[BUG Report] Got a use-after-free error while start arm64 VM with lots of pci controllers

* [BUG Report] Got a use-after-free error while start arm64 VM with lots of pci controllers
@ 2020-01-17  8:18 Pan Nengyuan
  2020-01-17  8:20 ` Pan Nengyuan
  0 siblings, 1 reply; 2+ messages in thread
From: Pan Nengyuan @ 2020-01-17  8:18 UTC (permalink / raw)
  To: Michael Tsirkin, marcel.apfelbaum; +Cc: kuhn.chenqun, qemu-devel, zhanghailiang

[-- Attachment #1: Type: text/plain, Size: 5296 bytes --]

Hi,

We got a use-after-free report in our Euler Robot Test, it is can be reproduced quite easily,
It can be reproduced by start VM with lots of pci controller and virtio-scsi devices.
You can find the full qemu log from attachment.
We have analyzed the log and got the rough process how it happened, but don't know how to fix it.

Could anyone help to fix it ?

The key message shows bellow:
har device redirected to /dev/pts/1 (label charserial0)
==1517174==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
=================================================================
==1517174==ERROR: AddressSanitizer: heap-use-after-free on address 0xfffc31a002a0 at pc 0xaaad73e1f668 bp 0xfffc319fddb0 sp 0xfffc319fddd0
READ of size 8 at 0xfffc31a002a0 thread T1
    #0 0xaaad73e1f667 in memory_region_unref /home/qemu/memory.c:1771
    #1 0xaaad73e1f667 in flatview_destroy /home/qemu/memory.c:291
    #2 0xaaad74adc85b in call_rcu_thread util/rcu.c:283
    #3 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
    #4 0xfffc3a1678bb  (/lib64/libpthread.so.0+0x78bb)
    #5 0xfffc3a0a616b  (/lib64/libc.so.6+0xd616b)

0xfffc31a002a0 is located 544 bytes inside of 1440-byte region [0xfffc31a00080,0xfffc31a00620)
freed by thread T37 (CPU 0/KVM) here:
    #0 0xfffc3c102e23 in free (/lib64/libasan.so.4+0xd2e23)
    #1 0xfffc3bbc729f in g_free (/lib64/libglib-2.0.so.0+0x5729f)
    #2 0xaaad745cce03 in pci_bridge_update_mappings hw/pci/pci_bridge.c:245
    #3 0xaaad745ccf33 in pci_bridge_write_config hw/pci/pci_bridge.c:271
    #4 0xaaad745ba867 in pci_bridge_dev_write_config hw/pci-bridge/pci_bridge_dev.c:153
    #5 0xaaad745d6013 in pci_host_config_write_common hw/pci/pci_host.c:81
    #6 0xaaad73e2346f in memory_region_write_accessor /home/qemu/memory.c:483
    #7 0xaaad73e1d9ff in access_with_adjusted_size /home/qemu/memory.c:544
    #8 0xaaad73e28d1f in memory_region_dispatch_write /home/qemu/memory.c:1482
    #9 0xaaad73d7274f in flatview_write_continue /home/qemu/exec.c:3167
    #10 0xaaad73d72a53 in flatview_write /home/qemu/exec.c:3207
    #11 0xaaad73d7c8c3 in address_space_write /home/qemu/exec.c:3297
    #12 0xaaad73e5059b in kvm_cpu_exec /home/qemu/accel/kvm/kvm-all.c:2386
    #13 0xaaad73e07ac7 in qemu_kvm_cpu_thread_fn /home/qemu/cpus.c:1246
    #14 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
    #15 0xfffc3a1678bb  (/lib64/libpthread.so.0+0x78bb)
    #16 0xfffc3a0a616b  (/lib64/libc.so.6+0xd616b)

previously allocated by thread T0 here:
    #0 0xfffc3c1031cb in __interceptor_malloc (/lib64/libasan.so.4+0xd31cb)
    #1 0xfffc3bbc7163 in g_malloc (/lib64/libglib-2.0.so.0+0x57163)
    #2 0xaaad745ccb57 in pci_bridge_region_init hw/pci/pci_bridge.c:188
    #3 0xaaad745cd8cb in pci_bridge_initfn hw/pci/pci_bridge.c:385
    #4 0xaaad745baaf3 in pci_bridge_dev_realize hw/pci-bridge/pci_bridge_dev.c:64
    #5 0xaaad745cacd7 in pci_qdev_realize hw/pci/pci.c:2095
    #6 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
    #7 0xaaad7485ed23 in property_set_bool qom/object.c:2102
    #8 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
    #9 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
    #10 0xaaad742a53b7 in qdev_device_add /home/qemu/qdev-monitor.c:675
    #11 0xaaad742a9c7b in device_init_func /home/qemu/vl.c:2074
    #12 0xaaad74ad4d33 in qemu_opts_foreach util/qemu-option.c:1170
    #13 0xaaad73d60c17 in main /home/qemu/vl.c:4313
    #14 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
    #15 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

