QEMU

Guest(ubuntu 18.04) crashes when trying uploading file

Bug #1785670 reported by Zihan Yang on 2018-08-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

I speficy slirp network, and I can open websites, git clone repos. But when I try to upload a file to slack, or try to do a git push, it crashes.

My host is ubuntu 16.04 with kernel 4.15.0-29-generic, and qemu is latest source in git(commit 1fb57da72ae0886e). The command I use is

./x86_64-softmmu/qemu-system-x86_64 -machine q35,accel=kvm -m 2048 -drive file=../qcow2/guest.qcow2 -netdev user,id=realnet0 -device e1000e,netdev=realnet0

The trace is as follows

*** Error in `./x86_64-softmmu/qemu-system-x86_64': free(): invalid next size (normal): 0x00007f66d80b7300 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f66fb7967e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f66fb79f37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f66fb7a353c]
./x86_64-softmmu/qemu-system-x86_64(+0x6a8549)[0x55dc10c7d549]
./x86_64-softmmu/qemu-system-x86_64(+0x6a99d4)[0x55dc10c7e9d4]
./x86_64-softmmu/qemu-system-x86_64(+0x6ad09a)[0x55dc10c8209a]
./x86_64-softmmu/qemu-system-x86_64(+0x6a3feb)[0x55dc10c78feb]
./x86_64-softmmu/qemu-system-x86_64(+0x6a746e)[0x55dc10c7c46e]
./x86_64-softmmu/qemu-system-x86_64(+0x68fe2c)[0x55dc10c64e2c]
./x86_64-softmmu/qemu-system-x86_64(+0x685b3b)[0x55dc10c5ab3b]
./x86_64-softmmu/qemu-system-x86_64(+0x685bfd)[0x55dc10c5abfd]
./x86_64-softmmu/qemu-system-x86_64(+0x6885a8)[0x55dc10c5d5a8]
./x86_64-softmmu/qemu-system-x86_64(+0x688717)[0x55dc10c5d717]
./x86_64-softmmu/qemu-system-x86_64(+0x685d27)[0x55dc10c5ad27]
./x86_64-softmmu/qemu-system-x86_64(+0x685d54)[0x55dc10c5ad54]
./x86_64-softmmu/qemu-system-x86_64(+0x586bb8)[0x55dc10b5bbb8]
./x86_64-softmmu/qemu-system-x86_64(+0x586d92)[0x55dc10b5bd92]
./x86_64-softmmu/qemu-system-x86_64(+0x586ecd)[0x55dc10b5becd]
./x86_64-softmmu/qemu-system-x86_64(+0x593ea8)[0x55dc10b68ea8]
./x86_64-softmmu/qemu-system-x86_64(+0x59419d)[0x55dc10b6919d]
./x86_64-softmmu/qemu-system-x86_64(+0x5947df)[0x55dc10b697df]
./x86_64-softmmu/qemu-system-x86_64(+0x597ddf)[0x55dc10b6cddf]
./x86_64-softmmu/qemu-system-x86_64(+0x5989e7)[0x55dc10b6d9e7]
./x86_64-softmmu/qemu-system-x86_64(+0x58ae11)[0x55dc10b5fe11]
./x86_64-softmmu/qemu-system-x86_64(+0x30d4f6)[0x55dc108e24f6]
./x86_64-softmmu/qemu-system-x86_64(+0x30d70e)[0x55dc108e270e]
./x86_64-softmmu/qemu-system-x86_64(+0x310336)[0x55dc108e5336]
./x86_64-softmmu/qemu-system-x86_64(+0x2ac368)[0x55dc10881368]
./x86_64-softmmu/qemu-system-x86_64(+0x2ac4b2)[0x55dc108814b2]
./x86_64-softmmu/qemu-system-x86_64(+0x2ac7b8)[0x55dc108817b8]
./x86_64-softmmu/qemu-system-x86_64(+0x2ac809)[0x55dc10881809]
./x86_64-softmmu/qemu-system-x86_64(+0x32b673)[0x55dc10900673]
./x86_64-softmmu/qemu-system-x86_64(+0x2f2875)[0x55dc108c7875]
./x86_64-softmmu/qemu-system-x86_64(+0x81b91c)[0x55dc10df091c]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f66fbaf06ba]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f66fb82641d]
======= Memory map: ========
55dc105d5000-55dc112a9000 r-xp 00000000 103:02 5767220 /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
55dc114a9000-55dc115bd000 r--p 00cd4000 103:02 5767220 /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
55dc115bd000-55dc11773000 rw-p 00de8000 103:02 5767220 /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
55dc11773000-55dc117b5000 rw-p 00000000 00:00 0
55dc134d6000-55dc14e20000 rw-p 00000000 00:00 0 [heap]
7f6634000000-7f6634021000 rw-p 00000000 00:00 0
7f6634021000-7f6638000000 ---p 00000000 00:00 0
7f663c000000-7f663c021000 rw-p 00000000 00:00 0
7f663c021000-7f6640000000 ---p 00000000 00:00 0
7f6642000000-7f6644000000 rw-s 00000000 00:05 4882443 /SYSV00000000 (deleted)
