[{"id":1758714,"web_url":"http://patchwork.ozlabs.org/comment/1758714/","msgid":"<0f325bf7-c137-7f6e-5f70-10910a241d54@amsat.org>","list_archive_url":null,"date":"2017-08-28T16:59:03","subject":"Re: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children\n\tbuses before freeing their memory","submitter":{"id":70924,"url":"http://patchwork.ozlabs.org/api/people/70924/","name":"Philippe Mathieu-Daudé","email":"f4bug@amsat.org"},"content":"On 08/28/2017 01:34 PM, Igor Mammedov wrote:\n> Fixes read after freeing error reported\n> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04243.html\n> Message-Id: <59a56959-ca12-ea75-33fa-ff07eba1b090@redhat.com>\n> \n> ich9-ahci device creates ide buses and attaches them as QOM children\n> at realize time, however it forgets to properly clean them up\n> at unrealize time and frees memory containing these children,\n> with following call-chain:\n> \n> qdev_device_add()\n> object_property_set_bool('realized', true)\n> device_set_realized()\n> ...\n> pci_qdev_realize() -> pci_ich9_ahci_realize() -> ahci_realize()\n> ...\n> s->dev = g_new0(AHCIDevice, ports);\n> ...\n> AHCIDevice *ad = &s->dev[i];\n> ide_bus_new(&ad->port, sizeof(ad->port), qdev, i, 1);\n> ^^^ creates bus in memory allocated by above gnew()\n> and adds it as child propety to ahci device\n> ...\n> hotplug_handler_plug(); -> goto post_realize_fail;\n> pci_qdev_unrealize() -> pci_ich9_uninit() -> ahci_uninit()\n> ...\n> g_free(s->dev);\n> ^^^ free memory that holds children busses\n> \n> return with error from device_set_realized()\n> \n> As result later when qdev_device_add() tries to unparent ich9-ahci\n> after failed device_set_realized(),\n> object_unparent() -> object_property_del_child()\n> iterates over existing QOM children including buses added by\n> ide_bus_new() and tries to unparent them, which causes access to\n> freed memory where they where located.\n> \n> Reported-by: Thomas Huth \n> Signed-off-by: Igor Mammedov \n\nReviewed-by: Philippe Mathieu-Daudé \n\n> ---\n> hw/ide/ahci.c | 1 +\n> 1 file changed, 1 insertion(+)\n> \n> diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c\n> index 406a1b5..ccbe091 100644\n> --- a/hw/ide/ahci.c\n> +++ b/hw/ide/ahci.c\n> @@ -1495,6 +1495,7 @@ void ahci_uninit(AHCIState *s)\n> \n> ide_exit(s);\n> }\n> + object_unparent(OBJECT(&ad->port));\n> }\n> \n> g_free(s->dev);\n>","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"h1G79P73\"; dkim-atps=neutral"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xgyg45Znhz9s7m\n\tfor ;\n\tTue, 29 Aug 2017 02:59:41 +1000 (AEST)","from localhost ([::1]:40697 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dmNNu-00018V-Kx\n\tfor incoming@patchwork.ozlabs.org; Mon, 28 Aug 2017 12:59:34 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:51466)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from )\n\tid 1dmNNa-00016R-MS\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 12:59:15 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from )\n\tid 1dmNNZ-0004yy-Q6\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 12:59:14 -0400","from mail-qt0-x243.google.com ([2607:f8b0:400d:c0d::243]:36291)\n\tby eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.71) (envelope-from )\n\tid 1dmNNT-0004YY-Jf; Mon, 28 Aug 2017 12:59:07 -0400","by mail-qt0-x243.google.com with SMTP id e2so920369qta.3;\n\tMon, 28 Aug 2017 09:59:07 -0700 (PDT)","from [192.168.1.10] ([181.93.89.178])\n\tby smtp.gmail.com with ESMTPSA id\n\tk81sm579958qkk.39.2017.08.28.09.59.04\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tMon, 28 Aug 2017 09:59:06 