From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: "Alex Bennée" <alex.bennee@linaro.org>
Cc: fam@euphon.net, berrange@redhat.com,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Bug 1878645 <1878645@bugs.launchpad.net>,
	richard.henderson@linaro.org, qemu-devel@nongnu.org,
	cota@braap.org, Paolo Bonzini <pbonzini@redhat.com>,
	aurelien@aurel32.net
Subject: Re: [PATCH v4 01/40] hw/isa: check for current_cpu before generating IRQ
Date: Wed, 1 Jul 2020 19:37:43 +0200	[thread overview]
Message-ID: <bc418946-9d67-6efa-d6c7-dd2d8c5d757c@redhat.com> (raw)
In-Reply-To: <ef90b1f6-715a-8e38-069a-8c919b14d9b8@redhat.com>

On 7/1/20 7:34 PM, Philippe Mathieu-Daudé wrote:
> +Paolo
> 
> On 7/1/20 7:09 PM, Alex Bennée wrote:
>> Philippe Mathieu-Daudé <philmd@redhat.com> writes:
>>> On 7/1/20 6:40 PM, Alex Bennée wrote:
>>>> Philippe Mathieu-Daudé <philmd@redhat.com> writes:
>>>>
>>>>> On 7/1/20 3:56 PM, Alex Bennée wrote:
>>>>>> It's possible to trigger this function from qtest/monitor at which
>>>>>> point current_cpu won't point at the right place. Check it and
>>>>>> fall back to first_cpu if it's NULL.
>>>>>>
>>>>>> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
>>>>>> Cc: Bug 1878645 <1878645@bugs.launchpad.net>
>>>>>> ---
>>>>>>  hw/isa/lpc_ich9.c | 2 +-
>>>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/hw/isa/lpc_ich9.c b/hw/isa/lpc_ich9.c
>>>>>> index cd6e169d47a..791c878eb0b 100644
>>>>>> --- a/hw/isa/lpc_ich9.c
>>>>>> +++ b/hw/isa/lpc_ich9.c
>>>>>> @@ -439,7 +439,7 @@ static void ich9_apm_ctrl_changed(uint32_t val, void *arg)
>>>>>>                  cpu_interrupt(cs, CPU_INTERRUPT_SMI);
>>>>>>              }
>>>>>>          } else {
>>>>>> -            cpu_interrupt(current_cpu, CPU_INTERRUPT_SMI);
>>>>>> +            cpu_interrupt(current_cpu ? current_cpu : first_cpu, CPU_INTERRUPT_SMI);
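Review bot: the `current_cpu ? current_cpu : first_cpu` fallback in the else branch still dereferences NULL when first_cpu is also NULL, which is exactly the state under the qtest accelerator (no vCPU created) and with the none machine, so the fuzzer-reported crash in tcg_handle_interrupt stays reachable. The underlying problem is that current_cpu is a __thread variable that is only valid inside cpu_exec(), and here it is read from the I/O thread when the port 0xb2 write comes in from qtest or the monitor. Suggest resolving the target once and skipping the interrupt when there is none, e.g. `CPUState *cs = current_cpu ? current_cpu : first_cpu; if (cs) { cpu_interrupt(cs, CPU_INTERRUPT_SMI); }`, or handling it like the `cpu_interrupt(cs, CPU_INTERRUPT_SMI);` branch above, which already works on an explicit CPUState. The added line is also over 80 columns, which checkpatch.pl will flag.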
>>>>>
>>>>> I'm not sure this change anything, as first_cpu is NULL when using
>>>>> qtest accelerator or none-machine, see 508b4ecc39 ("gdbstub.c: fix
>>>>> GDB connection segfault caused by empty machines").
>>>>
>>>> Good point - anyway feel free to ignore - it shouldn't have been in this
>>>> series. It was just some random experimentation I was doing when looking
>>>> at that bug.
>>>
>>> See commit c781a2cc42 ("hw/i386/vmport: Allow QTest use without
>>> crashing") for a similar approach, but here I was thinking about
>>> a more generic fix, not very intrusive:
>>>
>>> -- >8 --
>>> diff --git a/hw/isa/apm.c b/hw/isa/apm.c
>>> index bce266b957..809afeb3e4 100644
>>> --- a/hw/isa/apm.c
>>> +++ b/hw/isa/apm.c
>>> @@ -40,7 +40,7 @@ static void apm_ioport_writeb(void *opaque, hwaddr
>>> addr, uint64_t val,
>>>      if (addr == 0) {
>>>          apm->apmc = val;
>>>
>>> -        if (apm->callback) {
>>> +        if (apm->callback && !qtest_enabled()) {
>>>              (apm->callback)(val, apm->arg);
>>>          }
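Review bot: gating the callback on `!qtest_enabled()` only closes the qtest path; the same apm_ioport_writeb() write is reachable from the monitor, where current_cpu is equally unset, so the NULL dereference in ich9_apm_ctrl_changed() remains and the check sits at the wrong layer (the unsafe read of current_cpu is in the callback, not in the port write). It also silently drops the APM callback for every qtest rather than fixing the caller, changing device behaviour for any test that writes port 0xb2. If the gate is kept anyway, confirm hw/isa/apm.c already includes "sysemu/qtest.h", since the hunk does not add it.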
>>
>> But the other failure mode reported on the bug thread was via the
>> monitor - so I'm not sure just checking for qtest catches that.
> 
> Ah indeed.
> 
> in exec.c:
> 
> /* current CPU in the current thread. It is only valid inside
>    cpu_exec() */
> __thread CPUState *current_cpu;
> 
> Maybe we shouldn't use current_cpu out of exec.c...

I meant, out of cpu_exec(), a cpu thread. Here we access it
from an I/O thread.
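
The thread-local semantics behind this exchange, as an added illustration that is not QEMU code and not part of the original thread: a __thread pointer assigned on a vCPU thread (what cpu_exec() does) is still NULL when read from the I/O thread, and the `current_cpu ? current_cpu : first_cpu` fallback only helps once a vCPU exists. CPUState, CPU_INTERRUPT_SMI, the cpu_interrupt_unchecked()/raise_smi_safe() helpers and the scenario function are stand-ins chosen for the example, not QEMU's definitions.

```c
/*
 * Added illustration, not QEMU code: why reading the thread-local
 * current_cpu from the I/O thread yields NULL, and why falling back to
 * first_cpu does not help when no vCPU exists (qtest accelerator).
 * CPUState, CPU_INTERRUPT_SMI and the helper names are stand-ins.
 * Build with: cc -pthread example.c
 */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

typedef struct CPUState {
    int cpu_index;
    unsigned int interrupt_request;
} CPUState;

#define CPU_INTERRUPT_SMI 0x0004   /* value assumed for the example */

/* As in exec.c: one copy per thread, only ever set by the vCPU thread. */
static __thread CPUState *current_cpu;
/* As in QEMU: NULL until the first vCPU is created. */
static CPUState *first_cpu;

/* Models the original else-branch: no NULL check, crashes if cs == NULL. */
static int cpu_interrupt_unchecked(CPUState *cs, unsigned int mask)
{
    cs->interrupt_request |= mask;
    return cs->cpu_index;
}

/* Hardened variant: resolve the target once, do nothing if there is none. */
static int raise_smi_safe(void)
{
    CPUState *cs = current_cpu ? current_cpu : first_cpu;
    if (cs == NULL) {
        return -1;          /* no vCPU to interrupt (qtest / none machine) */
    }
    cs->interrupt_request |= CPU_INTERRUPT_SMI;
    return cs->cpu_index;
}

/* vCPU thread: binds its own current_cpu, as cpu_exec() does; the
 * unchecked call is fine here because current_cpu is set on this thread. */
static void *vcpu_thread_fn(void *arg)
{
    current_cpu = arg;
    cpu_interrupt_unchecked(current_cpu, CPU_INTERRUPT_SMI);
    return NULL;
}

/* I/O thread: runs a vCPU thread to completion, then reads its *own*
 * current_cpu, which the vCPU thread's assignment never touched. */
static CPUState *current_cpu_seen_from_io_thread(CPUState *vcpu)
{
    pthread_t tid;
    if (pthread_create(&tid, NULL, vcpu_thread_fn, vcpu) != 0) {
        return vcpu;        /* cannot demonstrate; report as a failure */
    }
    pthread_join(tid, NULL);
    return current_cpu;
}

/* Replays the bug scenario; returns 0 if every expectation holds. */
static int scenario_qtest_like(void)
{
    static CPUState cpu0;
    cpu0.cpu_index = 0;
    cpu0.interrupt_request = 0;
    first_cpu = NULL;                          /* qtest: no vCPU created */

    if (current_cpu_seen_from_io_thread(&cpu0) != NULL) {
        return 1;   /* the I/O thread's __thread copy must still be NULL */
    }
    if (cpu0.interrupt_request != CPU_INTERRUPT_SMI) {
        return 2;   /* the vCPU thread did raise the SMI on its own CPU */
    }
    if (raise_smi_safe() != -1) {
        return 3;   /* both pointers NULL: the original code would crash here */
    }
    first_cpu = &cpu0;                         /* now a vCPU exists */
    if (raise_smi_safe() != 0) {
        return 4;   /* the first_cpu fallback only works once it is non-NULL */
    }
    return 0;
}

int main(void)
{
    int rc = scenario_qtest_like();
    printf("scenario_qtest_like: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The scenario mirrors the reproducer in the bug: with the qtest accelerator there is no vCPU thread at all, so both current_cpu (on the I/O thread) and first_cpu are NULL and the unchecked cpu_interrupt() call is the crash; the safe variant turns that into a no-op instead.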



WARNING: multiple messages have this Message-ID
From: "Philippe Mathieu-Daudé" <1878645@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1878645] Re: [PATCH v4 01/40] hw/isa: check for current_cpu before generating IRQ
Date: Wed, 01 Jul 2020 17:37:43 -0000	[thread overview]
Message-ID: <bc418946-9d67-6efa-d6c7-dd2d8c5d757c@redhat.com> (raw)
Message-ID: <20200701173743.JJmINFCnkhX5lNBeWopM53zVoot9MGmqPH7vzzA7rZc@z> (raw)
In-Reply-To: ef90b1f6-715a-8e38-069a-8c919b14d9b8@redhat.com
-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878645

Title:
  null-ptr dereference in ich9_apm_ctrl_changed

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input which triggers a NULL pointer dereference in
  tcg_handle_interrupt. It seems the culprit is a "cpu" pointer - maybe this bug
  is specific to QTest?

  ==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 (pc 0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0)
  ==23862==The signal is caused by a READ memory access.
  ==23862==Hint: address points to the zero page.
      #0 0x55b9dc7c9dce in tcg_handle_interrupt /home/alxndr/Development/qemu/accel/tcg/tcg-all.c:57:21
      #1 0x55b9dc904799 in cpu_interrupt /home/alxndr/Development/qemu/include/hw/core/cpu.h:872:5
      #2 0x55b9dc9085e8 in ich9_apm_ctrl_changed /home/alxndr/Development/qemu/hw/isa/lpc_ich9.c:442:13
      #3 0x55b9dd19cdc8 in apm_ioport_writeb /home/alxndr/Development/qemu/hw/isa/apm.c:50:13
      #4 0x55b9dc73f8b4 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
      #5 0x55b9dc73f289 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
      #6 0x55b9dc73ddf5 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
      #7 0x55b9dc577bf3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
      #8 0x55b9dc567ad8 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
      #9 0x55b9dc567608 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
      #10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c:60:5
      #11 0x55b9dc72d3c0 in qtest_process_command /home/alxndr/Development/qemu/qtest.c:392:13
      #12 0x55b9dc72b186 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
      #13 0x55b9dc72a8b3 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
      #14 0x55b9ddc6e60b in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
      #15 0x55b9ddc6e75a in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
      #16 0x55b9ddc77979 in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
      #17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
      #18 0x7f7161eac897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
      #19 0x55b9ddebcb84 in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
      #20 0x55b9ddebb57d in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
      #21 0x55b9ddebb176 in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
      #22 0x55b9dcb4bd1d in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
      #23 0x55b9ddd1629c in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
      #24 0x7f7160a5ce0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
      #25 0x55b9dc49c819 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819)

  
  I can reproduce this in qemu 5.0 built with AddressSanitizer using these qtest commands:

  cat << EOF | ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xaa215d6d
  outl 0x6d30 0x2ef8ffbe
  outb 0xb2 0x20
  EOF

  Please let me know if I can provide any further info.
  -Alex




Thread overview: 98+ messages
2020-07-01 13:56 [PATCH v4 00/40] testing/next (vm, gitlab, fixes) Alex Bennée
2020-07-01 13:56 ` [PATCH v4 01/40] hw/isa: check for current_cpu before generating IRQ Alex Bennée
2020-07-01 13:56   ` [Bug 1878645] " Alex Bennée
2020-07-01 15:51   ` Philippe Mathieu-Daudé
2020-07-01 15:51     ` [Bug 1878645] " Philippe Mathieu-Daudé
2020-07-01 16:40     ` Alex Bennée
2020-07-01 16:40       ` [Bug 1878645] " Alex Bennée
2020-07-01 16:47       ` Philippe Mathieu-Daudé
2020-07-01 16:47         ` [Bug 1878645] " Philippe Mathieu-Daudé
2020-07-01 17:09         ` Alex Bennée
2020-07-01 17:09           ` [Bug 1878645] " Alex Bennée
2020-07-01 17:34           ` Philippe Mathieu-Daudé
2020-07-01 17:34             ` [Bug 1878645] " Philippe Mathieu-Daudé
2020-07-01 17:37             ` Philippe Mathieu-Daudé [this message]
2020-07-01 17:37               ` Philippe Mathieu-Daudé
2020-07-01 17:48               ` Philippe Mathieu-Daudé
2020-07-01 17:48                 ` [Bug 1878645] " Philippe Mathieu-Daudé
2020-07-01 18:13                 ` Philippe Mathieu-Daudé
2020-07-01 18:13                   ` [Bug 1878645] " Philippe Mathieu-Daudé
2020-07-01 13:56 ` [PATCH v4 02/40] iotests: Fix 051 output after qdev_init_nofail() removal Alex Bennée
2020-07-01 13:56 ` [PATCH v4 03/40] crypto/linux_keyring: fix 'secret_keyring' configure test Alex Bennée
2020-07-01 13:56 ` [PATCH v4 04/40] util/coroutine: Cleanup start_switch_fiber_ for TSAN Alex Bennée
2020-07-01 13:56 ` [PATCH v4 05/40] tests/vm: pass args through to BaseVM's __init__ Alex Bennée
2020-07-01 13:56 ` [PATCH v4 06/40] tests/vm: Add configuration to basevm.py Alex Bennée
2020-07-01 13:56 ` [PATCH v4 07/40] tests/vm: Added configuration file support Alex Bennée
2020-07-01 13:56 ` [PATCH v4 08/40] tests/vm: Add common Ubuntu python module Alex Bennée
2020-07-01 13:56 ` [PATCH v4 09/40] tests/vm: Added a new script for ubuntu.aarch64 Alex Bennée
2020-07-01 13:56 ` [PATCH v4 10/40] tests/vm: Added a new script for centos.aarch64 Alex Bennée
2020-07-01 13:56 ` [PATCH v4 11/40] tests/vm: change scripts to use self._config Alex Bennée
2020-07-10 18:16   ` Alex Bennée
2020-07-01 13:56 ` [PATCH v4 12/40] python/qemu: Add ConsoleSocket for optional use in QEMUMachine Alex Bennée
2020-07-01 13:56 ` [PATCH v4 13/40] tests/vm: Add workaround to consume console Alex Bennée
2020-07-01 13:56 ` [PATCH v4 14/40] tests/vm: switch from optsparse to argparse Alex Bennée
2020-07-01 13:56 ` [PATCH v4 15/40] tests/vm: allow us to take advantage of MTTCG Alex Bennée
2020-07-01 13:56 ` [PATCH v4 16/40] tests/docker: check for an parameters not empty string Alex Bennée
2020-07-01 13:56 ` [PATCH v4 17/40] tests/docker: change tag naming scheme of our images Alex Bennée
2020-07-01 13:56 ` [PATCH v4 18/40] .gitignore: un-ignore .gitlab-ci.d Alex Bennée
2020-07-01 13:56 ` [PATCH v4 19/40] gitlab-ci: Fix the change rules after moving the YML files Alex Bennée
2020-07-01 13:56 ` [PATCH v4 20/40] gitlab: introduce explicit "container" and "build" stages Alex Bennée
2020-07-01 13:56 ` [PATCH v4 21/40] gitlab: build all container images during CI Alex Bennée
2020-07-01 13:56 ` [PATCH v4 22/40] gitlab: convert jobs to use custom built containers Alex Bennée
2020-07-01 13:56 ` [PATCH v4 23/40] gitlab: build containers with buildkit and metadata Alex Bennée
2020-07-01 13:56 ` [PATCH v4 24/40] tests/docker: add --registry support to tooling Alex Bennée
2020-07-01 13:56 ` [PATCH v4 25/40] tests/docker: add packages needed for check-acceptance Alex Bennée
2020-07-01 13:56 ` [PATCH v4 26/40] tests/acceptance: skip s390x_ccw_vrtio_tcg on GitLab Alex Bennée
2020-07-01 13:56 ` [PATCH v4 27/40] tests/acceptance: fix dtb path for machine_rx_gdbsim Alex Bennée
2020-07-01 15:55   ` Philippe Mathieu-Daudé
2020-07-01 13:56 ` [PATCH v4 28/40] tests/acceptance: skip multicore mips_malta tests on GitLab Alex Bennée
2020-07-01 15:56   ` Philippe Mathieu-Daudé
2020-07-01 16:43     ` Alex Bennée
2020-07-01 17:01       ` Philippe Mathieu-Daudé
2020-07-02  3:06         ` Jiaxun Yang
2020-07-02  1:05   ` Aleksandar Markovic
2020-07-02  7:46     ` Alex Bennée
2020-07-01 13:56 ` [PATCH v4 29/40] tests/acceptance: skip LinuxInitrd 2gib with v4.16 " Alex Bennée
2020-07-01 15:57   ` Philippe Mathieu-Daudé
2020-07-01 13:56 ` [PATCH v4 30/40] gitlab: add acceptance testing to system builds Alex Bennée
2020-07-01 13:56 ` [PATCH v4 31/40] tests/tcg: add more default compilers to configure.sh Alex Bennée
2020-07-01 13:56 ` [PATCH v4 32/40] tests/docker: add a linux-user testing focused image Alex Bennée
2020-07-01 13:56 ` [PATCH v4 33/40] linux-user/elfload: use MAP_FIXED_NOREPLACE in pgb_reserved_va Alex Bennée
2020-07-01 13:56 ` [PATCH v4 34/40] gitlab: enable check-tcg for linux-user tests Alex Bennée
2020-07-01 13:56 ` [PATCH v4 35/40] gitlab: add avocado asset caching Alex Bennée
2020-07-01 13:56 ` [PATCH v4 36/40] gitlab: split build-disabled into two phases Alex Bennée
2020-07-10 13:16   ` Thomas Huth
2020-07-10 14:58     ` Alex Bennée
2020-07-10 16:01       ` Philippe Mathieu-Daudé
2020-07-10 16:26         ` Alex Bennée
2020-07-10 16:53           ` Philippe Mathieu-Daudé
2020-07-01 13:56 ` [PATCH v4 37/40] gitlab: limit re-builds of the containers Alex Bennée
2020-07-01 13:56 ` [PATCH v4 38/40] containers.yml: build with docker.py tooling Alex Bennée
2020-07-01 13:56 ` [PATCH v4 39/40] testing: add check-build target Alex Bennée
2020-07-01 15:59   ` Philippe Mathieu-Daudé
2020-07-01 13:56 ` [PATCH v4 40/40] shippable: pull images from registry instead of building Alex Bennée
  -- strict thread matches above, loose matches on Subject: below --
2020-07-01 18:21 [RFC PATCH] cpus: Initialize current_cpu with the first vCPU created Philippe Mathieu-Daudé
2020-07-01 18:21 ` [Bug 1878645] " Philippe Mathieu-Daudé
2020-07-01 18:54 ` Alexander Bulekov
2020-07-01 18:54   ` [Bug 1878645] " Alexander Bulekov
2020-07-01 20:35 ` Peter Maydell
2020-07-01 20:35   ` [Bug 1878645] " Peter Maydell
2020-07-02  7:55   ` Philippe Mathieu-Daudé
2020-07-02  7:55     ` [Bug 1878645] " Philippe Mathieu-Daudé
2020-07-02  9:52   ` Paolo Bonzini
2020-07-02 10:49     ` Alex Bennée
2020-07-02 10:49       ` [Bug 1878645] " Alex Bennée
2020-09-07 20:35   ` Alexander Bulekov
2020-09-08  6:33     ` Paolo Bonzini
2020-09-08  6:39       ` Philippe Mathieu-Daudé
2020-09-08 11:43         ` Paolo Bonzini
2020-05-14 16:07 [Bug 1878645] [NEW] null-ptr dereference in tcg_handle_interrupt Alexander Bulekov
2020-06-29 16:03 ` [Bug 1878645] " Alexander Bulekov
2020-06-29 19:00   ` Alex Bennée
2020-06-29 19:00     ` Alex Bennée
2020-06-29 20:08     ` Alexander Bulekov
2020-06-29 20:08       ` Alexander Bulekov
2020-06-29 17:57 ` [Bug 1878645] Re: null-ptr dereference in ich9_apm_ctrl_changed Philippe Mathieu-Daudé
2020-10-22 14:15 ` Philippe Mathieu-Daudé
2021-08-21  4:08 ` Alexander Bulekov
2021-08-21  6:13 ` Thomas Huth
