    ide: ahci: unparent children buses before freeing their memory · 955f5c7b
    Igor Mammedov authored
    Fixes the read-after-free error reported at
      https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04243.html
      Message-Id: <59a56959-ca12-ea75-33fa-ff07eba1b090@redhat.com>
    
    The ich9-ahci device creates ide buses and attaches them as QOM children
    at realize time; however, it forgets to properly clean them up
    at unrealize time and frees the memory containing these children,
    with the following call-chain:
    
       qdev_device_add()
         object_property_set_bool('realized', true)
           device_set_realized()
              ...
              pci_qdev_realize() -> pci_ich9_ahci_realize() -> ahci_realize()
                   ...
                   s->dev = g_new0(AHCIDevice, ports);
                   ...
                      AHCIDevice *ad = &s->dev[i];
                      ide_bus_new(&ad->port, sizeof(ad->port), qdev, i, 1);
                       ^^^ creates bus in memory allocated by above g_new()
                           and adds it as child property to ahci device
              ...
              hotplug_handler_plug(); -> goto post_realize_fail;
              pci_qdev_unrealize() -> pci_ich9_uninit() -> ahci_uninit()
                  ...
                   g_free(s->dev);
                    ^^^ frees the memory that holds the child buses
    
              return with error from device_set_realized()
    
    As a result, later when qdev_device_add() tries to unparent ich9-ahci
    after failed device_set_realized(),
        object_unparent() -> object_property_del_child()
    iterates over existing QOM children including buses added by
    ide_bus_new() and tries to unparent them, which causes access to
    freed memory where they were located.
    Reported-by: Thomas Huth <thuth@redhat.com>
    Signed-off-by: Igor Mammedov <imammedo@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Tested-by: Thomas Huth <thuth@redhat.com>
    Reviewed-by: John Snow <jsnow@redhat.com>
    Message-id: 1503938085-169486-1-git-send-email-imammedo@redhat.com
    Signed-off-by: John Snow <jsnow@redhat.com>
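The unparent-before-free ordering the commit message describes, as a constructed C model added here (not QEMU code): `Parent`, `Child`, `realize`, `unrealize_buggy`, `unrealize_fixed` and `dangling_children` are toy stand-ins for the QOM/AHCI objects and functions named above, and a `dev_freed` flag stands in for the released allocation so the stale child references can be counted without dereferencing freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>
#define MAX_PORTS 8

/* Constructed toy stand-ins (not QEMU types): the AHCI port array and the QOM
 * parent that holds each port's IDE bus as a child property. */
typedef struct Child { int index; } Child;
typedef struct Parent {
    Child *children[MAX_PORTS]; /* child properties: pointers into dev[] */
    int nchildren;
    Child *dev;                 /* analogue of s->dev = g_new0(AHCIDevice, ports) */
    int ports;
    bool dev_freed;             /* set once dev[] storage has been released */
} Parent;

/* ide_bus_new() analogue: the bus lives inside dev[] and is registered as a child. */
static void add_child(Parent *p, Child *c) { p->children[p->nchildren++] = c; }
/* object_unparent() analogue: remove one child from the parent's table. */
static void unparent_child(Parent *p, Child *c)
{
    for (int i = 0; i < p->nchildren; i++) {
        if (p->children[i] == c) { p->children[i] = p->children[--p->nchildren]; return; }
    }
}

/* ahci_realize() analogue: allocate port storage and register every port as a child. */
static void realize(Parent *p, int ports)
{
    p->ports = ports > MAX_PORTS ? MAX_PORTS : ports;
    p->dev = calloc((size_t)p->ports, sizeof(Child));
    for (int i = 0; i < p->ports; i++) { p->dev[i].index = i; add_child(p, &p->dev[i]); }
}

/* Before the fix: dev[] is freed while the child table still points into it. */
static void unrealize_buggy(Parent *p) { free(p->dev); p->dev = NULL; p->dev_freed = true; }
/* After the fix: unparent every child bus first, then free the storage. */
static void unrealize_fixed(Parent *p)
{
    for (int i = 0; i < p->ports; i++) unparent_child(p, &p->dev[i]);
    free(p->dev); p->dev = NULL; p->dev_freed = true;
}

/* Children still registered after dev[] is gone are what a later object_unparent()
 * sweep would dereference; count them instead of touching them. */
static int dangling_children(const Parent *p) { return p->dev_freed ? p->nchildren : 0; }
/* Realize, run one unrealize path, report how many dangling children remain. */
static int dangling_after(int ports, void (*unrealize)(Parent *))
{
    Parent p = {0}; realize(&p, ports); unrealize(&p); return dangling_children(&p);
}
```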