7f6644000000-7f6644021000 rw-p 00000000 00:00 0
7f6644021000-7f6648000000 ---p 00000000 00:00 0
7f66491cc000-7f66491cd000 ---p 00000000 00:00 0
7f66491cd000-7f66499cd000 rw-p 00000000 00:00 0
7f66499cd000-7f66499ce000 ---p 00000000 00:00 0
7f66499ce000-7f664a1ce000 rw-p 00000000 00:00 0
7f664a1ce000-7f664a1cf000 ---p 00000000 00:00 0
7f664a1cf000-7f664a9cf000 rw-p 00000000 00:00 0
7f664a9cf000-7f664a9d0000 ---p 00000000 00:00 0
7f664a9d0000-7f664b1d0000 rw-p 00000000 00:00 0
7f664b1d0000-7f664b1d1000 ---p 00000000 00:00 0
7f664b1d1000-7f664b9d1000 rw-p 00000000 00:00 0
7f664b9d1000-7f664b9d2000 ---p 00000000 00:00 0
7f664b9d2000-7f664bad2000 rw-p 00000000 00:00 0
7f664bad2000-7f664bad3000 ---p 00000000 00:00 0
7f664bad3000-7f664bbd3000 rw-p 00000000 00:00 0
7f664bbd3000-7f664bbd4000 ---p 00000000 00:00 0
7f664bbd4000-7f664bcd4000 rw-p 00000000 00:00 0
7f664bcd4000-7f664bcd5000 ---p 00000000 00:00 0
7f664bcd5000-7f664c4d5000 rw-p 00000000 00:00 0
7f664c4d5000-7f664c4d6000 ---p 00000000 00:00 0
7f664c4d6000-7f664c5d6000 rw-p 00000000 00:00 0
7f664c5d6000-7f664c5d7000 ---p 00000000 00:00 0
7f664c5d7000-7f664c6d7000 rw-p 00000000 00:00 0
7f664c6d7000-7f664c6d8000 ---p 00000000 00:00 0
7f664c6d8000-7f664c7d8000 rw-p 00000000 00:00 0
7f664c7d8000-7f664c7d9000 ---p 00000000 00:00 0
7f664c7d9000-7f664c8d9000 rw-p 00000000 00:00 0
7f664c8d9000-7f664c8da000 ---p 00000000 00:00 0
7f664c8da000-7f664c9da000 rw-p 00000000 00:00 0
7f664c9da000-7f664c9db000 ---p 00000000 00:00 0
7f664c9db000-7f664cadb000 rw-p 00000000 00:00 0
7f664cadb000-7f664cadc000 ---p 00000000 00:00 0
7f664cadc000-7f664cbdc000 rw-p 00000000 00:00 0
7f664cbdc000-7f664cbdd000 ---p 00000000 00:00 0
7f664cbdd000-7f664ccdd000 rw-p 00000000 00:00 0
7f664ccdd000-7f664ccde000 ---p 00000000 00:00 0
7f664ccde000-7f664cdde000 rw-p 00000000 00:00 0
7f664cdde000-7f664cddf000 ---p 00000000 00:00 0
7f664cddf000-7f664cedf000 rw-p 00000000 00:00 0
7f664cedf000-7f664cee0000 ---p 00000000 00:00 0
7f664cee0000-7f664cfe0000 rw-p 00000000 00:00 0
7f664cfe0000-7f664cfe1000 ---p 00000000 00:00 0
7f664cfe1000-7f664d0e1000 rw-p 00000000 00:00 0
7f664d0e1000-7f664d0e2000 ---p 00000000 00:00 0
7f664d0e2000-7f664d1e2000 rw-p 00000000 00:00 0
7f664d1e2000-7f664d1e3000 ---p 00000000 00:00 0
7f664d1e3000-7f664d2e3000 rw-p 00000000 00:00 0
7f664d2e3000-7f664d2e4000 ---p 00000000 00:00 0
7f664d2e4000-7f664d3e4000 rw-p 00000000 00:00 0
7f664d3e4000-7f664d3e5000 ---p 00000000 00:00 0
7f664d3e5000-7f664d4e5000 rw-p 00000000 00:00 0
7f664d4e5000-7f664d4e6000 ---p 00000000 00:00 0
7f664d4e6000-7f664d5e6000 rw-p 00000000 00:00 0
7f664d5e6000-7f664d5e7000 ---p 00000000 00:00 0
7f664d5e7000-7f664d6e7000 rw-p 00000000 00:00 0
7f664d6e7000-7f664d6e8000 ---p 00000000 00:00 0
7f664d6e8000-7f664d7e8000 rw-p 00000000 00:00 0
7f664d7e8000-7f664d7e9000 ---p 00000000 00:00 0
7f664d7e9000-7f664d8e9000 rw-p 00000000 00:00 0
7f664d8e9000-7f664d8ea000 ---p 00000000 00:00 0
7f664d8ea000-7f664d9ea000 rw-p 00000000 00:00 0
7f664d9ea000-7f664d9eb000 ---p 00000000 00:00 0
7f664d9eb000-7f664daeb000 rw-p 00000000 00:00 0
7f664daeb000-7f664daec000 ---p 00000000 00:00 0
7f664daec000-7f664dbec000 rw-p 00000000 00:00 0
7f664dbec000-7f664dbed000 ---p 00000000 00:00 0
7f664dbed000-7f664dced000 rw-p 00000000 00:00 0
7f664dced000-7f664dcee000 ---p 00000000 00:00 0
7f664dcee000-7f664ddee000 rw-p 00000000 00:00 0
7f664ddee000-7f664ddef000 ---p 00000000 00:00 0
7f664ddef000-7f664deef000 rw-p 00000000 00:00 0
7f664deef000-7f664def0000 ---p 00000000 00:00 0
7f664def0000-7f664dff0000 rw-p 00000000 00:00 0
7f664dff0000-7f664dff1000 ---p 00000000 00:00 0
7f664dff1000-7f664e0f1000 rw-p 00000000 00:00 0
7f664e0f1000-7f664e0f2000 ---p 00000000 00:00 0