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;\n\th=sender:subject:to:cc:references:from:message-id:date:user-agent\n\t:mime-version:in-reply-to:content-language:content-transfer-encoding; \n\tbh=zPVbKh/GoigEjDVtYiwrQhph5kugUqt3Sgn7iEwm+Qw=;\n\tb=h1G79P73Z3DWi8Vi6OZMwbXg5lHjhfyHC0pVXNTHDZDRLkTWwyNRdOctxH+fgWvVZb\n\tS499m/Dts14EKdUl8oBgpqtSJgu1kId0BIu+ZH9N7pL924tbFIXYEh/EvFZyu0laIoPN\n\ty2YukXjyyK1b9HrlZ/EQaof/PaHxEPV6i7sEwCrBZnTCmDqF25DMFmQ895rMCz7QRlE1\n\t1EGXkwt9mJmOItdb3NyngxKXgy+xGf2aotmXS6uBybdS+N/duRq9y7xQtstOswFKz0Dr\n\t9dnWZ7/uB52EcsgRQ9v/xV7YVnP9nl2VZ2aaKcrMjKeRSO9o5GbdWqw42fT7sXlYqlRX\n\tCuVA==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:sender:subject:to:cc:references:from:message-id\n\t:date:user-agent:mime-version:in-reply-to:content-language\n\t:content-transfer-encoding;\n\tbh=zPVbKh/GoigEjDVtYiwrQhph5kugUqt3Sgn7iEwm+Qw=;\n\tb=XtTAcEDUncXu/cWAOvnYq8SFQgHFo5YXUTkUS0siYr92phzD8cFyHi2cY7mVNRN1Xx\n\tdIpk/W7ayBRRJ871tqxLLNBJNuCptkNSPNjrFoncM8DT6TQ++p+n/mu/gPB3Hkq1gatp\n\teeLL6S2YopcA9iF87IEE1opwI0QGkSeWFg1GpKPlB7GTmb1Hc0cS95XY1u8QIWiP5oNf\n\tfYuKE+1LQ+ABYXc51jSTF1OKhlD107XK99MulNaylaZh3B+KUR7SS4DXVLrdxlMZc2UJ\n\tiryFbJT3YOIwnPWp3HKXTawhdL07foFxCCoRVqWrykwqD2uGuv/6V7gtuj8Qz0FMHbWZ\n\tFYIg==","X-Gm-Message-State":"AHYfb5g0ya5d47ruH+YG/ynBYuWKgV+uPFHbZNyvpC9Q6lXdvbx/nXZA\n\tmIU+adXmydhHGQ==","X-Received":"by 10.200.55.111 with SMTP id p44mr1739232qtb.130.1503939546937; \n\tMon, 28 Aug 2017 09:59:06 -0700 (PDT)","To":"Igor Mammedov , qemu-devel@nongnu.org","References":"<1503938085-169486-1-git-send-email-imammedo@redhat.com>","From":"=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= ","Message-ID":"<0f325bf7-c137-7f6e-5f70-10910a241d54@amsat.org>","Date":"Mon, 28 Aug 2017 13:59:03 -0300","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<1503938085-169486-1-git-send-email-imammedo@redhat.com>","Content-Type":"text/plain; charset=utf-8; format=flowed","Content-Language":"en-US","Content-Transfer-Encoding":"8bit","X-detected-operating-system":"by eggs.gnu.org: Genre and OS details not\n\trecognized.","X-Received-From":"2607:f8b0:400d:c0d::243","Subject":"Re: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children\n\tbuses before freeing their memory","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"thuth@redhat.com, jsnow@redhat.com, qemu-block@nongnu.org, mst@redhat.com","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}},{"id":1758749,"web_url":"http://patchwork.ozlabs.org/comment/1758749/","msgid":"","list_archive_url":null,"date":"2017-08-28T17:56:08","subject":"Re: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children\n\tbuses before freeing their memory","submitter":{"id":66152,"url":"http://patchwork.ozlabs.org/api/people/66152/","name":"Thomas Huth","email":"thuth@redhat.com"},"content":"On 28.08.2017 18:34, Igor Mammedov wrote:\n> Fixes read after freeing error reported\n> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04243.html\n> Message-Id: <59a56959-ca12-ea75-33fa-ff07eba1b090@redhat.com>\n> \n> ich9-ahci device creates ide buses and attaches them as QOM children\n> at realize time, however it forgets to properly clean them up\n> at unrealize time and frees memory containing these children,\n> with following call-chain:\n> \n> qdev_device_add()\n> object_property_set_bool('realized', true)\n> device_set_realized()\n> ...\n> pci_qdev_realize() -> pci_ich9_ahci_realize() -> ahci_realize()\n> ...\n> s->dev = g_new0(AHCIDevice, ports);\n> ...\n> AHCIDevice *ad = &s->dev[i];\n> ide_bus_new(&ad->port, sizeof(ad->port), qdev, i, 1);\n> ^^^ creates bus in memory allocated by above gnew()\n> and adds it as child propety to ahci device\n> ...\n> hotplug_handler_plug(); -> goto post_realize_fail;\n> pci_qdev_unrealize() -> pci_ich9_uninit() -> ahci_uninit()\n> ...\n> g_free(s->dev);\n> ^^^ free memory that holds children busses\n> \n> return with error from device_set_realized()\n> \n> As result later when qdev_device_add() tries to unparent ich9-ahci\n> after failed device_set_realized(),\n> object_unparent() -> object_property_del_child()\n> iterates over existing QOM children including buses added by\n> ide_bus_new() and tries to unparent them, which causes access to\n> freed memory where they where located.