Alexander Bulekov <alx...@bu.edu> 于2020年8月13日周四 上午12:56写道: > > On 200813 0024, Li Qiang wrote: > > Alexander Bulekov <1891...@bugs.launchpad.net> 于2020年8月13日周四 上午12:21写道: > > > > > > Public bug reported: > > > > > > Hello, > > > Reproducer: > > > > > > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \ > > > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \ > > > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \ > > > -nodefaults -nographic -qtest stdio > > > outl 0xcf8 0x80001010 > > > outl 0xcfc 0xc0202 > > > outl 0xcf8 0x80001004 > > > outl 0xcfc 0x1c77695e > > > writel 0xc0040 0xffffd855 > > > writeq 0xc2000 0xff05140100000000 > > > write 0x1d 0x1 0x27 > > > write 0x2d 0x1 0x2e > > > write 0x17232 0x1 0x03 > > > write 0x17254 0x1 0x05 > > > write 0x17276 0x1 0x72 > > > write 0x17278 0x1 0x02 > > > write 0x3d 0x1 0x27 > > > write 0x40 0x1 0x2e > > > write 0x41 0x1 0x72 > > > write 0x42 0x1 0x01 > > > write 0x4d 0x1 0x2e > > > write 0x4f 0x1 0x01 > > > write 0x2007c 0x1 0xc7 > > > writeq 0xc2000 0x5c05140100000000 > > > write 0x20070 0x1 0x80 > > > write 0x20078 0x1 0x08 > > > write 0x2007c 0x1 0xfe > > > write 0x2007d 0x1 0x08 > > > write 0x20081 0x1 0xff > > > write 0x20082 0x1 0x0b > > > write 0x20089 0x1 0x8c > > > write 0x2008d 0x1 0x04 > > > write 0x2009d 0x1 0x10 > > > writeq 0xc2000 0x2505ef019e092f00 > > > EOF > > > > > > 20091==ERROR: AddressSanitizer: heap-use-after-free on address > > > 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8 > > > READ of size 4 at 0x611000045030 thread T0 > > > #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28 > > > #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5 > > > #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5 > > > #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9 > > > #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13 > > > #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13 > > > #6 0x55db792c6b8e in memory_region_write_accessor > > > softmmu/memory.c:483:5 > > > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18 > > > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c > > > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 > > > #10 0x55db78cfee6b in flatview_write exec.c:3216:14 > > > #11 0x55db78cfee6b in address_space_write exec.c:3308:18 > > > #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13 > > > #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9 > > > #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9 > > > #15 0x7fc5d7f1a897 in g_main_context_dispatch > > > #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9 > > > #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5 > > > #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11 > > > #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9 > > > #20 0x55db7a8860fd in main softmmu/main.c:49:5 > > > > > > 0x611000045030 is located 48 bytes inside of 256-byte region > > > [0x611000045000,0x611000045100) > > > freed by thread T0 here: > > > #0 0x55db78cac16d in free > > > (build/i386-softmmu/qemu-system-i386+0x250e16d) > > > #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9 > > > #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5 > > > #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13 > > > #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9 > > > #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13 > > > #6 0x55db792c6b8e in memory_region_write_accessor > > > softmmu/memory.c:483:5 > > > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18 > > > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c > > > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 > > > #10 0x55db78cfee6b in flatview_write exec.c:3216:14 > > > #11 0x55db78cfee6b in address_space_write exec.c:3308:18 > > > #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9 > > > #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5 > > > #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9 > > > #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5 > > > #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5 > > > #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9 > > > #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13 > > > #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13 > > > #20 0x55db792c6b8e in memory_region_write_accessor > > > softmmu/memory.c:483:5 > > > #21 0x55db792c658b in access_with_adjusted_size > > > softmmu/memory.c:544:18 > > > #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c > > > #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 > > > #24 0x55db78cfee6b in flatview_write exec.c:3216:14 > > > #25 0x55db78cfee6b in address_space_write exec.c:3308:18 > > > #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13 > > > #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9 > > > #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9 > > > #29 0x7fc5d7f1a897 in g_main_context_dispatch > > > > > > > This issue as far as I can see, is the DMA to MMIO issue. > > Another one - Interesting... > So it joins these: > https://bugs.launchpad.net/qemu/+bug/1888606 > https://bugs.launchpad.net/qemu/+bug/1886362 > > Could this one be dealt with by moving xhci_reset into a BH?