Thread T1 created by T0 here:
    #0 0xfffc3c068f6f in __interceptor_pthread_create (/lib64/libasan.so.4+0x38f6f)
    #1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
    #2 0xaaad74adc6a7 in rcu_init_complete util/rcu.c:326
    #3 0xaaad74bab2a7 in __libc_csu_init (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x17cb2a7)
    #4 0xfffc39ff0b47 in __libc_start_main (/lib64/libc.so.6+0x20b47)
    #5 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

Thread T37 (CPU 0/KVM) created by T0 here:
    #0 0xfffc3c068f6f in __interceptor_pthread_create (/lib64/libasan.so.4+0x38f6f)
    #1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
    #2 0xaaad73e09b0f in qemu_dummy_start_vcpu /home/qemu/cpus.c:2045
    #3 0xaaad73e09b0f in qemu_init_vcpu /home/qemu/cpus.c:2077
    #4 0xaaad740d36b7 in arm_cpu_realizefn /home/qemu/target/arm/cpu.c:1712
    #5 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
    #6 0xaaad7485ed23 in property_set_bool qom/object.c:2102
    #7 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
    #8 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
    #9 0xaaad73fe3e67 in machvirt_init /home/qemu/hw/arm/virt.c:1682
    #10 0xaaad743acfc7 in machine_run_board_init hw/core/machine.c:1077
    #11 0xaaad73d60b73 in main /home/qemu/vl.c:4292
    #12 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
    #13 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

SUMMARY: AddressSanitizer: heap-use-after-free /home/qemu/memory.c:1771 in memory_region_unref

Thanks

[-- Attachment #2: use-after-free-qemu.log --]
[-- Type: text/plain, Size: 23328 bytes --]

