
asan reports use-after-free from dino_pcihost_init, elroy_pcihost_init

If you build hppa to enable asan/ubsan:

'../../configure' '--target-list=hppa-softmmu,hppa-linux-user' '--enable-debug' '--cc=clang' '--cxx=clang++' '--disable-docs' '--disable-tools' '--enable-ubsan' '--enable-asan'

then run 'make check', then (as well as a lot of leak issues, many of which we already know about) you get this use-after-free report when running device-introspect-test:

==1771223==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000018f80 at pc 0x5b4b9d3369b5 bp 0x7ffd01929980 sp 0x7ffd01929978
WRITE of size 8 at 0x527000018f80 thread T0
    #0 0x5b4b9d3369b4 in pci_host_bus_register /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
    #1 0x5b4b9d321566 in pci_root_bus_internal_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
    #2 0x5b4b9d3215e0 in pci_root_bus_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
    #3 0x5b4b9d321fe5 in pci_register_root_bus /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
    #4 0x5b4b9d390521 in dino_pcihost_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/dino.c:473:16
    #5 0x5b4b9e3fe9b1 in object_init_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:428:9
    #6 0x5b4b9e3e5d1b in object_initialize_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:570:5
    #7 0x5b4b9e3e763d in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:774:5
    #8 0x5b4b9e3e7409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
    #9 0x5b4b9ea609a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11
    #10 0x5b4b9d9fe5fc in qdev_device_help /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/qdev-monitor.c:313:17
    #11 0x5b4b9da048fc in hmp_device_add /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/qdev-monitor.c:989:9
    #12 0x5b4b9dbec8ad in handle_hmp_command_exec /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../monitor/hmp.c:1106:9
    #13 0x5b4b9dbe6cb5 in handle_hmp_command /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../monitor/hmp.c:1158:9
    #14 0x5b4b9dbfa0ed in qmp_human_monitor_command /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../monitor/qmp-cmds.c:179:5
    #15 0x5b4b9ebcbd2a in qmp_marshal_human_monitor_command /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qapi/qapi-commands-misc.c:347:14
    #16 0x5b4b9eccb5b1 in do_qmp_dispatch_bh /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qapi/qmp-dispatch.c:128:5
    #17 0x5b4b9eda6ccd in aio_bh_call /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:172:5
    #18 0x5b4b9eda7b06 in aio_bh_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:219:13
    #19 0x5b4b9ed13d78 in aio_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/aio-posix.c:436:5
    #20 0x5b4b9edad7a6 in aio_ctx_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:361:5
    #21 0x799d827095c4  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d5c4) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #22 0x799d8270970f in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d70f) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #23 0x5b4b9edb0b99 in glib_pollfds_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:287:9
    #24 0x5b4b9edaf654 in os_host_main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:310:5
    #25 0x5b4b9edaf291 in main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:589:11
    #26 0x5b4b9da20e56 in qemu_main_loop /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/runstate.c:905:9
    #27 0x5b4b9ea78c8d in qemu_default_main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/main.c:50:14
    #28 0x5b4b9ea78bae in main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/main.c:93:9
    #29 0x799d8022a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x799d8022a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #31 0x5b4b9ca16ca4 in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x1712ca4) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)

0x527000018f80 is located 1664 bytes inside of 12384-byte region [0x527000018900,0x52700001b960)
freed by thread T0 here:
    #0 0x5b4b9cab185a in free (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)
    #1 0x5b4b9e3ee723 in object_finalize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
    #2 0x5b4b9e3e69db in object_unref /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
    #3 0x5b4b9ea6173c in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5
    #4 0x5b4b9ec4e0f3 in qmp_marshal_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qapi/qapi-commands-qdev.c:65:14
    #5 0x5b4b9eccb5b1 in do_qmp_dispatch_bh /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qapi/qmp-dispatch.c:128:5
    #6 0x5b4b9eda6ccd in aio_bh_call /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:172:5
    #7 0x5b4b9eda7b06 in aio_bh_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:219:13
    #8 0x5b4b9ed13d78 in aio_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/aio-posix.c:436:5
    #9 0x5b4b9edad7a6 in aio_ctx_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:361:5
    #10 0x799d827095c4  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d5c4) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #11 0x799d8270970f in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d70f) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #12 0x5b4b9edb0b99 in glib_pollfds_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:287:9
    #13 0x5b4b9edaf654 in os_host_main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:310:5
    #14 0x5b4b9edaf291 in main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:589:11
    #15 0x5b4b9da20e56 in qemu_main_loop /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/runstate.c:905:9
    #16 0x5b4b9ea78c8d in qemu_default_main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/main.c:50:14
    #17 0x5b4b9ea78bae in main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/main.c:93:9
    #18 0x799d8022a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x799d8022a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #20 0x5b4b9ca16ca4 in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x1712ca4) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)

previously allocated by thread T0 here:
    #0 0x5b4b9cab1af3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)
    #1 0x799d8270eb09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #2 0x5b4b9e3e75fc in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
    #3 0x5b4b9e3e7409 in object_new_with_class /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
    #4 0x5b4b9ea609a5 in qmp_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11
    #5 0x5b4b9ec4e0f3 in qmp_marshal_device_list_properties /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qapi/qapi-commands-qdev.c:65:14
    #6 0x5b4b9eccb5b1 in do_qmp_dispatch_bh /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qapi/qmp-dispatch.c:128:5
    #7 0x5b4b9eda6ccd in aio_bh_call /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:172:5
    #8 0x5b4b9eda7b06 in aio_bh_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:219:13
    #9 0x5b4b9ed13d78 in aio_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/aio-posix.c:436:5
    #10 0x5b4b9edad7a6 in aio_ctx_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/async.c:361:5
    #11 0x799d827095c4  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d5c4) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #12 0x799d8270970f in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d70f) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
    #13 0x5b4b9edb0b99 in glib_pollfds_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:287:9
    #14 0x5b4b9edaf654 in os_host_main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:310:5
    #15 0x5b4b9edaf291 in main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../util/main-loop.c:589:11
    #16 0x5b4b9da20e56 in qemu_main_loop /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/runstate.c:905:9
    #17 0x5b4b9ea78c8d in qemu_default_main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/main.c:50:14
    #18 0x5b4b9ea78bae in main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../system/main.c:93:9
    #19 0x799d8022a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x799d8022a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #21 0x5b4b9ca16ca4 in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x1712ca4) (BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)

SUMMARY: AddressSanitizer: heap-use-after-free /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5 in pci_host_bus_register
Shadow bytes around the buggy address:
  0x527000018d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000018d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000018e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000018e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000018f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x527000018f80:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000019000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000019080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000019100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000019180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000019200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1771223==ABORTING

Possibly this is the underlying cause of recently reported flakiness with the hppa device-introspect-test where it sometimes segfaults on s390 host.

The same bug also exists in the elroy-pcihost hppa device.

Edited by Peter Maydell
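A constructed C model of the failure in the trace above, added here and not QEMU's own code: a host-bridge object links itself into a global intrusive list from instance_init, the throwaway instance that device-list-properties creates is finalized without ever being unlinked, and the next registration of the same type writes through the stale list head. The names are made up, and a `freed` flag stands in for free() so the stale-pointer check stays defined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model (not QEMU code). Links mirror a QLIST entry; 'freed'
 * stands in for free() so the stale-pointer check stays defined behaviour. */
typedef struct HostBridge {
    struct HostBridge *next, **prev;
    bool freed;
} HostBridge;
static HostBridge *bridge_list;  /* stand-in for the global pci_host_bridges */

/* QLIST_INSERT_HEAD as in pci_host_bus_register(): stores the new element's
 * address into the OLD head's prev link. If that head was already finalized,
 * this is the 8-byte write ASan flagged at pci.c:608; refuse it instead. */
static bool bridge_register(HostBridge *h)
{
    if (bridge_list && bridge_list->freed) return false;
    h->next = bridge_list;
    if (bridge_list) bridge_list->prev = &h->next;
    h->prev = &bridge_list;
    bridge_list = h;
    return true;
}

/* Like dino_pcihost_init(): registering from instance_init puts even a
 * throwaway introspection instance on the global list. */
static void bridge_instance_init(HostBridge *h) { h->freed = false; bridge_register(h); }

/* Buggy finalize frees without unlinking: the reported bug. */
static void bridge_finalize_buggy(HostBridge *h) { h->freed = true; }

/* Fixed finalize does QLIST_REMOVE while the object is still alive.
 * (Registering from realize instead of instance_init avoids it as well.) */
static void bridge_finalize_fixed(HostBridge *h)
{
    if (h->next) h->next->prev = h->prev;
    *h->prev = h->next;
    h->freed = true;
}

/* Replays device-list-properties (create + finalize a throwaway instance),
 * then a real object_new of the same type; true = no freed memory touched. */
static bool introspect_then_create(void (*finalize)(HostBridge *),
                                   HostBridge *tmp, HostBridge *real)
{
    bridge_list = NULL;
    bridge_instance_init(tmp);
    finalize(tmp);
    real->freed = false;
    return bridge_register(real);
}
```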