\n> \n> Reported-by: Thomas Huth \n> Signed-off-by: Igor Mammedov \n> ---\n> hw/ide/ahci.c | 1 +\n> 1 file changed, 1 insertion(+)\n> \n> diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c\n> index 406a1b5..ccbe091 100644\n> --- a/hw/ide/ahci.c\n> +++ b/hw/ide/ahci.c\n> @@ -1495,6 +1495,7 @@ void ahci_uninit(AHCIState *s)\n> \n> ide_exit(s);\n> }\n> + object_unparent(OBJECT(&ad->port));\n> }\n> \n> g_free(s->dev);\n> \n\nThanks, this fixes the problem for me with both, x86_64 and mips64el!\n\nTested-by: Thomas Huth ","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx05.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx05.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=thuth@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xh03g2YSHz9s4q\n\tfor ;\n\tTue, 29 Aug 2017 04:02:39 +1000 (AEST)","from localhost ([::1]:40929 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dmOMv-0001jD-AM\n\tfor incoming@patchwork.ozlabs.org; Mon, 28 Aug 2017 14:02:37 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:35493)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dmOGu-0005em-Bs\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 13:56:25 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dmOGt-0006Nk-8v\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 13:56:24 -0400","from mx1.redhat.com ([209.132.183.28]:62793)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from )\n\tid 1dmOGm-0006As-VL; Mon, 28 Aug 2017 13:56:17 -0400","from smtp.corp.redhat.com\n\t(int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id BAC7B13A5D;\n\tMon, 28 Aug 2017 17:56:15 +0000 (UTC)","from [10.36.116.110] (ovpn-116-110.ams2.redhat.com [10.36.116.110])\n\tby smtp.corp.redhat.com (Postfix) with ESMTPS id CD17A7FB4C;\n\tMon, 28 Aug 2017 17:56:09 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com BAC7B13A5D","To":"Igor Mammedov , qemu-devel@nongnu.org","References":"<1503938085-169486-1-git-send-email-imammedo@redhat.com>","From":"Thomas Huth ","Message-ID":"","Date":"Mon, 28 Aug 2017 19:56:08 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<1503938085-169486-1-git-send-email-imammedo@redhat.com>","Content-Type":"text/plain; charset=utf-8","Content-Language":"en-US","Content-Transfer-Encoding":"7bit","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.11","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.29]);\n\tMon, 28 Aug 2017 17:56:15 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children\n\tbuses before freeing their memory","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"jsnow@redhat.com, f4bug@amsat.org, qemu-block@nongnu.org, mst@redhat.com","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}},{"id":1758754,"web_url":"http://patchwork.ozlabs.org/comment/1758754/","msgid":"<20170828210709-mutt-send-email-mst@kernel.org>","list_archive_url":null,"date":"2017-08-28T18:08:14","subject":"Re: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children\n\tbuses before freeing their memory","submitter":{"id":2235,"url":"http://patchwork.ozlabs.org/api/people/2235/","name":"Michael S. Tsirkin","email":"mst@redhat.com"},"content":"On Mon, Aug 28, 2017 at 06:34:45PM +0200, Igor Mammedov wrote:\n> Fixes read after freeing error reported\n> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04243.html\n> Message-Id: <59a56959-ca12-ea75-33fa-ff07eba1b090@redhat.com>\n> \n> ich9-ahci device creates ide buses and attaches them as QOM children\n> at realize time, however it forgets to properly clean them up\n> at unrealize time and frees memory containing these children,\n> with following call-chain:\n> \n> qdev_device_add()\n> object_property_set_bool('realized', true)\n> device_set_realized()\n> ...\n> pci_qdev_realize() -> pci_ich9_ahci_realize() -> ahci_realize()\n> ...\n> s->dev = g_new0(AHCIDevice, ports);\n> ...