7f664e0f2000-7f664e1f2000 rw-p 00000000 00:00 0
7f664e1f2000-7f664e1f3000 ---p 00000000 00:00 0
7f664e1f3000-7f664e2f3000 rw-p 00000000 00:00 0
7f664e2f3000-7f664e2f4000 ---p 00000000 00:00 0
7f664e2f4000-7f664e3f4000 rw-p 00000000 00:00 0
7f664e3f4000-7f664e3f5000 ---p 00000000 00:00 0
7f664e3f5000-7f664e4f5000 rw-p 00000000 00:00 0
7f664e4f5000-7f664e4f6000 ---p 00000000 00:00 0
7f664e4f6000-7f664e5f6000 rw-p 00000000 00:00 0
7f664e5f6000-7f664e5f7000 ---p 00000000 00:00 0
7f664e5f7000-7f664e6f7000 rw-p 00000000 00:00 0
7f664e6f7000-7f664e6f8000 ---p 00000000 00:00 0
7f664e6f8000-7f664e7f8000 rw-p 00000000 00:00 0
7f664e7f8000-7f664e7f9000 ---p 00000000 00:00 0
7f664e7f9000-7f664e8f9000 rw-p 00000000 00:00 0
7f664e8f9000-7f664e8fa000 ---p 00000000 00:00 0
7f664e8fa000-7f664e9fa000 rw-p 00000000 00:00 0
7f664e9fa000-7f664e9fb000 ---p 00000000 00:00 0
7f664e9fb000-7f664eafb000 rw-p 00000000 00:00 0
7f664eafb000-7f664eafc000 ---p 00000000 00:00 0
7f664eafc000-7f664ebfc000 rw-p 00000000 00:00 0
7f664ebfc000-7f664ebfd000 ---p 00000000 00:00 0
7f664ebfd000-7f664ecfd000 rw-p 00000000 00:00 0
7f664ecfd000-7f664ecfe000 ---p 00000000 00:00 0
7f664ecfe000-7f664edfe000 rw-p 00000000 00:00 0
7f664edfe000-7f664edff000 ---p 00000000 00:00 0
7f664edff000-7f664eeff000 rw-p 00000000 00:00 0
7f664eeff000-7f664ef00000 ---p 00000000 00:00 0
7f664ef00000-7f664f000000 rw-p 00000000 00:00 0
7f664f6fe000-7f664f6ff000 ---p 00000000 00:00 0
7f664f6ff000-7f664f7ff000 rw-p 00000000 00:00 0
7f664f7ff000-7f664f800000 ---p 00000000 00:00 0
7f664f800000-7f6650000000 rw-p 00000000 00:00 0
7f6650000000-7f6650022000 rw-p 00000000 00:00 0
7f6650022000-7f6654000000 ---p 00000000 00:00 0
7f66540f5000-7f66540f6000 ---p 00000000 00:00 0
7f66540f6000-7f66541f6000 rw-p 00000000 00:00 0
7f66541f6000-7f66541f7000 ---p 00000000 00:00 0
7f66541f7000-7f66542f7000 rw-p 00000000 00:00 0
7f66542f7000-7f66542f8000 ---p 00000000 00:00 0
7f66542f8000-7f66543f8000 rw-p 00000000 00:00 0
7f66543f8000-7f66543f9000 ---p 00000000 00:00 0
7f66543f9000-7f66544f9000 rw-p 00000000 00:00 0
7f66544f9000-7f66544fa000 ---p 00000000 00:00 0
7f66544fa000-7f66545fa000 rw-p 00000000 00:00 0
7f66545fa000-7f66545fb000 ---p 00000000 00:00 0
7f66545fb000-7f66546fb000 rw-p 00000000 00:00 0
7f66546fb000-7f66546fc000 ---p 00000000 00:00 0
7f66546fc000-7f66547fc000 rw-p 00000000 00:00 0
7f66547fc000-7f66547fd000 ---p 00000000 00:00 0
7f66547fd000-7f66548fd000 rw-p 00000000 00:00 0
7f66548fd000-7f66548fe000 ---p 00000000 00:00 0
7f66548fe000-7f66549fe000 rw-p 00000000 00:00 0
7f66549fe000-7f66549ff000 ---p 00000000 00:00 0
7f66549ff000-7f6654aff000 rw-p 00000000 00:00 0
7f6654aff000-7f6654b00000 ---p 00000000 00:00 0
7f6654b00000-7f6654c00000 rw-p 00000000 00:00 0
7f6654c00000-7f6654c01000 rw-p 00000000 00:00 0
7f6654c01000-7f6654c02000 ---p 00000000 00:00 0
7f6654cff000-7f6654d00000 ---p 00000000 00:00 0
7f6654d00000-7f6654e00000 rw-p 00000000 00:00 0
7f6654e00000-7f6654e01000 rw-p 00000000 00:00 0
7f6654e01000-7f6654e02000 ---p 00000000 00:00 0
7f6654eff000-7f6654f00000 ---p 00000000 00:00 0
7f6654f00000-7f6655000000 rw-p 00000000 00:00 0
7f6655000000-7f6655200000 rw-p 00000000 00:00 0
7f6655200000-7f6655201000 ---p 00000000 00:00 0
7f665523b000-7f6656af1000 r-xp 00000000 103:02 2233416 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7f6656af1000-7f6656cf0000 ---p 018b6000 103:02 2233416 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7f6656cf0000-7f6656cf1000 r--p 018b5000 103:02 2233416 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7f6656cf1000-7f6656cf2000 rw-p 018b6000 103:02 2233416 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
7f6656cf2000-7f6656e71000 r-xp 00000000 103:02 2233420 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7f6656e71000-7f6657071000 ---p 0017f000 103:02 2233420 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7f6657071000-7f6657081000 r--p 0017f000 103:02 2233420 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7f6657081000-7f6657082000 rw-p 0018f000 103:02 2233420 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
7f6657082000-7f6657086000 rw-p 00000000 00:00 0
7f6657086000-7f6657237000 r-xp 00000000 103:02 2237922 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7f6657237000-7f6657436000 ---p 001b1000 103:02 2237922 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7f6657436000-7f665743e000 r--p 001b0000 103:02 2237922 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7f665743e000-7f6657440000 rw-p 001b8000 103:02 2237922 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
7f6657440000-7f6657441000 rw-p 00000000 00:00 0
7f6657441000-7f6657e00000 r--p 00000000 103:02 2235565 /usr/lib/locale/locale-archive
7f6657e00000-7f66d7e00000 rw-p 00000000 00:00 0
7f66d7e00000-7f66d7e01000 ---p 00000000 00:00 0
7f66d7eff000-7f66d7f00000 ---p 00000000 00:00 0
7f66d7f00000-7f66d8000000 rw-p 00000000 00:00 0
7f66d8000000-7f66d8b29000 rw-p 00000000 00:00 0
7f66d8b29000-7f66dc000000 ---p 00000000 00:00 0
7f66dc000000-7f66dc022000 rw-p 00000000 00:00 0
7f66dc022000-7f66e0000000 ---p 00000000 00:00 0
7f66e008a000-7f66e008b000 ---p 00000000 00:00 0
7f66e008b000-7f66e018b000 rw-p 00000000 00:00 0
7f66e018b000-7f66e01c2000 r-xp 00000000 103:02 2236734 /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
7f66e01c2000-7f66e03c2000 ---p 00037000 103:02 2236734 /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
7f66e03c2000-7f66e03c5000 r--p 00037000 103:02 2236734 /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
7f66e03c5000-7f66e03c6000 rw-p 0003a000 103:02 2236734 /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
7f66e03c6000-7f66e03fb000 r-xp 00000000 103:02 2237572 /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
7f66e03fb000-7f66e05fb000 ---p 00035000 103:02 2237572 /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
7f66e05fb000-7f66e05fc000 r--p 00035000 103:02 2237572 /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
7f66e05fc000-7f66e05fd000 rw-p 00036000 103:02 2237572 /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
7f66e05fd000-7f66e05ff000 r-xp 00000000 103:02 2493292 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
7f66e05ff000-7f66e07fe000 ---p 00002000 103:02 2493292 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
7f66e07fe000-7f66e07ff000 r--p 00001000 103:02 2493292 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
7f66e07ff000-7f66e0800000 rw-p 00002000 103:02 2493292 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
7f66e0800000-7f66e0840000 rw-p 00000000 00:00 0
7f66e0840000-7f66e0841000 ---p 00000000 00:00 0
7f66e08ff000-7f66e0900000 ---p 00000000 00:00 0
7f66e0900000-7f66e0a00000 rw-p 00000000 00:00 0
7f66e0a00000-7f66e0a10000 rw-p 00000000 00:00 0
7f66e0a10000-7f66e0a11000 ---p 00000000 00:00 0
7f66e0aff000-7f66e0b00000 ---p 00000000 00:00 0
7f66e0b00000-7f66e0c00000 rw-p 00000000 00:00 0
7f66e0c00000-7f66e1c00000 rw-p 00000000 00:00 0
7f66e1c00000-7f66e1c01000 ---p 00000000 00:00 0
7f66e1cff000-7f66e1d00000 ---p 00000000 00:00 0
7f66e1d00000-7f66e1e00000 rw-p 00000000 00:00 0
7f66e1e00000-7f66e1e20000 rw-p 00000000 00:00 0
7f66e1e20000-7f66e1e21000 ---p 00000000 00:00 0
7f66e1e5c000-7f66e1eb3000 r--p 00000000 103:02 3277771 /usr/share/fonts/truetype/ubuntu-font-family/Ubuntu-R.ttf
7f66e1eb3000-7f66e1ebe000 r--s 00000000 103:02 3019418 /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-le64.cache-6
7f66e1ebe000-7f66e1ed3000 r--s 00000000 103:02 3019394 /var/cache/fontconfig/04aabc0a78ac019cf9454389977116d2-le64.cache-6
7f66e1eff000-7f66e1f00000 ---p 00000000 00:00 0
7f66e1f00000-7f66e2000000 rw-p 00000000 00:00 0
7f66e2000000-7f66e2040000 rw-p 00000000 00:00 0
7f66e2040000-7f66e2041000 ---p 00000000 00:00 0
7f66e204a000-7f66e204b000 rw-p 00000000 00:00 0
7f66e204b000-7f66e2051000 r--s 00000000 103:02 3019400 /var/cache/fontconfig/2cd17615ca594fa2959ae173292e504c-le64.cache-6
7f66e2051000-7f66e2052000 r--s 00000000 103:02 3019397 /var/cache/fontconfig/0d8c3b2ac0904cb8a57a757ad11a4a08-le64.cache-6
7f66e2052000-7f66e2053000 r--s 00000000 103:02 3019399 /var/cache/fontconfig/1ac9eb803944fde146138c791f5cc56a-le64.cache-6
7f66e2053000-7f66e2057000 r--s 00000000 103:02 3019404 /var/cache/fontconfig/385c0604a188198f04d133e54aba7fe7-le64.cache-6
7f66e2057000-7f66e2058000 r--s 00000000 103:02 3019431 /var/cache/fontconfig/dc05db6664285cc2f12bf69c139ae4c3-le64.cache-6
7f66e2058000-7f66e205b000 r--s 00000000 103:02 3019414 /var/cache/fontconfig/767a8244fc0220cfb567a839d0392e0b-le64.cache-6
7f66e205b000-7f66e2060000 r--s 00000000 103:02 3019417 /var/cache/fontconfig/8801497958630a81b71ace7c5f9b32a8-le64.cache-6
7f66e2060000-7f66e2067000 r--s 00000000 103:02 3019401 /var/cache/fontconfig/3047814df9a2f067bd2d96a2b9c36e5a-le64.cache-6
7f66e2067000-7f66e206d000 r--s 00000000 103:02 3019422 /var/cache/fontconfig/b47c4e1ecd0709278f4910c18777a504-le64.cache-6
7f66e206d000-7f66e2080000 r--s 00000000 103:02 3019428 /var/cache/fontconfig/d52a8644073d54c13679302ca1180695-le64.cache-6
7f66e2080000-7f66e208b000 r--s 00000000 103:02 3019416 /var/cache/fontconfig/83bf95040141907cd45bb53cf7c1c148-le64.cache-6
7f66e208b000-7f66e209d000 r--s 00000000 103:02 3019420 /var/cache/fontconfig/9b89f8e3dae116d678bbf48e5f21f69b-le64.cache-6
7f66e209d000-7f66e20bc000 r--s 00000000 103:02 2752558 /usr/share/mime/mime.cache
7f66e20bc000-7f66e20bd000 ---p 00000000 00:00 0
7f66e20bd000-7f66e21bd000 rw-p 00000000 00:00 0
7f66e21bd000-7f66e21be000 ---p 00000000 00:00 0
7f66e21be000-7f66e2ca2000 rw-p 00000000 00:00 0
7f66e2ca2000-7f66e2ca3000 ---p 00000000 00:00 0
7f66e2ca3000-7f66e2da3000 rw-p 00000000 00:00 0
7f66e2da3000-7f66e2da4000 ---p 00000000 00:00 0
7f66e2da4000-7f66e35a4000 rw-p 00000000 00:00 0
7f66e35a4000-7f66e35ab000 r-xp 00000000 103:02 2237425 /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7f66e35ab000-7f66e37ab000 ---p 00007000 103:02 2237425 /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7f66e37ab000-7f66e37ac000 r--p 00007000 103:02 2237425 /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7f66e37ac000-7f66e37ad000 rw-p 00008000 103:02 2237425 /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
7f66e37ad000-7f66e37d7000 r-xp 00000000 103:02 2233113 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f66e37d7000-7f66e39d6000 ---p 0002a000 103:02 2233113 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f66e39d6000-7f66e39d7000 r--p 00029000 103:02 2233113 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f66e39d7000-7f66e39d8000 rw-p 0002a000 103:02 2233113 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f66e39d8000-7f66e39e1000 r-xp 00000000 103:02 2237286 /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
7f66e39e1000-7f66e3be0000 ---p 00009000 103:02 2237286 /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
7f66e3be0000-7f66e3be1000 r--p 00008000 103:02 2237286 /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
7f66e3be1000-7f66e3be2000 rw-p 00009000 103:02 2237286 /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
7f66e3be2000-7f66e3bf6000 r-xp 00000000 103:02 2237676 /usr/lib/x86_64-linux-gnu/libtdb.so.1.3.8Aborted (core dumped)

Tags:

Revision history for this message

Dr. David Alan Gilbert (dgilbert-h) wrote on 2018-08-06:

I can recreate this here.

Changed in qemu:
status:	New → Confirmed

Revision history for this message

Dr. David Alan Gilbert (dgilbert-h) wrote on 2018-08-06:

Download full text (5.0 KiB)

#0  0x00007fffec275feb in raise () at /lib64/libc.so.6
#1  0x00007fffec2605c1 in abort () at /lib64/libc.so.6
#2  0x00007fffec2b89d7 in __libc_message () at /lib64/libc.so.6
#3  0x00007fffec2beeac in  () at /lib64/libc.so.6
#4  0x00007fffec2c091c in _int_free () at /lib64/libc.so.6
#5  0x00007ffff725b4d2 in g_free () at /lib64/libglib-2.0.so.0
#6  0x0000555555b49551 in m_free (m=0x7fffc44b0dd0) at /home/dgilbert/git/qemu/slirp/mbuf.c:114
#7  0x0000555555b4a33d in sbappend (so=<optimized out>, m=<optimized out>) at /home/dgilbert/git/qemu/slirp/sbuf.c:82
#8  0x0000555555b4d6ae in tcp_input (m=0x7fffc44b0dd0, iphlen=<optimized out>, inso=<optimized out>, af=<optimized out>)
    at /home/dgilbert/git/qemu/slirp/tcp_input.c:1300
#9  0x0000555555b48d98 in slirp_input (slirp=<optimized out>, pkt=0x7fffc44ad900 "RU\n", pkt_len=pkt_len@entry=66)
    at /home/dgilbert/git/qemu/slirp/slirp.c:875
#10 0x0000555555b378e0 in net_slirp_receive (nc=<optimized out>, buf=<optimized out>, size=66) at /home/dgilbert/git/qemu/net/slirp.c:121
#11 0x0000555555b2ff4e in nc_sendv_compat (flags=<optimized out>, iovcnt=3, iov=0x7fffceff9a40, nc=0x5555567d5e60)
    at /home/dgilbert/git/qemu/net/net.c:701
#12 0x0000555555b2ff4e in qemu_deliver_packet_iov (sender=<optimized out>, flags=<optimized out>, iov=0x7fffceff9a40, iovcnt=3, opaque=0x5555567d5e60)
    at /home/dgilbert/git/qemu/net/net.c:728
#13 0x0000555555b32744 in qemu_net_queue_deliver_iov (iovcnt=3, iov=0x7fffceff9a40, flags=0, sender=0x555557a70ae0, queue=0x5555567d6010)
    at /home/dgilbert/git/qemu/net/queue.c:179
#14 0x0000555555b32744 in qemu_net_queue_send_iov (queue=0x5555567d6010, sender=0x555557a70ae0, flags=0, iov=0x7fffceff9a40, iovcnt=3, sent_cb=<optimized out>) at /home/dgilbert/git/qemu/net/queue.c:224
#15 0x0000555555a6ec61 in net_tx_pkt_sendv (pkt=0x555557a71010, iov_cnt=3, iov=0x7fffceff9a40, nc=0x555557a70ae0)
    at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:546
#16 0x0000555555a6ec61 in net_tx_pkt_do_sw_fragmentation (pkt=pkt@entry=0x555557a71010, nc=nc@entry=0x555557a70ae0)
    at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:588
#17 0x0000555555a6f87f in net_tx_pkt_send (pkt=0x555557a71010, nc=nc@entry=0x555557a70ae0) at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:625
#18 0x0000555555a78ff8 in e1000e_tx_pkt_send (queue_index=<optimized out>, tx=0x555557a1d1e8, core=0x5555579fcf80)
    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:665
#19 0x0000555555a78ff8 in e1000e_process_tx_desc (queue_index=<optimized out>, dp=0x7fffceff9f30, tx=0x555557a1d1e8, core=0x5555579fcf80)
    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:742
#20 0x0000555555a78ff8 in e1000e_start_xmit (core=0x5555579fcf80, txr=<optimized out>, txr=<optimized out>)
    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:933
#21 0x0000555555a792b9 in e1000e_set_tdt (core=<optimized out>, index=<optimized out>, val=<optimized out>)
    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:2450
#22 0x0000555555a7c0a5 in e1000e_core_write (core=0x5555579fcf80, addr=<optimized out>, val=220, size=4)
    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:3255
#23 0x0000555555876c37 in memory_region_write_accessor (mr=0x5555579fcbb0, addr=14360, value=<optimized out>, size=4, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/dgilbert/git/qemu/memory.c:527
---Type <return> to continue, or q <return> to quit---
 out>, access_size_max=<optimized out>, access_fn=0x555555876bc0 <memory_region_write_accessor>, mr=0x5555579fcbb0, attrs=...) at /home/dgilbert/git/qemu/memory.c:594
#25 0x00005555558794c1 in memory_region_dispatch_write (mr=mr@entry=0x5555579fcbb0, addr=14360, data=<optimized out>, size=4, attrs=attrs@entry=...) at /home/dgilbert/git/qemu/memory.c:1479
#26 0x0000555555823833 in flatview_write_continue (fv=fv@entry=0x7fffc50aebc0, addr=addr@entry=4273485848, attrs=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=len@entry=4, addr1=<optimized out>, l=<optimized out>, mr=0x5555579fcbb0) at /home/dgilbert/git/qemu/exec.c:3255
#27 0x0000555555823a59 in flatview_write (fv=0x7fffc50aebc0, addr=4273485848, attrs=..., buf=0x7ffff7ff3028 <incomplete sequence \334>, len=4) at /home/dgilbert/git/qemu/exec.c:3294
#28 0x000055555582737f in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=<optimized out>) at /home/dgilbert/git/qemu/exec.c:3384
#29 0x000055555582740a in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=<optimized out>, is_write=<optimized out>)
    at /home/dgilbert/git/qemu/exec.c:3395
#30 0x000055555588b7b8 in kvm_cpu_exec (cpu=cpu@entry=0x55555683ddf0) at /home/dgilbert/git/qemu/accel/kvm/kvm-all.c:1979
#31 0x0000555555862896 in qemu_kvm_cpu_thread_fn (arg=0x55555683ddf0) at /home/dgilbert/git/qemu/cpus.c:1215
#32 0x00007fffec605594 in start_thread () at /lib64/libpthread.so.0
#33 0x00007fffec3390df in clone () at /lib64/libc.so.6

(This is with a fedora guest, so that's irrelevant)

Revision history for this message

Dr. David Alan Gilbert (dgilbert-h) wrote on 2018-08-06:

Looks like it might be e1000e specific?
I can recreate it with either q35 with no extra options (it has e1000e by default), pc or q35 specifying e1000e, but plain pc works fine.

Simple test; scp bigfile from guest to user@10.0.2.2: (i.e. host)

Dave

Revision history for this message

Zihan Yang (bigerfish) wrote on 2018-08-07:

It's indeed e1000e specific, when I change e1000e to e1000, I can upload file freely. Looks like there is an overflow somewhere in e1000e that corrupted the heap chunk header.

