qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [Bug 1813398] Re: qemu user calls malloc after fork in multi-threaded process
From: Szabolcs Nagy @ 2019-01-26 13:57 UTC (permalink / raw)
  To: qemu-devel

** Also affects: qemu
   Importance: Undecided
       Status: New

** No longer affects: qemu (Ubuntu)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1813398

Title:
  qemu user calls malloc after fork in multi-threaded process

Status in QEMU:
  New

Bug description:
  qemu user may hang in malloc on a musl-based system because
  it calls malloc after fork (in a pthread_atfork handler)
  in the child process.

  This is undefined behaviour since the parent process is
  multi-threaded and only AS-safe functions may be called
  in the child then. (If malloc/free is called concurrently
  with fork, the malloc state will be corrupted in the child.
  It works on glibc because glibc takes the malloc locks
  before the fork syscall, but that breaks the AS-safety of
  fork and is thus non-conforming to POSIX.)

  Discussed at
  https://www.openwall.com/lists/musl/2019/01/26/1

  The bug is hard to reproduce (it requires the call_rcu thread
  to call free concurrently with do_fork in the main thread);
  this one was observed with qemu-arm 3.1.0 running on x86_64
  executing an arm busybox sh:

  (gdb) bt
  #0  malloc (n=<optimized out>, n@entry=9) at src/malloc/malloc.c:306
  #1  0x0000000060184ad3 in g_malloc (n_bytes=n_bytes@entry=9) at gmem.c:99
  #2  0x000000006018bcab in g_strdup (str=<optimized out>, str@entry=0x60200abf "call_rcu") at gstrfuncs.c:363
  #3  0x000000006016e31d in qemu_thread_create (thread=thread@entry=0x7ffe367d1870, name=name@entry=0x60200abf "call_rcu", 
      start_routine=start_routine@entry=0x60174c00 <call_rcu_thread>, arg=arg@entry=0x0, mode=mode@entry=1)
      at /home/pmos/build/src/qemu-3.1.0/util/qemu-thread-posix.c:526
  #4  0x0000000060174b99 in rcu_init_complete () at /home/pmos/build/src/qemu-3.1.0/util/rcu.c:327
  #5  0x00000000601c4fac in __fork_handler (who=1) at src/thread/pthread_atfork.c:26
  #6  0x00000000601be8db in fork () at src/process/fork.c:33
  #7  0x000000006009d191 in do_fork (env=0x627aaed0, flags=flags@entry=17, newsp=newsp@entry=0, parent_tidptr=parent_tidptr@entry=0, 
      newtls=newtls@entry=0, child_tidptr=child_tidptr@entry=0) at /home/pmos/build/src/qemu-3.1.0/linux-user/syscall.c:5528
  #8  0x00000000600af894 in do_syscall1 (cpu_env=cpu_env@entry=0x627aaed0, num=num@entry=2, arg1=arg1@entry=0, arg2=arg2@entry=-8700192, 
      arg3=<optimized out>, arg4=8, arg5=1015744, arg6=-74144, arg7=0, arg8=0) at /home/pmos/build/src/qemu-3.1.0/linux-user/syscall.c:7042
  #9  0x00000000600a835c in do_syscall (cpu_env=cpu_env@entry=0x627aaed0, num=2, arg1=0, arg2=-8700192, arg3=<optimized out>, 
      arg4=<optimized out>, arg5=1015744, arg6=-74144, arg7=0, arg8=0) at /home/pmos/build/src/qemu-3.1.0/linux-user/syscall.c:11533
  #10 0x00000000600c265f in cpu_loop (env=env@entry=0x627aaed0) at /home/pmos/build/src/qemu-3.1.0/linux-user/arm/cpu_loop.c:360
  #11 0x00000000600417a2 in main (argc=<optimized out>, argv=0x7ffe367d57b8, envp=<optimized out>)
      at /home/pmos/build/src/qemu-3.1.0/linux-user/main.c:819

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1813398/+subscriptions


* [Qemu-devel] [Bug 1813398] Re: qemu user calls malloc after fork in multi-threaded process
From: Bugdal @ 2019-02-07 17:35 UTC (permalink / raw)
  To: qemu-devel

I'm not sure how extensively the RCU code is used (it looks like not
much), but I don't think this bug is fixable without disabling it, or at
least getting rid of the RCU thread in cases where the emulated process
is not multithreaded.


* [Qemu-devel] [Bug 1813398] Re: qemu user calls malloc after fork in multi-threaded process
From: Szabolcs Nagy @ 2019-02-10 12:51 UTC (permalink / raw)
  To: qemu-devel

Note that the bug affects qemu-user on a glibc system too in case
malloc is interposed: glibc can only take the internal locks of
its own malloc implementation; any other malloc has the same issue
as musl's after fork.

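The following is an added example, not code from QEMU, musl or the reporter. It reproduces the shape of the backtrace in the bug description (a pthread_atfork child handler that calls strdup while another thread is busy in malloc/free) next to a variant that does the allocation in the prepare handler, where the process is still the multi-threaded parent and malloc is legal. It also serves the note above about interposed allocators: the same binary can be run under LD_PRELOAD with a different malloc. Every name in it (fork_stress, allocator_worker, thread_name, the pipe-based watchdog and its timeout) is this example's own, not QEMU's.

```c
/* Build: cc -O2 -Wall -pthread fork_malloc_race.c -o fork_malloc_race */
#define _GNU_SOURCE
#include <poll.h>
#include <pthread.h>
#include <signal.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Which variant the atfork handlers run (set by fork_stress()):
 *   1 = malloc inside the child handler, the pattern in the QEMU backtrace
 *   0 = allocate in the prepare handler (parent, all threads alive) and
 *       only consume that memory in the child handler */
static atomic_int malloc_in_child_handler;
static atomic_int worker_stop;
static char *thread_name;               /* stands in for g_strdup("call_rcu") */
static pthread_once_t atfork_once = PTHREAD_ONCE_INIT;

static void atfork_prepare(void)
{
    if (!atomic_load(&malloc_in_child_handler)) {
        thread_name = strdup("call_rcu"); /* fine: we are still the parent */
    }
}

static void atfork_parent(void)
{
    free(thread_name);                    /* fine: parent, allocator intact */
    thread_name = NULL;
}

static void atfork_child(void)
{
    if (atomic_load(&malloc_in_child_handler)) {
        /* Undefined behaviour: the allocator lock may have been held by the
         * worker thread at the moment of fork(), and that thread no longer
         * exists in the child, so this call can block forever. */
        thread_name = strdup("call_rcu");
    }
    /* Either way the child only reads thread_name from here on; it is
     * deliberately never freed in the child, since free() is not AS-safe. */
}

static void register_atfork(void)
{
    pthread_atfork(atfork_prepare, atfork_parent, atfork_child);
}

/* Keeps the allocator busy so that fork() regularly lands while another
 * thread is inside malloc()/free(), like QEMU's call_rcu thread. */
static void *allocator_worker(void *arg)
{
    (void)arg;
    while (!atomic_load(&worker_stop)) {
        free(malloc(64));
    }
    return NULL;
}

/* Forks `iterations` children while the worker hammers the allocator.
 * Each child reports back over a pipe after the atfork child handler has
 * run; a child that does not report within timeout_ms is SIGKILLed and
 * counted.  Returns that count (0 = no child got stuck), or -1 on a setup
 * error. */
int fork_stress(int use_malloc_in_child, int iterations, int timeout_ms)
{
    pthread_once(&atfork_once, register_atfork);
    atomic_store(&malloc_in_child_handler, use_malloc_in_child);
    atomic_store(&worker_stop, 0);

    pthread_t worker;
    if (pthread_create(&worker, NULL, allocator_worker, NULL) != 0) {
        return -1;
    }

    int stuck = 0;
    for (int i = 0; i < iterations; i++) {
        int fd[2];
        if (pipe(fd) != 0) { stuck = -1; break; }
        pid_t pid = fork();               /* runs atfork_child() in the child */
        if (pid < 0) { close(fd[0]); close(fd[1]); stuck = -1; break; }
        if (pid == 0) {
            /* Child: only AS-safe calls from here until _exit(). */
            close(fd[0]);
            char ok = thread_name ? thread_name[0] : '?';
            if (write(fd[1], &ok, 1) != 1) _exit(2);
            _exit(0);
        }
        close(fd[1]);
        struct pollfd pfd = { .fd = fd[0], .events = POLLIN };
        char reply;
        if (poll(&pfd, 1, timeout_ms) <= 0 || read(fd[0], &reply, 1) != 1) {
            stuck++;
            kill(pid, SIGKILL);
        }
        close(fd[0]);
        waitpid(pid, NULL, 0);
    }

    atomic_store(&worker_stop, 1);
    pthread_join(worker, NULL);
    return stuck;
}

int main(void)
{
    int safe = fork_stress(0, 200, 2000);
    int unsafe = fork_stress(1, 200, 2000);
    printf("allocation in prepare handler: %d stuck children\n", safe);
    printf("malloc in child handler:       %d stuck children\n", unsafe);
    return safe == 0 ? 0 : 1;
}
```

On glibc with its own malloc both variants report 0 stuck children, because glibc's fork takes the allocator locks in its prepare step; that is precisely the non-conforming behaviour the report describes, so a clean run on glibc proves nothing about the child handler. Run the binary on musl, or on glibc with an allocator interposed via LD_PRELOAD, and the "malloc in child handler" variant can stall until the watchdog kills it. The prepare-handler variant only removes the g_strdup allocation that is visible in the backtrace; pthread_create itself is not AS-safe either, which is why the thread creation in rcu_init_complete is the harder part of the problem and why Bugdal's suggestion above is about not having the RCU thread at all rather than about where the name string is allocated.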

* [Bug 1813398] Re: qemu user calls malloc after fork in multi-threaded process
From: Thomas Huth @ 2021-04-20  8:07 UTC (permalink / raw)
  To: qemu-devel

The QEMU project is currently considering moving its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now.
If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience.

** Changed in: qemu
       Status: New => Incomplete


* [Bug 1813398] Re: qemu user calls malloc after fork in multi-threaded process
From: Launchpad Bug Tracker @ 2021-06-20  4:17 UTC (permalink / raw)
  To: qemu-devel

[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
       Status: Incomplete => Expired

