc7fb1eb in device_set_realized ../git/hw/core/qdev.c:531
    #4 0x55dfdc807c50 in property_set_bool ../git/qom/object.c:2268
    #5 0x55dfdc80f5ff in object_property_set ../git/qom/object.c:1403
    #6 0x55dfdc819253 in object_property_set_qobject ../git/qom/qom-qobject.c:28
    #7 0x55dfdc80feb5 in object_property_set_bool ../git/qom/object.c:1472
    #8 0x55dfdc7f9452 in qdev_realize_and_unref ../git/hw/core/qdev.c:340
    #9 0x55dfda8c9adc in sysbus_create_varargs ../git/hw/core/sysbus.c:236
    #10 0x55dfdb24d87e in sysbus_create_simple /home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/git/include/hw/sysbus.h:104
    #11 0x55dfdb24d87e in create_m2m_scaler ../git/hw/arm/virt.c:1316
    #12 0x55dfdb24d87e in machvirt_init ../git/hw/arm/virt.c:2223
    #13 0x55dfda8bd006 in machine_run_board_init ../git/hw/core/machine.c:1187
    #14 0x55dfdc2c9f51 in qemu_init_board ../git/softmmu/vl.c:2656
    #15 0x55dfdc2c9f51 in qmp_x_exit_preconfig ../git/softmmu/vl.c:2746
    #16 0x55dfdc2d1425 in qemu_init ../git/softmmu/vl.c:3777
    #17 0x55dfda49c1fc in main ../git/softmmu/main.c:49
    #18 0x7f53e39ce57a (/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/sysroots-uninative/x86_64-linux/lib/libc.so.6+0x2d57a)
    #19 0x7f53e39ce62f in __libc_start_main (/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/sysroots-uninative/x86_64-linux/lib/libc.so.6+0x2d62f)
    #20 0x55dfda4d6f5d in _start (/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/image/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/recipe-sysroot-native/usr/bin/qemu-system-aarch64+0x3b58f5d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../git/softmmu/memory.c:1790 in memory_region_ref
==2004211==ABORTING

Any help would be greatly appreciated. Here is the link to the latest code.
https://github.com/karthikpoduval/qemu/tree/scaler-bringup

--
Regards,
Karthik Poduval
* Re: QEMU 6.2.0: Segfault while calling address_space_init from emulated device
From: Karthik Poduval @ 2022-05-17 3:31 UTC
To: QEMU Developers

I was able to get it to work with a workaround. After doing some gdb
debugging it shows that the system_memory global was being populated
before the m2m_scaler device was being initialized. Printing
system_memory vs mr (the argument to the crashing function) shows the
pointer value to be truncated.

(gdb) p system_memory
$1 = (MemoryRegion *) 0x555556ae16e0
(gdb) p mr
$2 = (MemoryRegion *) 0x56ae16e0
(gdb)

The following workaround resolves the issue for now. It accesses the
system_memory global variable directly instead of getting it from the
function get_system_memory.
https://github.com/karthikpoduval/qemu/commit/00580c9f3c60a7d9c3bb43bc9589f76e663197e4

--
Regards,
Karthik Poduval
* Re: QEMU 6.2.0: Segfault while calling address_space_init from emulated device
From: Karthik Poduval @ 2022-05-17 3:38 UTC
To: QEMU Developers

Ok, digging deeper, there was a compiler warning about a missing
prototype of get_system_memory, but I never thought it would lead to
this sort of an issue. The fix now is pretty simple: include the header
where get_system_memory is defined.
https://github.com/qemu/qemu/commit/620dba22bf389c6f9b9f039ad01fc5e1365d8216

I always thought that compilers figured things out about function
prototypes, but in this case it caused a very serious issue that almost
seemed like memory corruption. Lesson learned, never miss function
prototypes.

--
Regards,
Karthik Poduval
* Re: QEMU 6.2.0: Segfault while calling address_space_init from emulated device
2022-05-17 3:38 ` Karthik Poduval
@ 2022-05-17 7:40 ` Peter Maydell
2022-05-17 8:19 ` Karthik Poduval
From: Peter Maydell @ 2022-05-17 7:40 UTC
To: Karthik Poduval; +Cc: QEMU Developers

On Tue, 17 May 2022 at 04:39, Karthik Poduval <karthik.poduval@gmail.com> wrote:
> Ok, digging deeper, there was a compiler warning about a missing
> prototype of get_system_memory, but I never thought it would lead to
> this sort of an issue.

If you're building QEMU from git it should default to
"warnings are errors". If you're not, then pass configure
--enable-werror to do that.

PS: not related to your problem, but you should really do
the address_space_init() in device realize, not init.

thanks
-- PMM
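As an added example (not code from the thread or from QEMU), a small Python check for the two symptoms the thread describes: a build log scanned for implicit-declaration warnings of the kind a missing get_system_memory prototype produces, and a gdb backtrace scanned for pointer arguments that fit in 32 bits while the other pointers in the trace are 64-bit, which is what happens on LP64 when a function the compiler has implicitly declared as returning int actually returns a pointer (compare mr=0x56becae0 with as=0x5555570f8bb8 in the backtrace above). The build-log lines are constructed; the three backtrace frames are copied from the thread.

```python
import re
from collections import Counter

# Constructed build-log line of the kind a missing prototype produces
# (the thread names get_system_memory); not copied from the actual build.
BUILD_LOG = """\
../git/hw/misc/m2m_scaler.c:58:5: warning: implicit declaration of function 'get_system_memory' [-Wimplicit-function-declaration]
"""

# Three frames copied from the backtrace posted in the thread.
BACKTRACE = """\
#0  0x0000555555d2f6d6 in memory_region_ref (mr=0x56becae0) at ../git/softmmu/memory.c:3005
#1  address_space_init (as=0x5555570f8bb8, root=0x56becae0, name=0x5555560a9620 "m2m-scaler-dma") at ../git/softmmu/memory.c:3005
#7  create_m2m_scaler (vms=0x555556c31400) at ../git/hw/arm/virt.c:1317
"""

IMPLICIT_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):\d+: warning: implicit declaration "
    r"of function ['‘](?P<func>\w+)['’]")
FRAME_RE = re.compile(r"^#(?P<no>\d+)\s")
PTR_ARG_RE = re.compile(r"\b(?P<name>\w+)=(?P<addr>0x[0-9a-fA-F]+)")


def implicit_declarations(build_log):
    """(file, line, function) for each implicit-declaration warning.
    C assumes an undeclared function returns int, so a pointer it really
    returns is cut to 32 bits on LP64; this is the warning to make fatal."""
    hits = []
    for raw in build_log.splitlines():
        m = IMPLICIT_RE.match(raw.strip())
        if m:
            hits.append((m["file"], int(m["line"]), m["func"]))
    return hits


def truncated_pointers(backtrace):
    """Flag pointer-valued frame arguments that fit in 32 bits while the
    other pointers in the trace are 64-bit. Returns (frame, arg, value,
    guess); guess re-attaches the high half the other pointers share."""
    args = []
    for raw in backtrace.splitlines():
        fm = FRAME_RE.match(raw.strip())
        if not fm:
            continue
        for am in PTR_ARG_RE.finditer(raw):
            args.append((int(fm["no"]), am["name"], int(am["addr"], 16)))
    wide = [v for _, _, v in args if v >> 32]
    if not wide:
        return []  # 32-bit process or nothing to compare against
    high = Counter(v & ~0xFFFFFFFF for v in wide).most_common(1)[0][0]
    return [(f, n, v, high | v) for f, n, v in args if not v >> 32]
```

Run against the frames above, the guess for mr and root is 0x555556becae0, which sits in the same heap range as the other QOM objects in the trace; with --enable-werror the first check never gets a chance to fire because the build stops at the warning.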
* Re: QEMU 6.2.0: Segfault while calling address_space_init from emulated device
2022-05-17 7:40 ` Peter Maydell
@ 2022-05-17 8:19 ` Karthik Poduval
From: Karthik Poduval @ 2022-05-17 8:19 UTC
To: Peter Maydell; +Cc: QEMU Developers

Hi Peter,

I am building it from git, but not directly: via Yocto Kirkstone (it
was originally designed to build from a downloaded tarball archive). I
will add --enable-werror to the build recipe.

May I ask why address_space_init should be called from device realize
and not init?

On Tue, May 17, 2022 at 12:40 AM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Tue, 17 May 2022 at 04:39, Karthik Poduval <karthik.poduval@gmail.com> wrote:
> > Ok, digging deeper, there was a compiler warning about a missing
> > prototype of get_system_memory, but I never thought it would lead to
> > this sort of an issue.
>
> If you're building QEMU from git it should default to
> "warnings are errors". If you're not, then pass configure
> --enable-werror to do that.
>
> PS: not related to your problem, but you should really do
> the address_space_init() in device realize, not init.
>
> thanks
> -- PMM

--
Regards,
Karthik Poduval