Revision history for this message

Li Qiang (liq3ea) wrote on 2018-08-07:

Download full text (6.7 KiB)

Hi,

I have find the overflow point using ASAN.

void
m_cat(struct mbuf *m, struct mbuf *n)
{
/*
  * If there's no room, realloc
  */
if (M_FREEROOM(m) < n->m_len)
  m_inc(m, m->m_len + n->m_len);

memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
m->m_len += n->m_len;

m_free(n);
}

/* make m 'size' bytes large from m_data */
void
m_inc(struct mbuf *m, int size)
{
int datasize;

    /* some compilers throw up on gotos. This one we can fake. */
    if (m->m_size > size) {
        return;
    }

    if (m->m_flags & M_EXT) {
        datasize = m->m_data - m->m_ext;
        m->m_ext = g_realloc(m->m_ext, size + datasize);
    } else {
        datasize = m->m_data - m->m_dat;
        m->m_ext = g_malloc(size + datasize);
        memcpy(m->m_ext, m->m_dat, m->m_size);
        m->m_flags |= M_EXT;
    }

m->m_data = m->m_ext + datasize;
m->m_size = size + datasize;
}

Here m_cat catenates two mbuf, when the first has no buffer, it allocates an M_EXT.
In m_inc, g_malloc called, then return m_cat, the next call to m_cat will trigger oob write.

Seems the m_len is too big.
In my debug, I see the m->m_len is 0x5b0, but datasize in m_inc is 0x40. Is this right?

Thanks,
Li Qiang

==17835==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000041dd0 at pc 0x7ffff6e9ad7b bp 0x7fffc6b215d0 sp 0x7fffc6b20d80
WRITE of size 28 at 0x61f000041dd0 thread T4
    #0 0x7ffff6e9ad7a (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x55555663fa71 in m_cat slirp/mbuf.c:143
    #2 0x555556632cdd in ip_reass slirp/ip_input.c:341
    #3 0x555556631609 in ip_input slirp/ip_input.c:190
    #4 0x55555663bd91 in slirp_input slirp/slirp.c:874
    #5 0x555556600d6f in net_slirp_receive net/slirp.c:121
    #6 0x5555565e8192 in nc_sendv_compat net/net.c:701
    #7 0x5555565e8322 in qemu_deliver_packet_iov net/net.c:728
    #8 0x5555565edda2 in qemu_net_queue_deliver_iov net/queue.c:179
    #9 0x5555565edfaa in qemu_net_queue_send_iov net/queue.c:224
    #10 0x5555565e8547 in qemu_sendv_packet_async net/net.c:764
    #11 0x5555565e8574 in qemu_sendv_packet net/net.c:772
    #12 0x55555636657c in net_tx_pkt_sendv hw/net/net_tx_pkt.c:546
    #13 0x5555563668f3 in net_tx_pkt_do_sw_fragmentation hw/net/net_tx_pkt.c:588
    #14 0x555556366c93 in net_tx_pkt_send hw/net/net_tx_pkt.c:625
    #15 0x55555638586c in e1000e_tx_pkt_send hw/net/e1000e_core.c:665
    #16 0x555556385fca in e1000e_process_tx_desc hw/net/e1000e_core.c:742
    #17 0x555556387680 in e1000e_start_xmit hw/net/e1000e_core.c:933
    #18 0x55555638f390 in e1000e_set_tdt hw/net/e1000e_core.c:2450
    #19 0x5555563911cb in e1000e_core_write hw/net/e1000e_core.c:3255
    #20 0x555556370524 in e1000e_mmio_write hw/net/e1000e.c:105
    #21 0x555555d4ec07 in memory_region_write_accessor /home/liqiang02/qemu-devel/qemu/memory.c:527
    #22 0x555555d4eee3 in access_with_adjusted_size /home/liqiang02/qemu-devel/qemu/memory.c:594
    #23 0x555555d54d16 in memory_region_dispatch_write /home/liqiang02/qemu-devel/qemu/memory.c:1473
    #24 0x555555c94b76 in flatview_write_continue /home/liqiang02/qemu-devel/qemu/exec.c:3255
    #25 0x555555c94da1 in flatview_write /home/liqiang02/qem...

Hi, 
 
I have find the overflow point using ASAN.
 
void
m_cat(struct mbuf *m, struct mbuf *n)
{
 /*
  * If there's no room, realloc
  */
 if (M_FREEROOM(m) < n->m_len)
  m_inc(m, m->m_len + n->m_len);
 
 memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
 m->m_len += n->m_len;
 
 m_free(n);
}

/* make m 'size' bytes large from m_data */
void
m_inc(struct mbuf *m, int size)
{
    int datasize;
 
    /* some compilers throw up on gotos.  This one we can fake. */
    if (m->m_size > size) {
        return;
    }
 
    if (m->m_flags & M_EXT) {
        datasize = m->m_data - m->m_ext;
        m->m_ext = g_realloc(m->m_ext, size + datasize);
    } else {
        datasize = m->m_data - m->m_dat;
        m->m_ext = g_malloc(size + datasize);
        memcpy(m->m_ext, m->m_dat, m->m_size);
        m->m_flags |= M_EXT;
    }
 
    m->m_data = m->m_ext + datasize;
    m->m_size = size + datasize;
}
 
Here m_cat catenates two mbuf, when the first has no buffer, it allocates an M_EXT.
In m_inc, g_malloc called, then return m_cat, the next call to m_cat will trigger oob write.
 
Seems the m_len is too big.
In my debug, I see the m->m_len is 0x5b0, but datasize in m_inc is 0x40. Is this right?
 