\n> AHCIDevice *ad = &s->dev[i];\n> ide_bus_new(&ad->port, sizeof(ad->port), qdev, i, 1);\n> ^^^ creates bus in memory allocated by above gnew()\n> and adds it as child propety to ahci device\n> ...\n> hotplug_handler_plug(); -> goto post_realize_fail;\n> pci_qdev_unrealize() -> pci_ich9_uninit() -> ahci_uninit()\n> ...\n> g_free(s->dev);\n> ^^^ free memory that holds children busses\n> \n> return with error from device_set_realized()\n> \n> As result later when qdev_device_add() tries to unparent ich9-ahci\n> after failed device_set_realized(),\n> object_unparent() -> object_property_del_child()\n> iterates over existing QOM children including buses added by\n> ide_bus_new() and tries to unparent them, which causes access to\n> freed memory where they where located.\n> \n> Reported-by: Thomas Huth \n> Signed-off-by: Igor Mammedov \n\nReviewed-by: Michael S. Tsirkin \n\nPls merge through ide tree.\n\n> ---\n> hw/ide/ahci.c | 1 +\n> 1 file changed, 1 insertion(+)\n> \n> diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c\n> index 406a1b5..ccbe091 100644\n> --- a/hw/ide/ahci.c\n> +++ b/hw/ide/ahci.c\n> @@ -1495,6 +1495,7 @@ void ahci_uninit(AHCIState *s)\n> \n> ide_exit(s);\n> }\n> + object_unparent(OBJECT(&ad->port));\n> }\n> \n> g_free(s->dev);\n> -- \n> 2.7.4","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=mst@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xh0Bz1NFBz9sP5\n\tfor ;\n\tTue, 29 Aug 2017 04:08:57 +1000 (AEST)","from localhost ([::1]:40965 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dmOT0-00046b-9C\n\tfor incoming@patchwork.ozlabs.org; Mon, 28 Aug 2017 14:08:54 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:38994)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dmOSX-00044M-0W\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 14:08:32 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dmOSV-0004mb-Uv\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 14:08:24 -0400","from mx1.redhat.com ([209.132.183.28]:37990)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from )\n\tid 1dmOSQ-0004iL-BP; Mon, 28 Aug 2017 14:08:18 -0400","from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 597F280474;\n\tMon, 28 Aug 2017 18:08:17 +0000 (UTC)","from redhat.com (ovpn-120-146.rdu2.redhat.com [10.10.120.146])\n\tby smtp.corp.redhat.com (Postfix) with SMTP id C71CE60240;\n\tMon, 28 Aug 2017 18:08:14 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 597F280474","Date":"Mon, 28 Aug 2017 21:08:14 +0300","From":"\"Michael S. Tsirkin\" ","To":"Igor Mammedov ","Message-ID":"<20170828210709-mutt-send-email-mst@kernel.org>","References":"<1503938085-169486-1-git-send-email-imammedo@redhat.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<1503938085-169486-1-git-send-email-imammedo@redhat.com>","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.12","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.28]);\n\tMon, 28 Aug 2017 18:08:17 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children\n\tbuses before freeing their memory","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"thuth@redhat.com, jsnow@redhat.com, qemu-devel@nongnu.org,\n\tqemu-block@nongnu.org, f4bug@amsat.org","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}},{"id":1758907,"web_url":"http://patchwork.ozlabs.org/comment/1758907/","msgid":"","list_archive_url":null,"date":"2017-08-28T22:41:01","subject":"Re: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children\n\tbuses before freeing their memory","submitter":{"id":64343,"url":"http://patchwork.ozlabs.org/api/people/64343/","name":"John Snow","email":"jsnow@redhat.com"},"content":"On 08/28/2017 12:34 PM, Igor Mammedov wrote:\n> Fixes read after freeing error reported\n> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04243.html\n> Message-Id: <59a56959-ca12-ea75-33fa-ff07eba1b090@redhat.com>\n> \n> ich9-ahci device creates ide buses and attaches them as QOM children\n> at realize time, however it forgets to properly clean them up\n> at unrealize time and frees memory containing these children,\n> with following call-chain:\n> \n> qdev_device_add()\n> object_property_set_bool('realized', true)\n> device_set_realized()\n> ...