2020-01-17 07:43:48.033+0000: starting up libvirt version: 5.5.0, package: 5, qemu version: 4.2.50v4.2.0-684-g28b58f19d2, kernel: 4.19.90-512U-fixes+, hostname: ciagent-9-13-7-55
LC_ALL=C \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
HOME=/var/lib/libvirt/qemu/domain-859-test2 \
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-859-test2/.local/share \
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-859-test2/.cache \
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain-859-test2/.config \
QEMU_AUDIO_DRV=none \
/home/qemu/aarch64-softmmu/qemu-system-aarch64 \
-name guest=test2,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-859-test2/master-key.aes \
-machine virt-5.0,accel=kvm,usb=off,dump-guest-core=off,gic-version=3 \
-cpu host \
-drive file=/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw,if=pflash,format=raw,unit=0,readonly=on \
-drive file=/var/lib/libvirt/qemu/nvram/testvm.qcow2_par_VARS.fd,if=pflash,format=raw,unit=1 \
-m 131072 \
-overcommit mem-lock=off \
-smp 128,sockets=2,cores=64,threads=1 \
-object memory-backend-file,id=ram-node0,prealloc=yes,mem-path=/dev/hugepages/libvirt/qemu/859-test2,size=68719476736,host-nodes=0,policy=bind \
-numa node,nodeid=0,cpus=0-63,memdev=ram-node0 \
-object memory-backend-file,id=ram-node1,prealloc=yes,mem-path=/dev/hugepages/libvirt/qemu/859-test2,size=68719476736,host-nodes=1,policy=bind \
-numa node,nodeid=1,cpus=64-127,memdev=ram-node1 \
-uuid 10d7a74d-4a67-4bfd-9483-1ae5125e6eaf \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=32,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc,clock=vm,driftfix=slew \
-no-shutdown \
-boot strict=on \
-device pcie-root-port,port=0x8,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x1 \
-device pcie-pci-bridge,id=pci.2,bus=pci.1,addr=0x0 \
-device pci-bridge,chassis_nr=3,id=pci.3,bus=pci.2,addr=0x1 \
-device pcie-root-port,port=0x9,chassis=4,id=pci.4,bus=pcie.0,addr=0x1.0x1 \
-device pcie-root-port,port=0xa,chassis=5,id=pci.5,bus=pcie.0,addr=0x1.0x2 \
-device pcie-root-port,port=0xb,chassis=6,id=pci.6,bus=pcie.0,addr=0x1.0x3 \
-device pcie-root-port,port=0xc,chassis=7,id=pci.7,bus=pcie.0,addr=0x1.0x4 \
-device pcie-root-port,port=0xd,chassis=8,id=pci.8,bus=pcie.0,addr=0x1.0x5 \
-device pcie-root-port,port=0xe,chassis=9,id=pci.9,bus=pcie.0,addr=0x1.0x6 \
-device pcie-root-port,port=0xf,chassis=10,id=pci.10,bus=pcie.0,addr=0x1.0x7 \
-device pcie-root-port,port=0x10,chassis=11,id=pci.11,bus=pcie.0,multifunction=on,addr=0x2 \
-device pcie-root-port,port=0x11,chassis=12,id=pci.12,bus=pcie.0,addr=0x2.0x1 \
-device pcie-root-port,port=0x12,chassis=13,id=pci.13,bus=pcie.0,addr=0x2.0x2 \
-device pcie-root-port,port=0x13,chassis=14,id=pci.14,bus=pcie.0,addr=0x2.0x3 \
-device pcie-root-port,port=0x14,chassis=15,id=pci.15,bus=pcie.0,addr=0x2.0x4 \
-device pcie-root-port,port=0x15,chassis=16,id=pci.16,bus=pcie.0,addr=0x2.0x5 \
-device pcie-root-port,port=0x16,chassis=17,id=pci.17,bus=pcie.0,addr=0x2.0x6 \
-device pcie-root-port,port=0x17,chassis=18,id=pci.18,bus=pcie.0,addr=0x2.0x7 \
-device pcie-root-port,port=0x18,chassis=19,id=pci.19,bus=pcie.0,multifunction=on,addr=0x3 \
-device pcie-root-port,port=0x19,chassis=20,id=pci.20,bus=pcie.0,addr=0x3.0x1 \
-device pcie-root-port,port=0x1a,chassis=21,id=pci.21,bus=pcie.0,addr=0x3.0x2 \
-device pcie-root-port,port=0x1b,chassis=22,id=pci.22,bus=pcie.0,addr=0x3.0x3 \
-device pcie-root-port,port=0x1c,chassis=23,id=pci.23,bus=pcie.0,addr=0x3.0x4 \
-device pcie-root-port,port=0x1d,chassis=24,id=pci.24,bus=pcie.0,addr=0x3.0x5 \
-device pcie-root-port,port=0x1e,chassis=25,id=pci.25,bus=pcie.0,addr=0x3.0x6 \
-device pcie-root-port,port=0x1f,chassis=26,id=pci.26,bus=pcie.0,addr=0x3.0x7 \
-device pcie-root-port,port=0x20,chassis=27,id=pci.27,bus=pcie.0,multifunction=on,addr=0x4 \
-device pcie-root-port,port=0x21,chassis=28,id=pci.28,bus=pcie.0,addr=0x4.0x1 \
-device pcie-root-port,port=0x22,chassis=29,id=pci.29,bus=pcie.0,addr=0x4.0x2 \
-device pcie-root-port,port=0x23,chassis=30,id=pci.30,bus=pcie.0,addr=0x4.0x3 \
-device pcie-root-port,port=0x24,chassis=31,id=pci.31,bus=pcie.0,addr=0x4.0x4 \
-device pcie-root-port,port=0x25,chassis=32,id=pci.32,bus=pcie.0,addr=0x4.0x5 \
-device pcie-root-port,port=0x26,chassis=33,id=pci.33,bus=pcie.0,addr=0x4.0x6 \
-device pcie-root-port,port=0x27,chassis=34,id=pci.34,bus=pcie.0,addr=0x4.0x7 \
-device pcie-root-port,port=0x28,chassis=35,id=pci.35,bus=pcie.0,multifunction=on,addr=0x5 \
-device pcie-root-port,port=0x29,chassis=36,id=pci.36,bus=pcie.0,addr=0x5.0x1 \
-device pcie-root-port,port=0x30,chassis=37,id=pci.37,bus=pcie.0,addr=0x5.0x2 \
-device pcie-root-port,port=0x31,chassis=38,id=pci.38,bus=pcie.0,addr=0x5.0x3 \
-device pcie-root-port,port=0x32,chassis=39,id=pci.39,bus=pcie.0,addr=0x5.0x4 \
-device pcie-root-port,port=0x33,chassis=40,id=pci.40,bus=pcie.0,addr=0x5.0x5 \
-device pcie-root-port,port=0x34,chassis=41,id=pci.41,bus=pcie.0,addr=0x5.0x6 \
-device pcie-root-port,port=0x35,chassis=42,id=pci.42,bus=pcie.0,addr=0x5.0x7 \
-device pcie-root-port,port=0x36,chassis=43,id=pci.43,bus=pcie.0,multifunction=on,addr=0x6 \
-device pcie-root-port,port=0x37,chassis=44,id=pci.44,bus=pcie.0,addr=0x6.0x1 \
-device pcie-root-port,port=0x38,chassis=45,id=pci.45,bus=pcie.0,addr=0x6.0x2 \
-device pcie-root-port,port=0x39,chassis=46,id=pci.46,bus=pcie.0,addr=0x6.0x3 \
-device pcie-root-port,port=0x40,chassis=47,id=pci.47,bus=pcie.0,addr=0x6.0x4 \
-device pcie-root-port,port=0x41,chassis=48,id=pci.48,bus=pcie.0,addr=0x6.0x5 \
-device pcie-root-port,port=0x42,chassis=49,id=pci.49,bus=pcie.0,addr=0x6.0x6 \
-device pcie-root-port,port=0x43,chassis=50,id=pci.50,bus=pcie.0,addr=0x6.0x7 \
-device usb-ehci,id=usb,bus=pci.2,addr=0x2 \
-device virtio-scsi-pci,id=scsi0,bus=pci.5,addr=0x0 \
-device virtio-scsi-pci,id=scsi1,bus=pci.6,addr=0x0 \
-device virtio-scsi-pci,id=scsi2,bus=pci.7,addr=0x0 \
-device virtio-scsi-pci,id=scsi3,bus=pci.8,addr=0x0 \
-device lsi,id=scsi4,bus=pci.2,addr=0x3 \
-device lsi,id=scsi5,bus=pci.2,addr=0x4 \
-drive file=/mnt/sdb/centos76_aarch64.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0,cache=none,aio=native \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,device_id=drive-scsi0-0-0-0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1,write-cache=on \
-drive file=/mnt/sdb/disk/disk_001,format=raw,if=none,id=drive-scsi0-0-0-1,cache=none,aio=threads \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=1,device_id=drive-scsi0-0-0-1,drive=drive-scsi0-0-0-1,id=scsi0-0-0-1,write-cache=on \
-drive file=/mnt/sdb/disk/disk_002,format=raw,if=none,id=drive-scsi0-0-0-2,cache=none,aio=threads \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=2,device_id=drive-scsi0-0-0-2,drive=drive-scsi0-0-0-2,id=scsi0-0-0-2,write-cache=on \
-drive file=/mnt/sdb/disk/disk_003,format=raw,if=none,id=drive-scsi0-0-0-3,cache=none,aio=threads \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=3,device_id=drive-scsi0-0-0-3,drive=drive-scsi0-0-0-3,id=scsi0-0-0-3,write-cache=on \
-drive file=/mnt/sdb/disk/disk_004,format=raw,if=none,id=drive-scsi0-0-0-4,cache=none,aio=threads \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=4,device_id=drive-scsi0-0-0-4,drive=drive-scsi0-0-0-4,id=scsi0-0-0-4,write-cache=on \
-drive file=/mnt/sdb/disk/disk_005,format=raw,if=none,id=drive-scsi0-0-0-5,cache=none,aio=threads \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=5,device_id=drive-scsi0-0-0-5,drive=drive-scsi0-0-0-5,id=scsi0-0-0-5,write-cache=on \
-drive file=/mnt/sdb/disk/disk_006,format=raw,if=none,id=drive-scsi0-0-0-6,cache=none,aio=threads \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=6,device_id=drive-scsi0-0-0-6,drive=drive-scsi0-0-0-6,id=scsi0-0-0-6,write-cache=on \
-drive file=/mnt/sdb/disk/disk_007,format=raw,if=none,id=drive-scsi1-0-0-0,cache=none,aio=threads \
-device scsi-hd,bus=scsi1.0,channel=0,scsi-id=0,lun=0,device_id=drive-scsi1-0-0-0,drive=drive-scsi1-0-0-0,id=scsi1-0-0-0,write-cache=on \
-drive file=/mnt/sdb/disk/disk_008,format=raw,if=none,id=drive-scsi1-0-0-1,cache=none,aio=threads \
-device scsi-hd,bus=scsi1.0,channel=0,scsi-id=0,lun=1,device_id=drive-scsi1-0-0-1,drive=drive-scsi1-0-0-1,id=scsi1-0-0-1,write-cache=on \
-drive file=/mnt/sdb/disk/disk_009,format=raw,if=none,id=drive-scsi1-0-0-2,cache=none,aio=threads \
-device scsi-hd,bus=scsi1.0,channel=0,scsi-id=0,lun=2,device_id=drive-scsi1-0-0-2,drive=drive-scsi1-0-0-2,id=scsi1-0-0-2,write-cache=on \
-drive file=/mnt/sdb/disk/disk_010,format=raw,if=none,id=drive-scsi1-0-0-3,cache=none,aio=threads \
-device scsi-hd,bus=scsi1.0,channel=0,scsi-id=0,lun=3,device_id=drive-scsi1-0-0-3,drive=drive-scsi1-0-0-3,id=scsi1-0-0-3,write-cache=on \
-drive file=/mnt/sdb/disk/disk_011,format=raw,if=none,id=drive-scsi1-0-0-4,cache=none,aio=threads \
-device scsi-hd,bus=scsi1.0,channel=0,scsi-id=0,lun=4,device_id=drive-scsi1-0-0-4,drive=drive-scsi1-0-0-4,id=scsi1-0-0-4,write-cache=on \
-drive file=/mnt/sdb/disk/disk_012,format=raw,if=none,id=drive-scsi1-0-0-5,cache=none,aio=threads \
-device scsi-hd,bus=scsi1.0,channel=0,scsi-id=0,lun=5,device_id=drive-scsi1-0-0-5,drive=drive-scsi1-0-0-5,id=scsi1-0-0-5,write-cache=on \
-drive file=/mnt/sdb/disk/disk_013,format=raw,if=none,id=drive-scsi1-0-0-6,cache=none,aio=threads \
-device scsi-hd,bus=scsi1.0,channel=0,scsi-id=0,lun=6,device_id=drive-scsi1-0-0-6,drive=drive-scsi1-0-0-6,id=scsi1-0-0-6,write-cache=on \
-drive file=/mnt/sdb/disk/disk_014,format=raw,if=none,id=drive-scsi2-0-0-0,cache=none,aio=threads \
-device scsi-hd,bus=scsi2.0,channel=0,scsi-id=0,lun=0,device_id=drive-scsi2-0-0-0,drive=drive-scsi2-0-0-0,id=scsi2-0-0-0,write-cache=on \
-drive file=/mnt/sdb/disk/disk_015,format=raw,if=none,id=drive-scsi2-0-0-1,cache=none,aio=threads \
-device scsi-hd,bus=scsi2.0,channel=0,scsi-id=0,lun=1,device_id=drive-scsi2-0-0-1,drive=drive-scsi2-0-0-1,id=scsi2-0-0-1,write-cache=on \
-drive file=/mnt/sdb/disk/disk_016,format=raw,if=none,id=drive-scsi2-0-0-2,cache=none,aio=threads \
-device scsi-hd,bus=scsi2.0,channel=0,scsi-id=0,lun=2,device_id=drive-scsi2-0-0-2,drive=drive-scsi2-0-0-2,id=scsi2-0-0-2,write-cache=on \
-drive file=/mnt/sdb/disk/disk_017,format=raw,if=none,id=drive-scsi2-0-0-3,cache=none,aio=threads \
-device scsi-hd,bus=scsi2.0,channel=0,scsi-id=0,lun=3,device_id=drive-scsi2-0-0-3,drive=drive-scsi2-0-0-3,id=scsi2-0-0-3,write-cache=on \
-drive file=/mnt/sdb/disk/disk_018,format=raw,if=none,id=drive-scsi2-0-0-4,cache=none,aio=threads \
-device scsi-hd,bus=scsi2.0,channel=0,scsi-id=0,lun=4,device_id=drive-scsi2-0-0-4,drive=drive-scsi2-0-0-4,id=scsi2-0-0-4,write-cache=on \
-drive file=/mnt/sdb/disk/disk_019,format=raw,if=none,id=drive-scsi2-0-0-5,cache=none,aio=threads \
-device scsi-hd,bus=scsi2.0,channel=0,scsi-id=0,lun=5,device_id=drive-scsi2-0-0-5,drive=drive-scsi2-0-0-5,id=scsi2-0-0-5,write-cache=on \
-drive file=/mnt/sdb/disk/disk_020,format=raw,if=none,id=drive-scsi2-0-0-6,cache=none,aio=threads \
-device scsi-hd,bus=scsi2.0,channel=0,scsi-id=0,lun=6,device_id=drive-scsi2-0-0-6,drive=drive-scsi2-0-0-6,id=scsi2-0-0-6,write-cache=on \
-drive file=/mnt/sdb/disk/disk_021,format=raw,if=none,id=drive-scsi3-0-0-0,cache=none,aio=threads \
-device scsi-hd,bus=scsi3.0,channel=0,scsi-id=0,lun=0,device_id=drive-scsi3-0-0-0,drive=drive-scsi3-0-0-0,id=scsi3-0-0-0,write-cache=on \
-drive file=/mnt/sdb/disk/disk_022,format=raw,if=none,id=drive-scsi3-0-0-1,cache=none,aio=threads \
-device scsi-hd,bus=scsi3.0,channel=0,scsi-id=0,lun=1,device_id=drive-scsi3-0-0-1,drive=drive-scsi3-0-0-1,id=scsi3-0-0-1,write-cache=on \
-drive file=/mnt/sdb/disk/disk_023,format=raw,if=none,id=drive-scsi3-0-0-2,cache=none,aio=threads \
-device scsi-hd,bus=scsi3.0,channel=0,scsi-id=0,lun=2,device_id=drive-scsi3-0-0-2,drive=drive-scsi3-0-0-2,id=scsi3-0-0-2,write-cache=on \
-drive file=/mnt/sdb/disk/disk_024,format=raw,if=none,id=drive-scsi3-0-0-3,cache=none,aio=threads \
-device scsi-hd,bus=scsi3.0,channel=0,scsi-id=0,lun=3,device_id=drive-scsi3-0-0-3,drive=drive-scsi3-0-0-3,id=scsi3-0-0-3,write-cache=on \
-drive file=/mnt/sdb/disk/disk_025,format=raw,if=none,id=drive-scsi3-0-0-4,cache=none,aio=threads \
-device scsi-hd,bus=scsi3.0,channel=0,scsi-id=0,lun=4,device_id=drive-scsi3-0-0-4,drive=drive-scsi3-0-0-4,id=scsi3-0-0-4,write-cache=on \
-drive file=/mnt/sdb/disk/disk_026,format=raw,if=none,id=drive-scsi3-0-0-5,cache=none,aio=threads \
-device scsi-hd,bus=scsi3.0,channel=0,scsi-id=0,lun=5,device_id=drive-scsi3-0-0-5,drive=drive-scsi3-0-0-5,id=scsi3-0-0-5,write-cache=on \
-drive file=/mnt/sdb/disk/disk_027,format=raw,if=none,id=drive-scsi3-0-0-6,cache=none,aio=threads \
-device scsi-hd,bus=scsi3.0,channel=0,scsi-id=0,lun=6,device_id=drive-scsi3-0-0-6,drive=drive-scsi3-0-0-6,id=scsi3-0-0-6,write-cache=on \
-drive file=/mnt/sdb/disk/disk_028,format=raw,if=none,id=drive-scsi4-0-0,cache=none,aio=threads \
-device scsi-hd,bus=scsi4.0,scsi-id=0,device_id=drive-scsi4-0-0,drive=drive-scsi4-0-0,id=scsi4-0-0,write-cache=on \
-drive file=/mnt/sdb/disk/disk_029,format=raw,if=none,id=drive-scsi4-0-1,cache=none,aio=threads \
-device scsi-hd,bus=scsi4.0,scsi-id=1,device_id=drive-scsi4-0-1,drive=drive-scsi4-0-1,id=scsi4-0-1,write-cache=on \
-drive file=/mnt/sdb/disk/disk_030,format=raw,if=none,id=drive-scsi4-0-2,cache=none,aio=threads \
-device scsi-hd,bus=scsi4.0,scsi-id=2,device_id=drive-scsi4-0-2,drive=drive-scsi4-0-2,id=scsi4-0-2,write-cache=on \
-drive file=/mnt/sdb/disk/disk_031,format=raw,if=none,id=drive-scsi4-0-3,cache=none,aio=threads \
-device scsi-hd,bus=scsi4.0,scsi-id=3,device_id=drive-scsi4-0-3,drive=drive-scsi4-0-3,id=scsi4-0-3,write-cache=on \
-drive file=/mnt/sdb/disk/disk_032,format=raw,if=none,id=drive-scsi4-0-4,cache=none,aio=threads \
-device scsi-hd,bus=scsi4.0,scsi-id=4,device_id=drive-scsi4-0-4,drive=drive-scsi4-0-4,id=scsi4-0-4,write-cache=on \
-drive file=/mnt/sdb/disk/disk_033,format=raw,if=none,id=drive-scsi4-0-5,cache=none,aio=threads \
-device scsi-hd,bus=scsi4.0,scsi-id=5,device_id=drive-scsi4-0-5,drive=drive-scsi4-0-5,id=scsi4-0-5,write-cache=on \
-drive file=/mnt/sdb/disk/disk_034,format=raw,if=none,id=drive-scsi4-0-6,cache=none,aio=threads \
-device scsi-hd,bus=scsi4.0,scsi-id=6,device_id=drive-scsi4-0-6,drive=drive-scsi4-0-6,id=scsi4-0-6,write-cache=on \
-drive file=/mnt/sdb/disk/disk_035,format=raw,if=none,id=drive-scsi5-0-0,cache=none,aio=threads \
-device scsi-hd,bus=scsi5.0,scsi-id=0,device_id=drive-scsi5-0-0,drive=drive-scsi5-0-0,id=scsi5-0-0,write-cache=on \
-drive file=/mnt/sdb/disk/disk_036,format=raw,if=none,id=drive-scsi5-0-1,cache=none,aio=threads \
-device scsi-hd,bus=scsi5.0,scsi-id=1,device_id=drive-scsi5-0-1,drive=drive-scsi5-0-1,id=scsi5-0-1,write-cache=on \
-drive file=/mnt/sdb/disk/disk_037,format=raw,if=none,id=drive-scsi5-0-2,cache=none,aio=threads \
-device scsi-hd,bus=scsi5.0,scsi-id=2,device_id=drive-scsi5-0-2,drive=drive-scsi5-0-2,id=scsi5-0-2,write-cache=on \
-drive file=/mnt/sdb/disk/disk_038,format=raw,if=none,id=drive-scsi5-0-3,cache=none,aio=threads \
-device scsi-hd,bus=scsi5.0,scsi-id=3,device_id=drive-scsi5-0-3,drive=drive-scsi5-0-3,id=scsi5-0-3,write-cache=on \
-drive file=/mnt/sdb/disk/disk_039,format=raw,if=none,id=drive-scsi5-0-4,cache=none,aio=threads \
-device scsi-hd,bus=scsi5.0,scsi-id=4,device_id=drive-scsi5-0-4,drive=drive-scsi5-0-4,id=scsi5-0-4,write-cache=on \
-drive file=/mnt/sdb/disk/disk_040,format=raw,if=none,id=drive-scsi5-0-5,cache=none,aio=threads \
-device scsi-hd,bus=scsi5.0,scsi-id=5,device_id=drive-scsi5-0-5,drive=drive-scsi5-0-5,id=scsi5-0-5,write-cache=on \
-netdev tap,fd=34,id=hostnet0,vhost=on,vhostfd=35 \
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:f6:d4:08,bus=pci.4,addr=0x0 \
-chardev pty,id=charserial0 \
-serial chardev:charserial0 \
-device usb-tablet,id=input0,bus=usb.0,port=1 \
-device usb-kbd,id=input1,bus=usb.0,port=2 \
-vnc 0.0.0.0:0 \
-device virtio-gpu-pci,id=video0,max_outputs=1,bus=pci.17,addr=0x0 \
-device i6300esb,id=watchdog0,bus=pci.2,addr=0x5 \
-watchdog-action none \
-device vfio-pci,host=06:00.1,id=hostdev0,bus=pci.9,addr=0x0 \
-device vfio-pci,host=06:00.2,id=hostdev1,bus=pci.10,addr=0x0 \
-device vfio-pci,host=06:00.3,id=hostdev2,bus=pci.11,addr=0x0 \
-device vfio-pci,host=06:00.4,id=hostdev3,bus=pci.12,addr=0x0 \
-device vfio-pci,host=06:00.5,id=hostdev4,bus=pci.13,addr=0x0 \
-device vfio-pci,host=06:00.6,id=hostdev5,bus=pci.14,addr=0x0 \
-device vfio-pci,host=06:00.7,id=hostdev6,bus=pci.15,addr=0x0 \
-device vfio-pci,host=06:01.0,id=hostdev7,bus=pci.16,addr=0x0 \
-sandbox off \
-msg timestamp=on
2020-01-17 07:43:48.033+0000: Domain id=859 is tainted: high-privileges
2020-01-17 07:43:48.033+0000: Domain id=859 is tainted: host-cpu
char device redirected to /dev/pts/1 (label charserial0)
==1517174==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
=================================================================
==1517174==ERROR: AddressSanitizer: heap-use-after-free on address 0xfffc31a002a0 at pc 0xaaad73e1f668 bp 0xfffc319fddb0 sp 0xfffc319fddd0
READ of size 8 at 0xfffc31a002a0 thread T1
    #0 0xaaad73e1f667 in memory_region_unref /home/qemu/memory.c:1771
    #1 0xaaad73e1f667 in flatview_destroy /home/qemu/memory.c:291
    #2 0xaaad74adc85b in call_rcu_thread util/rcu.c:283
    #3 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
    #4 0xfffc3a1678bb  (/lib64/libpthread.so.0+0x78bb)
    #5 0xfffc3a0a616b  (/lib64/libc.so.6+0xd616b)

0xfffc31a002a0 is located 544 bytes inside of 1440-byte region [0xfffc31a00080,0xfffc31a00620)
freed by thread T37 (CPU 0/KVM) here:
    #0 0xfffc3c102e23 in free (/lib64/libasan.so.4+0xd2e23)
    #1 0xfffc3bbc729f in g_free (/lib64/libglib-2.0.so.0+0x5729f)
    #2 0xaaad745cce03 in pci_bridge_update_mappings hw/pci/pci_bridge.c:245
    #3 0xaaad745ccf33 in pci_bridge_write_config hw/pci/pci_bridge.c:271
    #4 0xaaad745ba867 in pci_bridge_dev_write_config hw/pci-bridge/pci_bridge_dev.c:153
    #5 0xaaad745d6013 in pci_host_config_write_common hw/pci/pci_host.c:81
    #6 0xaaad73e2346f in memory_region_write_accessor /home/qemu/memory.c:483
    #7 0xaaad73e1d9ff in access_with_adjusted_size /home/qemu/memory.c:544
    #8 0xaaad73e28d1f in memory_region_dispatch_write /home/qemu/memory.c:1482
    #9 0xaaad73d7274f in flatview_write_continue /home/qemu/exec.c:3167
    #10 0xaaad73d72a53 in flatview_write /home/qemu/exec.c:3207
    #11 0xaaad73d7c8c3 in address_space_write /home/qemu/exec.c:3297
    #12 0xaaad73e5059b in kvm_cpu_exec /home/qemu/accel/kvm/kvm-all.c:2386
    #13 0xaaad73e07ac7 in qemu_kvm_cpu_thread_fn /home/qemu/cpus.c:1246
    #14 0xaaad74ab31db in qemu_thread_start util/qemu-thread-posix.c:519
    #15 0xfffc3a1678bb  (/lib64/libpthread.so.0+0x78bb)
    #16 0xfffc3a0a616b  (/lib64/libc.so.6+0xd616b)