If we would want to use BH to solve this issue using BH. I think we should use it in the first MMIO write. xhci_doorbell_write->xhci_kick_epctx. But we may think out a more general method to solve these issues, maybe in the core code other than per-device solution. Thanks, Li Qiang #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d) #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9 #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5 #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13 #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9 #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13 #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5 #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18 #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 #10 0x55db78cfee6b in flatview_write exec.c:3216:14 #11 0x55db78cfee6b in address_space_write exec.c:3308:18 #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9 #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5 #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9 #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5 #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5 #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9 #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13 #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13 -->Here use a BH. #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5 #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18 #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 #24 0x55db78cfee6b in flatview_write exec.c:3216:14 #25 0x55db78cfee6b in address_space_write exec.c:3308:18 #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13 #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9 #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9 #29 0x7fc5d7f1a897 in g_main_context_dispatch > -Alex > > > Thanks, > > Li Qiang > > > > > > > previously allocated by thread T0 here: > > > #0 0x55db78cac562 in calloc > > > (build/i386-softmmu/qemu-system-i386+0x250e562) > > > #1 0x7fc5d7f20548 in g_malloc0 > > > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548) > > > #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13 > > > #3 0x55db792c6b8e in memory_region_write_accessor > > > softmmu/memory.c:483:5 > > > #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18 > > > #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c > > > #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 > > > #7 0x55db78cfee6b in flatview_write exec.c:3216:14 > > > #8 0x55db78cfee6b in address_space_write exec.c:3308:18 > > > #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13 > > > #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9 > > > #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9 > > > #12 0x7fc5d7f1a897 in g_main_context_dispatch > > > > > > -Alex > > > > > > ** Affects: qemu > > > Importance: Undecided > > > Status: New > > > > > > -- > > > You received this bug notification because you are a member of qemu- > > > devel-ml, which is subscribed to QEMU. > > > https://bugs.launchpad.net/bugs/1891354 > > > > > > Title: > > > Heap-use-after-free in usb_packet_unmap > > > > > > Status in QEMU: > > > New > > > > > > Bug description: > > > Hello, > > > Reproducer: > > > > > > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \ > > > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \ > > > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \ > > > -nodefaults -nographic -qtest stdio > > > outl 0xcf8 0x80001010 > > > outl 0xcfc 0xc0202 > > > outl 0xcf8 0x80001004 > > > outl 0xcfc 0x1c77695e > > > writel 0xc0040 0xffffd855 > > > writeq 0xc2000 0xff05140100000000 > > > write 0x1d 0x1 0x27 > > > write 0x2d 0x1 0x2e > > > write 0x17232 0x1 0x03 > > > write 0x17254 0x1 0x05 > > > write 0x17276 0x1 0x72 > > > write 0x17278 0x1 0x02 > > > write 0x3d 0x1 0x27 > > > write 0x40 0x1 0x2e > > > write 0x41 0x1 0x72 > > > write 0x42 0x1 0x01 > > > write 0x4d 0x1 0x2e > > > write 0x4f 0x1 0x01 > > > write 0x2007c 0x1 0xc7 > > > writeq 0xc2000 0x5c05140100000000 > > > write 0x20070 0x1 0x80 > > > write 0x20078 0x1 0x08 > > > write 0x2007c 0x1 0xfe > > > write 0x2007d 0x1 0x08 > > > write 0x20081 0x1 0xff > > > write 0x20082 0x1 0x0b > > > write 0x20089 0x1 0x8c > > > write 0x2008d 0x1 0x04 > > > write 0x2009d 0x1 0x10 > > > writeq 0xc2000 0x2505ef019e092f00 > > > EOF > > > > > > 20091==ERROR: AddressSanitizer: heap-use-after-free on address > > > 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8 > > > READ of size 4 at 0x611000045030 thread T0 > > > #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28 > > > #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5 > > > #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5 > > > #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9 > > > #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13 > > > #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13 > > > #6 0x55db792c6b8e in memory_region_write_accessor > > > softmmu/memory.c:483:5 > > > #7 0x55db792c658b in access_with_adjusted_size > > > softmmu/memory.c:544:18 > > > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c > > > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 > > > #10 0x55db78cfee6b in flatview_write exec.c:3216:14 > > > #11 0x55db78cfee6b in address_space_write exec.c:3308:18 > > > #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13 > > > #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9 > > > #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9 > > > #15 0x7fc5d7f1a897 in g_main_context_dispatch > > > #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9 > > > #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5 > > > #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11 > > > #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9 > > > #20 0x55db7a8860fd in main softmmu/main.c:49:5 > > > > > > 0x611000045030 is located 48 bytes inside of 256-byte region > > > [0x611000045000,0x611000045100) > > > freed by thread T0 here: > > > #0 0x55db78cac16d in free > > > (build/i386-softmmu/qemu-system-i386+0x250e16d) > > > #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9 > > > #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5 > > > #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13 > > > #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9 > > > #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13 > > > #6 0x55db792c6b8e in memory_region_write_accessor > > > softmmu/memory.c:483:5 > > > #7 0x55db792c658b in access_with_adjusted_size > > > softmmu/memory.c:544:18 > > > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c > > > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 > > > #10 0x55db78cfee6b in flatview_write exec.c:3216:14 > > > #11 0x55db78cfee6b in address_space_write exec.c:3308:18 > > > #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9 > > > #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5 > > > #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9 > > > #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5 > > > #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5 > > > #17 0x55db79f67143 in xhci_fire_ctl_transfer > > > hw/usb/hcd-xhci.c:1722:9 > > > #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13 > > > #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13 > > > #20 0x55db792c6b8e in memory_region_write_accessor > > > softmmu/memory.c:483:5 > > > #21 0x55db792c658b in access_with_adjusted_size > > > softmmu/memory.c:544:18 > > > #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c > > > #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 > > > #24 0x55db78cfee6b in flatview_write exec.c:3216:14 > > > #25 0x55db78cfee6b in address_space_write exec.c:3308:18 > > > #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13 > > > #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9 > > > #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9 > > > #29 0x7fc5d7f1a897 in g_main_context_dispatch > > > > > > previously allocated by thread T0 here: > > > #0 0x55db78cac562 in calloc > > > (build/i386-softmmu/qemu-system-i386+0x250e562) > > > #1 0x7fc5d7f20548 in g_malloc0 > > > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548) > > > #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13 > > > #3 0x55db792c6b8e in memory_region_write_accessor > > > softmmu/memory.c:483:5 > > > #4 0x55db792c658b in access_with_adjusted_size > > > softmmu/memory.c:544:18 > > > #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c > > > #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23 > > > #7 0x55db78cfee6b in flatview_write exec.c:3216:14 > > > #8 0x55db78cfee6b in address_space_write exec.c:3308:18 > > > #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13 > > > #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9 > > > #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9 > > > #12 0x7fc5d7f1a897 in g_main_context_dispatch > > > > > > -Alex > > > > > > To manage notifications about this bug go to: > > > https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions > > > > >