[Qemu-devel] [Bug 1840865] [NEW] qemu crashes when doing iotest on virtio-9p filesystem

[Qemu-devel] [Bug 1840865] [NEW] qemu crashes when doing iotest on virtio-9p filesystem

[fangying]

Public bug reported:

Qemu crashes when doing avocado-vt test on virtio-9p filesystem.
This bug can be reproduced running https://github.com/autotest/tp-qemu/blob/master/qemu/tests/9p.py.
The crash stack goes like:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  v9fs_mark_fids_unreclaim (pdu=pdu@entry=0xaaab00046868, path=path@entry=0xffff851e2fa8)
    at hw/9pfs/9p.c:505
#1  0x0000aaaae3585acc in v9fs_unlinkat (opaque=0xaaab00046868) at hw/9pfs/9p.c:2590
#2  0x0000aaaae3811c10 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>)
    at util/coroutine-ucontext.c:116
#3  0x0000ffffa13ddb20 in ?? () from /lib64/libc.so.6
Backtrace stopped: not enough registers or memory available to unwind further

A segment fault is triggered at hw/9pfs/9p.c line 505

    for (fidp = s->fid_list; fidp; fidp = fidp->next) {
        if (fidp->path.size != path->size) {     # fidp is invalid 
            continue;
        }

(gdb) p path
$10 = (V9fsPath *) 0xffff851e2fa8
(gdb) p *path
$11 = {size = 21, data = 0xaaaafed6f420 "./9p_test/p2a1/d0/f1"}
(gdb) p *fidp
Cannot access memory at address 0x101010101010101
(gdb) p *pdu
$12 = {size = 19, tag = 54, id = 76 'L', cancelled = 0 '\000', complete = {entries = {
      sqh_first = 0x0, sqh_last = 0xaaab00046870}}, s = 0xaaab000454b8, next = {
    le_next = 0xaaab000467c0, le_prev = 0xaaab00046f88}, idx = 88}
(gdb) 

Address Sanitizer shows error and saying that there is a heap-use-after-
free on *fidp*.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1840865

Title:
  qemu crashes when doing iotest on  virtio-9p filesystem

Status in QEMU:
  New

Bug description:
  Qemu crashes when doing avocado-vt test on virtio-9p filesystem.
  This bug can be reproduced running https://github.com/autotest/tp-qemu/blob/master/qemu/tests/9p.py.
  The crash stack goes like:

  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  v9fs_mark_fids_unreclaim (pdu=pdu@entry=0xaaab00046868, path=path@entry=0xffff851e2fa8)
      at hw/9pfs/9p.c:505
  #1  0x0000aaaae3585acc in v9fs_unlinkat (opaque=0xaaab00046868) at hw/9pfs/9p.c:2590
  #2  0x0000aaaae3811c10 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>)
      at util/coroutine-ucontext.c:116
  #3  0x0000ffffa13ddb20 in ?? () from /lib64/libc.so.6
  Backtrace stopped: not enough registers or memory available to unwind further

  A segment fault is triggered at hw/9pfs/9p.c line 505

      for (fidp = s->fid_list; fidp; fidp = fidp->next) {
          if (fidp->path.size != path->size) {     # fidp is invalid 
              continue;
          }

  (gdb) p path
  $10 = (V9fsPath *) 0xffff851e2fa8
  (gdb) p *path
  $11 = {size = 21, data = 0xaaaafed6f420 "./9p_test/p2a1/d0/f1"}
  (gdb) p *fidp
  Cannot access memory at address 0x101010101010101
  (gdb) p *pdu
  $12 = {size = 19, tag = 54, id = 76 'L', cancelled = 0 '\000', complete = {entries = {
        sqh_first = 0x0, sqh_last = 0xaaab00046870}}, s = 0xaaab000454b8, next = {
      le_next = 0xaaab000467c0, le_prev = 0xaaab00046f88}, idx = 88}
  (gdb) 

  Address Sanitizer shows error and saying that there is a heap-use-
  after-free on *fidp*.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1840865/+subscriptions

[Qemu-devel] [Bug 1840865] Re: qemu crashes when doing iotest on virtio-9p filesystem

[fangying]

** Description changed:

  Qemu crashes when doing avocado-vt test on virtio-9p filesystem.
- This bug can be reproduced running https://github.com/autotest/tp-qemu/blob/master/qemu/tests/9p.py.
+ This bug can be reproduced running https://github.com/autotest/tp-qemu/blob/master/qemu/tests/9p.py with the latest qemu-4.0.0.
  The crash stack goes like:
  
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  v9fs_mark_fids_unreclaim (pdu=pdu@entry=0xaaab00046868, path=path@entry=0xffff851e2fa8)
-     at hw/9pfs/9p.c:505
+     at hw/9pfs/9p.c:505
  #1  0x0000aaaae3585acc in v9fs_unlinkat (opaque=0xaaab00046868) at hw/9pfs/9p.c:2590
  #2  0x0000aaaae3811c10 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>)
-     at util/coroutine-ucontext.c:116
+     at util/coroutine-ucontext.c:116
  #3  0x0000ffffa13ddb20 in ?? () from /lib64/libc.so.6
  Backtrace stopped: not enough registers or memory available to unwind further
  
  A segment fault is triggered at hw/9pfs/9p.c line 505
  
-     for (fidp = s->fid_list; fidp; fidp = fidp->next) {
-         if (fidp->path.size != path->size) {     # fidp is invalid 
-             continue;
-         }
+     for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+         if (fidp->path.size != path->size) {     # fidp is invalid
+             continue;
+         }
  
  (gdb) p path
  $10 = (V9fsPath *) 0xffff851e2fa8
  (gdb) p *path
  $11 = {size = 21, data = 0xaaaafed6f420 "./9p_test/p2a1/d0/f1"}
  (gdb) p *fidp
  Cannot access memory at address 0x101010101010101
  (gdb) p *pdu
  $12 = {size = 19, tag = 54, id = 76 'L', cancelled = 0 '\000', complete = {entries = {
-       sqh_first = 0x0, sqh_last = 0xaaab00046870}}, s = 0xaaab000454b8, next = {
-     le_next = 0xaaab000467c0, le_prev = 0xaaab00046f88}, idx = 88}
- (gdb) 
+       sqh_first = 0x0, sqh_last = 0xaaab00046870}}, s = 0xaaab000454b8, next = {
+     le_next = 0xaaab000467c0, le_prev = 0xaaab00046f88}, idx = 88}
+ (gdb)
  
  Address Sanitizer shows error and saying that there is a heap-use-after-
  free on *fidp*.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1840865

Title:
  qemu crashes when doing iotest on  virtio-9p filesystem

Status in QEMU:
  New

Bug description:
  Qemu crashes when doing avocado-vt test on virtio-9p filesystem.
  This bug can be reproduced running https://github.com/autotest/tp-qemu/blob/master/qemu/tests/9p.py with the latest qemu-4.0.0.
  The crash stack goes like:

  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  v9fs_mark_fids_unreclaim (pdu=pdu@entry=0xaaab00046868, path=path@entry=0xffff851e2fa8)
      at hw/9pfs/9p.c:505
  #1  0x0000aaaae3585acc in v9fs_unlinkat (opaque=0xaaab00046868) at hw/9pfs/9p.c:2590
  #2  0x0000aaaae3811c10 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>)
      at util/coroutine-ucontext.c:116
  #3  0x0000ffffa13ddb20 in ?? () from /lib64/libc.so.6
  Backtrace stopped: not enough registers or memory available to unwind further

  A segment fault is triggered at hw/9pfs/9p.c line 505

      for (fidp = s->fid_list; fidp; fidp = fidp->next) {
          if (fidp->path.size != path->size) {     # fidp is invalid
              continue;
          }

  (gdb) p path
  $10 = (V9fsPath *) 0xffff851e2fa8
  (gdb) p *path
  $11 = {size = 21, data = 0xaaaafed6f420 "./9p_test/p2a1/d0/f1"}
  (gdb) p *fidp
  Cannot access memory at address 0x101010101010101
  (gdb) p *pdu
  $12 = {size = 19, tag = 54, id = 76 'L', cancelled = 0 '\000', complete = {entries = {
        sqh_first = 0x0, sqh_last = 0xaaab00046870}}, s = 0xaaab000454b8, next = {
      le_next = 0xaaab000467c0, le_prev = 0xaaab00046f88}, idx = 88}
  (gdb)

  Address Sanitizer shows error and saying that there is a heap-use-
  after-free on *fidp*.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1840865/+subscriptions

[Bug 1840865] Re: qemu crashes when doing iotest on virtio-9p filesystem

[Thomas Huth]

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/181


** Changed in: qemu
       Status: New => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #181
   https://gitlab.com/qemu-project/qemu/-/issues/181

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1840865

Title:
  qemu crashes when doing iotest on  virtio-9p filesystem

Status in QEMU:
  Expired

Bug description:
  Qemu crashes when doing avocado-vt test on virtio-9p filesystem.
  This bug can be reproduced running https://github.com/autotest/tp-qemu/blob/master/qemu/tests/9p.py with the latest qemu-4.0.0.
  The crash stack goes like:

  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  v9fs_mark_fids_unreclaim (pdu=pdu@entry=0xaaab00046868, path=path@entry=0xffff851e2fa8)
      at hw/9pfs/9p.c:505
  #1  0x0000aaaae3585acc in v9fs_unlinkat (opaque=0xaaab00046868) at hw/9pfs/9p.c:2590
  #2  0x0000aaaae3811c10 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>)
      at util/coroutine-ucontext.c:116
  #3  0x0000ffffa13ddb20 in ?? () from /lib64/libc.so.6
  Backtrace stopped: not enough registers or memory available to unwind further

  A segment fault is triggered at hw/9pfs/9p.c line 505

      for (fidp = s->fid_list; fidp; fidp = fidp->next) {
          if (fidp->path.size != path->size) {     # fidp is invalid
              continue;
          }

  (gdb) p path
  $10 = (V9fsPath *) 0xffff851e2fa8
  (gdb) p *path
  $11 = {size = 21, data = 0xaaaafed6f420 "./9p_test/p2a1/d0/f1"}
  (gdb) p *fidp
  Cannot access memory at address 0x101010101010101
  (gdb) p *pdu
  $12 = {size = 19, tag = 54, id = 76 'L', cancelled = 0 '\000', complete = {entries = {
        sqh_first = 0x0, sqh_last = 0xaaab00046870}}, s = 0xaaab000454b8, next = {
      le_next = 0xaaab000467c0, le_prev = 0xaaab00046f88}, idx = 88}
  (gdb)

  Address Sanitizer shows error and saying that there is a heap-use-
  after-free on *fidp*.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1840865/+subscriptions