From: Karthik Poduval
Subject: Re: QEMU 6.2.0: Segfault while calling address_space_init from emulated device
Date: Mon, 16 May 2022 20:38:10 -0700

Ok, digging deeper, there was a compiler warning about a missing
prototype for get_system_memory, but I never thought it would lead to
this sort of issue. The fix now is pretty simple: include the
header where get_system_memory is defined.
https://github.com/qemu/qemu/commit/620dba22bf389c6f9b9f039ad01fc5e1365d8216

I always thought that compilers figured things out about function
prototypes, but in this case it caused a very serious issue that almost
seemed like memory corruption. Lesson learned: never miss function
prototypes.

On Mon, May 16, 2022 at 8:31 PM Karthik Poduval
<karthik.poduval@gmail.com> wrote:
>
> I was able to get it to work with a workaround. After doing some gdb
> debugging, it shows that the system_memory global was being populated
> before the m2m_scaler device was being initialized. Printing
> system_memory vs mr (the argument) to the crashing function shows the
> pointer value to be truncated.
>
> (gdb) p system_memory
>
> $1 = (MemoryRegion *) 0x555556ae16e0
>
> (gdb) p mr
>
> $2 = (MemoryRegion *) 0x56ae16e0
>
> (gdb)
>
> The following workaround resolves the issue for now. It accesses the
> system_memory global variable directly instead of getting it from the
> function get_system_memory.
> https://github.com/karthikpoduval/qemu/commit/00580c9f3c60a7d9c3bb43bc9589f76e663197e4
>
> On Mon, May 16, 2022 at 7:13 PM Karthik Poduval
> <karthik.poduval@gmail.com> wrote:
> >
> > Hi All,
> >
> > I still need help, any help would be greatly appreciated. Turned on
> > address sanitizers (config option --enable-sanitizers).
> > It pointed to a heap overflow in xilinx code.
> > SUMMARY: AddressSanitizer: heap-buffer-overflow
> > ../git/hw/dma/xlnx_csu_dma.c:722 in xlnx_csu_dma_class_init
> >
> > So disabled xilinx from the config.
> > diff --git a/configs/devices/aarch64-softmmu/default.mak
> > b/configs/devices/aarch64-softmmu/default.mak
> > index cf43ac8da1..cf8b98070e 100644
> > --- a/configs/devices/aarch64-softmmu/default.mak
> > +++ b/configs/devices/aarch64-softmmu/default.mak
> > @@ -3,6 +3,6 @@
> >  # We support all the 32 bit boards so need all their config
> >  include ../arm-softmmu/default.mak
> >
> > -CONFIG_XLNX_ZYNQMP_ARM=y
> > -CONFIG_XLNX_VERSAL=y
> > +CONFIG_XLNX_ZYNQMP_ARM=n
> > +CONFIG_XLNX_VERSAL=n
> >  CONFIG_SBSA_REF=y
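Review bot: switching CONFIG_XLNX_ZYNQMP_ARM and CONFIG_XLNX_VERSAL to =n removes the board whose class_init ASan flagged (xlnx_csu_dma.c:722), but it does not change the code path that actually faults, which is m2m_scaler_realize calling address_space_init on the virt machine; the text right after this hunk confirms the crash persists. Treat the heap-buffer-overflow in xlnx_csu_dma_class_init and the SEGV in memory_region_ref as two separate findings, and for the second one inspect the root pointer handed to address_space_init (comparing it against system_memory under gdb, as the later reply does) before turning boards off in default.mak.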
> >
> > Even after doing that the code still crashes at the same point. It
> > seems to be a memory corruption issue, or else how can the
> > get_system_address() function provide an incorrect pointer?
> > build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/image/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/recipe-sysroot-native/usr/bin/qemu-system-aarch64
> > -device virtio-net-device,netdev=net0,mac=52:54:00:12:35:02 -netdev
> > user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23,tftp=/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64
> > -object rng-random,filename=/dev/urandom,id=rng0 -device
> > virtio-rng-pci,rng=rng0 -drive
> > id=disk0,file=/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64/yoe-simple-image-qemuarm64-20220515002944.rootfs.ext4,if=none,format=raw
> > -device virtio-blk-device,drive=disk0 -device qemu-xhci -device
> > usb-tablet -device usb-kbd  -machine virt -cpu cortex-a57 -smp 4 -m
> > 1024 -serial mon:stdio -serial null -nographic -device virtio-gpu-pci
> > -kernel 
> > /home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64/Image--5.15.22+git0+2d38a472b2_7f685244af-r0.0-qemuarm64-20220306152158.bin
> > -append 'root=/dev/vda rw  mem=1024M ip=dhcp console=ttyAMA0
> > console=hvc0  '
> > ==2004211==WARNING: ASan doesn't fully support makecontext/swapcontext
> > functions and may produce false positives in some cases!
> > AddressSanitizer:DEADLYSIGNAL
> > =================================================================
> > ==2004211==ERROR: AddressSanitizer: SEGV on unknown address
> > 0x000000005300 (pc 0x55dfdc2b47fc bp 0x61a0000028e8 sp 0x7ffcf813edc0
> > T0)
> > ==2004211==The signal is caused by a READ memory access.
> >     #0 0x55dfdc2b47fb in memory_region_ref ../git/softmmu/memory.c:1790
> >     #1 0x55dfdc2b47fb in address_space_init ../git/softmmu/memory.c:3005
> >     #2 0x55dfdacba208 in m2m_scaler_realize ../git/hw/misc/m2m_scaler.c:288
> >     #3 0x55dfdc7fb1eb in device_set_realized ../git/hw/core/qdev.c:531
> >     #4 0x55dfdc807c50 in property_set_bool ../git/qom/object.c:2268
> >     #5 0x55dfdc80f5ff in object_property_set ../git/qom/object.c:1403
> >     #6 0x55dfdc819253 in object_property_set_qobject 
> > ../git/qom/qom-qobject.c:28
> >     #7 0x55dfdc80feb5 in object_property_set_bool ../git/qom/object.c:1472
> >     #8 0x55dfdc7f9452 in qdev_realize_and_unref ../git/hw/core/qdev.c:340
> >     #9 0x55dfda8c9adc in sysbus_create_varargs ../git/hw/core/sysbus.c:236
> >     #10 0x55dfdb24d87e in sysbus_create_simple
> > /home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/git/include/hw/sysbus.h:104
> >     #11 0x55dfdb24d87e in create_m2m_scaler ../git/hw/arm/virt.c:1316
> >     #12 0x55dfdb24d87e in machvirt_init ../git/hw/arm/virt.c:2223
> >     #13 0x55dfda8bd006 in machine_run_board_init 
> > ../git/hw/core/machine.c:1187
> >     #14 0x55dfdc2c9f51 in qemu_init_board ../git/softmmu/vl.c:2656
> >     #15 0x55dfdc2c9f51 in qmp_x_exit_preconfig ../git/softmmu/vl.c:2746
> >     #16 0x55dfdc2d1425 in qemu_init ../git/softmmu/vl.c:3777
> >     #17 0x55dfda49c1fc in main ../git/softmmu/main.c:49
> >     #18 0x7f53e39ce57a
> > (/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/sysroots-uninative/x86_64-linux/lib/libc.so.6+0x2d57a)
> >     #19 0x7f53e39ce62f in __libc_start_main
> > (/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/sysroots-uninative/x86_64-linux/lib/libc.so.6+0x2d62f)
> >     #20 0x55dfda4d6f5d in _start
> > (/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/image/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/recipe-sysroot-native/usr/bin/qemu-system-aarch64+0x3b58f5d)
> >
> > AddressSanitizer can not provide additional info.
> > SUMMARY: AddressSanitizer: SEGV ../git/softmmu/memory.c:1790 in
> > memory_region_ref
> > ==2004211==ABORTING
> >
> > Any help would be greatly appreciated. Here is the link to the latest code.
> > https://github.com/karthikpoduval/qemu/tree/scaler-bringup
> >
> > On Sun, May 15, 2022 at 12:26 AM Karthik Poduval
> > <karthik.poduval@gmail.com> wrote:
> > >
> > > Hi All,
> > >
> > > I am trying to create a virtual mem2mem scaler device in QEMU (for the
> > > purposes of writing a mem2mem driver tutorial). I created the mem2mem
> > > device as shown here.
> > > https://github.com/karthikpoduval/qemu/blob/scaler-bringup/hw/misc/m2m_scaler.c
> > >
> > > I added this MMIO device to the arm virt.c (as shown here).
> > > https://github.com/karthikpoduval/qemu/blob/scaler-bringup/hw/arm/virt.c#L1306
> > >
> > > However while the device is getting created, there is a crash while
> > > launching QEMU.
> > > qemu-system-aarch64 -device
> > > virtio-net-device,netdev=net0,mac=52:54:00:12:35:02 -netdev
> > > user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23,tftp=/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64
> > > -object rng-random,filename=/dev/urandom,id=rng0 -device
> > > virtio-rng-pci,rng=rng0 -drive
> > > id=disk0,file=/home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64/yoe-simple-image-qemuarm64-20220515002944.rootfs.ext4,if=none,format=raw
> > > -device virtio-blk-device,drive=disk0 -device qemu-xhci -device
> > > usb-tablet -device usb-kbd  -machine virt -cpu cortex-a57 -smp 4 -m
> > > 1024 -serial mon:stdio -serial null -nographic -device virtio-gpu-pci
> > > -kernel
> > > /home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/deploy/images/qemuarm64/Image--5.15.22+git0+2d38a472b2_7f685244af-r0.0-qemuarm64-20220306152158.bin
> > > -append 'root=/dev/vda rw  mem=256M ip=dhcp
> > > console=ttyAMA0 console=hvc0  '
> > >
> > > Upon running gdb, the stack trace looks like:
> > > Thread 1 "qemu-system-aar" received signal SIGSEGV, Segmentation fault.
> > > 0x0000555555d2f6d6 in memory_region_ref (mr=0x56becae0) at
> > > ../git/softmmu/memory.c:3005
> > > 3005        memory_region_ref(root);
> > > (gdb) bt
> > > #0  0x0000555555d2f6d6 in memory_region_ref (mr=0x56becae0) at
> > > ../git/softmmu/memory.c:3005
> > > #1  address_space_init (as=0x5555570f8bb8, root=0x56becae0,
> > > name=0x5555560a9620 "m2m-scaler-dma") at ../git/softmmu/memory.c:3005
> > > #2  0x0000555555e0d5c8 in object_initialize_with_type
> > > (obj=obj@entry=0x5555570f8750, size=size@entry=1360,
> > > type=type@entry=0x555556a117d0) at ../git/qom/object.c:518
> > > #3  0x0000555555e0d719 in object_new_with_type (type=0x555556a117d0)
> > > at ../git/qom/object.c:733
> > > #4  0x0000555555e08e3a in qdev_new (name=name@entry=0x5555560a95eb
> > > "m2m_scaler") at ../git/hw/core/qdev.c:153
> > > #5  0x000055555595cafa in sysbus_create_varargs
> > > (name=name@entry=0x5555560a95eb "m2m_scaler", addr=addr@entry=0) at
> > > ../git/hw/core/sysbus.c:234
> > > #6  0x0000555555adf1a1 in sysbus_create_simple (irq=<optimized out>,
> > > addr=0, name=0x5555560a95eb "m2m_scaler")
> > >     at 
> > > /home/kpoduval/workspace/yoe-master-kpoduval/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/git/include/hw/sysbus.h:104
> > > #7  create_m2m_scaler (vms=0x555556c31400) at ../git/hw/arm/virt.c:1317
> > > #8  machvirt_init (machine=0x555556c31400) at ../git/hw/arm/virt.c:2239
> > > #9  0x0000555555959929 in machine_run_board_init
> > > (machine=0x555556c31400) at ../git/hw/core/machine.c:1187
> > > #10 0x0000555555d3576f in qemu_init_board () at ../git/softmmu/vl.c:2656
> > > #11 qmp_x_exit_preconfig (errp=<optimized out>) at 
> > > ../git/softmmu/vl.c:2746
> > > #12 qmp_x_exit_preconfig (errp=<optimized out>) at 
> > > ../git/softmmu/vl.c:2739
> > > #13 0x0000555555d38f3b in qemu_init (argc=<optimized out>,
> > > argv=<optimized out>, envp=<optimized out>) at
> > > ../git/softmmu/vl.c:3777
> > > #14 0x000055555588e1bd in main (argc=<optimized out>, argv=<optimized
> > > out>, envp=<optimized out>) at ../git/softmmu/main.c:49
> > >
> > > I was able to do the same thing in QEMU 5.1.0; I do not know why this
> > > does not work in QEMU 6.2.0. Kindly help me resolve this issue. I want
> > > my device to have access to the entire system RAM (as this emulated
> > > device can read the input image from DDR, scale it and write the input
> > > image back to DDR, so it needs to have access to the entire DDR memory).
> > >
> > > --
> > > Regards,
> > > Karthik Poduval
> >
> >
> >
> > --
> > Regards,
> > Karthik Poduval
>
>
>
> --
> Regards,
> Karthik Poduval



-- 
Regards,
Karthik Poduval
