
[Xen-changelog] [qemu-xen master] ide: ahci: unparent children buses before freeing their memory



commit 83b23fe55c7b969e778c18960ea7c381e92070e8
Author:     Igor Mammedov <imammedo@xxxxxxxxxx>
AuthorDate: Mon Sep 18 15:01:25 2017 -0400
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Fri Sep 22 18:12:41 2017 -0500

    ide: ahci: unparent children buses before freeing their memory
    
    Fixes the read-after-free error reported at
      https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04243.html
      Message-Id: <59a56959-ca12-ea75-33fa-ff07eba1b090@xxxxxxxxxx>
    
    The ich9-ahci device creates IDE buses and attaches them as QOM children
    at realize time; however, it forgets to properly clean them up
    at unrealize time and frees the memory containing these children,
    with the following call chain:
    
       qdev_device_add()
         object_property_set_bool('realized', true)
           device_set_realized()
              ...
              pci_qdev_realize() -> pci_ich9_ahci_realize() -> ahci_realize()
                   ...
                   s->dev = g_new0(AHCIDevice, ports);
                   ...
                      AHCIDevice *ad = &s->dev[i];
                      ide_bus_new(&ad->port, sizeof(ad->port), qdev, i, 1);
                       ^^^ creates bus in memory allocated by the above g_new0()
                           and adds it as a child property to the ahci device
              ...
              hotplug_handler_plug(); -> goto post_realize_fail;
              pci_qdev_unrealize() -> pci_ich9_uninit() -> ahci_uninit()
                  ...
                   g_free(s->dev);
                    ^^^ frees the memory that holds the child buses
    
              return with error from device_set_realized()
    
    As a result, later, when qdev_device_add() tries to unparent ich9-ahci
    after the failed device_set_realized(),
        object_unparent() -> object_property_del_child()
    iterates over the existing QOM children, including the buses added by
    ide_bus_new(), and tries to unparent them, which causes access to the
    freed memory where they were located.
    
    Reported-by: Thomas Huth <thuth@xxxxxxxxxx>
    Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
    Reviewed-by: Philippe Mathieu-Daudé <f4bug@xxxxxxxxx>
    Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
    Tested-by: Thomas Huth <thuth@xxxxxxxxxx>
    Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
    Message-id: 1503938085-169486-1-git-send-email-imammedo@xxxxxxxxxx
    Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
    (cherry picked from commit 955f5c7ba127746345a3d43b4d7c885ca159ae6b)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
 hw/ide/ahci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 406a1b5..ccbe091 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1495,6 +1495,7 @@ void ahci_uninit(AHCIState *s)
 
             ide_exit(s);
         }
+        object_unparent(OBJECT(&ad->port));
     }
 
     g_free(s->dev);
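Review bot: the new object_unparent(OBJECT(&ad->port)) must stay ahead of the g_free(s->dev) that follows the loop, because each port's IDE bus lives inside the s->dev array (ide_bus_new(&ad->port, ...) with ad = &s->dev[i]) rather than in its own heap allocation; a one-line comment above the call would record that ordering constraint so a later reshuffle of this teardown does not reintroduce the use-after-free. Placing the call after the closing brace of the preceding block, at loop-body level, is right, since ide_bus_new() is invoked for every port at realize time and the unparent therefore has to be unconditional as well. It would be worth confirming that ahci_uninit() cannot be reached after a partially completed ahci_realize() in which only some ports had their bus initialised, because unparenting a never-initialised embedded object would fault in the same way this patch is fixing.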
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master