previously allocated by thread T0 here:
    #0 0xfffc3c1031cb in __interceptor_malloc (/lib64/libasan.so.4+0xd31cb)
    #1 0xfffc3bbc7163 in g_malloc (/lib64/libglib-2.0.so.0+0x57163)
    #2 0xaaad745ccb57 in pci_bridge_region_init hw/pci/pci_bridge.c:188
    #3 0xaaad745cd8cb in pci_bridge_initfn hw/pci/pci_bridge.c:385
    #4 0xaaad745baaf3 in pci_bridge_dev_realize hw/pci-bridge/pci_bridge_dev.c:64
    #5 0xaaad745cacd7 in pci_qdev_realize hw/pci/pci.c:2095
    #6 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
    #7 0xaaad7485ed23 in property_set_bool qom/object.c:2102
    #8 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
    #9 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
    #10 0xaaad742a53b7 in qdev_device_add /home/qemu/qdev-monitor.c:675
    #11 0xaaad742a9c7b in device_init_func /home/qemu/vl.c:2074
    #12 0xaaad74ad4d33 in qemu_opts_foreach util/qemu-option.c:1170
    #13 0xaaad73d60c17 in main /home/qemu/vl.c:4313
    #14 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
    #15 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

Thread T1 created by T0 here:
    #0 0xfffc3c068f6f in __interceptor_pthread_create (/lib64/libasan.so.4+0x38f6f)
    #1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
    #2 0xaaad74adc6a7 in rcu_init_complete util/rcu.c:326
    #3 0xaaad74bab2a7 in __libc_csu_init (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x17cb2a7)
    #4 0xfffc39ff0b47 in __libc_start_main (/lib64/libc.so.6+0x20b47)
    #5 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

Thread T37 (CPU 0/KVM) created by T0 here:
    #0 0xfffc3c068f6f in __interceptor_pthread_create (/lib64/libasan.so.4+0x38f6f)
    #1 0xaaad74ab54ab in qemu_thread_create util/qemu-thread-posix.c:556
    #2 0xaaad73e09b0f in qemu_dummy_start_vcpu /home/qemu/cpus.c:2045
    #3 0xaaad73e09b0f in qemu_init_vcpu /home/qemu/cpus.c:2077
    #4 0xaaad740d36b7 in arm_cpu_realizefn /home/qemu/target/arm/cpu.c:1712
    #5 0xaaad7439d9f7 in device_set_realized hw/core/qdev.c:865
    #6 0xaaad7485ed23 in property_set_bool qom/object.c:2102
    #7 0xaaad74868f4b in object_property_set_qobject qom/qom-qobject.c:26
    #8 0xaaad74863a43 in object_property_set_bool qom/object.c:1360
    #9 0xaaad73fe3e67 in machvirt_init /home/qemu/hw/arm/virt.c:1682
    #10 0xaaad743acfc7 in machine_run_board_init hw/core/machine.c:1077
    #11 0xaaad73d60b73 in main /home/qemu/vl.c:4292
    #12 0xfffc39ff0b9f in __libc_start_main (/lib64/libc.so.6+0x20b9f)
    #13 0xaaad73d6db33  (/home/qemu/aarch64-softmmu/qemu-system-aarch64+0x98db33)

SUMMARY: AddressSanitizer: heap-use-after-free /home/qemu/memory.c:1771 in memory_region_unref
Shadow bytes around the buggy address:
  0x200f86340000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200f86340010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200f86340020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200f86340030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200f86340040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x200f86340050: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x200f86340060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200f86340070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200f86340080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200f86340090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200f863400a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1517174==ABORTING
2020-01-17 07:44:01.319+0000: shutting down, reason=crashed

^ permalink raw reply	[flat|nested] 2+ messages in thread