\n> pci_qdev_realize() -> pci_ich9_ahci_realize() -> ahci_realize()\n> ...\n> s->dev = g_new0(AHCIDevice, ports);\n> ...\n> AHCIDevice *ad = &s->dev[i];\n> ide_bus_new(&ad->port, sizeof(ad->port), qdev, i, 1);\n> ^^^ creates bus in memory allocated by above gnew()\n> and adds it as child propety to ahci device\n> ...\n> hotplug_handler_plug(); -> goto post_realize_fail;\n> pci_qdev_unrealize() -> pci_ich9_uninit() -> ahci_uninit()\n> ...\n> g_free(s->dev);\n> ^^^ free memory that holds children busses\n> \n> return with error from device_set_realized()\n> \n> As result later when qdev_device_add() tries to unparent ich9-ahci\n> after failed device_set_realized(),\n> object_unparent() -> object_property_del_child()\n> iterates over existing QOM children including buses added by\n> ide_bus_new() and tries to unparent them, which causes access to\n> freed memory where they where located.\n> \n> Reported-by: Thomas Huth \n> Signed-off-by: Igor Mammedov \n> ---\n> hw/ide/ahci.c | 1 +\n> 1 file changed, 1 insertion(+)\n> \n> diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c\n> index 406a1b5..ccbe091 100644\n> --- a/hw/ide/ahci.c\n> +++ b/hw/ide/ahci.c\n> @@ -1495,6 +1495,7 @@ void ahci_uninit(AHCIState *s)\n> \n> ide_exit(s);\n> }\n> + object_unparent(OBJECT(&ad->port));\n> }\n> \n> g_free(s->dev);\n> \n\nNice, Thank you.\n\nReviewed-by: John Snow \n\nThanks, applied to my IDE tree:\n\nhttps://github.com/jnsnow/qemu/commits/ide\nhttps://github.com/jnsnow/qemu.git\n\n--js","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx01.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx01.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=jsnow@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xh6Fd0jJ1z9s7v\n\tfor ;\n\tTue, 29 Aug 2017 08:41:41 +1000 (AEST)","from localhost ([::1]:41693 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dmSix-0003JM-2X\n\tfor incoming@patchwork.ozlabs.org; Mon, 28 Aug 2017 18:41:39 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:59633)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dmSiX-0003HN-4y\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 18:41:14 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dmSiW-0005SX-0N\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 18:41:13 -0400","from mx1.redhat.com ([209.132.183.28]:60364)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from )\n\tid 1dmSiQ-0005NM-FN; Mon, 28 Aug 2017 18:41:06 -0400","from smtp.corp.redhat.com\n\t(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id DFA0381DF0;\n\tMon, 28 Aug 2017 22:41:04 +0000 (UTC)","from [10.18.17.231] (dhcp-17-231.bos.redhat.com [10.18.17.231])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id C569660A9B;\n\tMon, 28 Aug 2017 22:41:01 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com DFA0381DF0","To":"Igor Mammedov , qemu-devel@nongnu.org","References":"<1503938085-169486-1-git-send-email-imammedo@redhat.com>","From":"John Snow ","Message-ID":"","Date":"Mon, 28 Aug 2017 18:41:01 -0400","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<1503938085-169486-1-git-send-email-imammedo@redhat.com>","Content-Type":"text/plain; charset=utf-8","Content-Language":"en-US","Content-Transfer-Encoding":"7bit","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.13","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.25]);\n\tMon, 28 Aug 2017 22:41:05 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCH for-2.11] ide: ahci: unparent children\n\tbuses before freeing their memory","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"thuth@redhat.com, f4bug@amsat.org, qemu-block@nongnu.org, mst@redhat.com","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}}]