Thanks,
Li Qiang
 
==17835==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000041dd0 at pc 0x7ffff6e9ad7b bp 0x7fffc6b215d0 sp 0x7fffc6b20d80
WRITE of size 28 at 0x61f000041dd0 thread T4
    #0 0x7ffff6e9ad7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x55555663fa71 in m_cat slirp/mbuf.c:143
    #2 0x555556632cdd in ip_reass slirp/ip_input.c:341
    #3 0x555556631609 in ip_input slirp/ip_input.c:190
    #4 0x55555663bd91 in slirp_input slirp/slirp.c:874
    #5 0x555556600d6f in net_slirp_receive net/slirp.c:121
    #6 0x5555565e8192 in nc_sendv_compat net/net.c:701
    #7 0x5555565e8322 in qemu_deliver_packet_iov net/net.c:728
    #8 0x5555565edda2 in qemu_net_queue_deliver_iov net/queue.c:179
    #9 0x5555565edfaa in qemu_net_queue_send_iov net/queue.c:224
    #10 0x5555565e8547 in qemu_sendv_packet_async net/net.c:764
    #11 0x5555565e8574 in qemu_sendv_packet net/net.c:772
    #12 0x55555636657c in net_tx_pkt_sendv hw/net/net_tx_pkt.c:546
    #13 0x5555563668f3 in net_tx_pkt_do_sw_fragmentation hw/net/net_tx_pkt.c:588
    #14 0x555556366c93 in net_tx_pkt_send hw/net/net_tx_pkt.c:625
    #15 0x55555638586c in e1000e_tx_pkt_send hw/net/e1000e_core.c:665
    #16 0x555556385fca in e1000e_process_tx_desc hw/net/e1000e_core.c:742
    #17 0x555556387680 in e1000e_start_xmit hw/net/e1000e_core.c:933
    #18 0x55555638f390 in e1000e_set_tdt hw/net/e1000e_core.c:2450
    #19 0x5555563911cb in e1000e_core_write hw/net/e1000e_core.c:3255
    #20 0x555556370524 in e1000e_mmio_write hw/net/e1000e.c:105
    #21 0x555555d4ec07 in memory_region_write_accessor /home/liqiang02/qemu-devel/qemu/memory.c:527
    #22 0x555555d4eee3 in access_with_adjusted_size /home/liqiang02/qemu-devel/qemu/memory.c:594
    #23 0x555555d54d16 in memory_region_dispatch_write /home/liqiang02/qemu-devel/qemu/memory.c:1473
    #24 0x555555c94b76 in flatview_write_continue /home/liqiang02/qemu-devel/qemu/exec.c:3255
    #25 0x555555c94da1 in flatview_write /home/liqiang02/qemu-devel/qemu/exec.c:3294
    #26 0x555555c95354 in address_space_write /home/liqiang02/qemu-devel/qemu/exec.c:3384
    #27 0x555555c953a5 in address_space_rw /home/liqiang02/qemu-devel/qemu/exec.c:3395
    #28 0x555555d92c4d in kvm_cpu_exec /home/liqiang02/qemu-devel/qemu/accel/kvm/kvm-all.c:1979
    #29 0x555555d18936 in qemu_kvm_cpu_thread_fn /home/liqiang02/qemu-devel/qemu/cpus.c:1215
    #30 0x5555569afef1 in qemu_thread_start util/qemu-thread-posix.c:504
    #31 0x7fffdadbd493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #32 0x7fffdaafface in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8ace)
 
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a) 
Shadow bytes around the buggy address:
  0x0c3e80000360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80000370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80000390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e800003a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3e800003b0: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
  0x0c3e800003c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e800003d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e800003e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e800003f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T4 created by T0 here:
    #0 0x7ffff6e6ef59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x5555569b012f in qemu_thread_create util/qemu-thread-posix.c:534
    #2 0x555555d1b7b9 in qemu_kvm_start_vcpu /home/liqiang02/qemu-devel/qemu/cpus.c:1935
    #3 0x555555d1bf6c in qemu_init_vcpu /home/liqiang02/qemu-devel/qemu/cpus.c:2001
    #4 0x555555f682de in x86_cpu_realizefn /home/liqiang02/qemu-devel/qemu/target/i386/cpu.c:4996
    #5 0x55555621c00c in device_set_realized hw/core/qdev.c:826
    #6 0x5555566f962f in property_set_bool qom/object.c:1984
    #7 0x5555566f5bfc in object_property_set qom/object.c:1176
    #8 0x5555566fbdce in object_property_set_qobject qom/qom-qobject.c:27
    #9 0x5555566f5f19 in object_property_set_bool qom/object.c:1242
    #10 0x555555edf7d7 in pc_new_cpu /home/liqiang02/qemu-devel/qemu/hw/i386/pc.c:1107
    #11 0x555555edfc98 in pc_cpus_init /home/liqiang02/qemu-devel/qemu/hw/i386/pc.c:1155
    #12 0x555555ef2451 in pc_q35_init /home/liqiang02/qemu-devel/qemu/hw/i386/pc_q35.c:130
    #13 0x555555ef37f4 in pc_init_v3_0 /home/liqiang02/qemu-devel/qemu/hw/i386/pc_q35.c:320
    #14 0x55555622ca6d in machine_run_board_init hw/core/machine.c:830
    #15 0x555556099045 in main /home/liqiang02/qemu-devel/qemu/vl.c:4516
    #16 0x7fffdaa372e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

Revision history for this message

Dr. David Alan Gilbert (dgilbert-h) wrote on 2018-08-07:

For me:
c22098c74a fails
864036e251 fails
3835c310bd doesn't crash, but sometimes the outbound connection hangs.

So perhaps the crash is 864036e251f54c99d31df124aad7f34f01f5344c

Revision history for this message

Peter Maydell (pmaydell) wrote on 2018-08-07:

http://patchwork.ozlabs.org/patch/954491/ is a patch which should fix this crash.

Revision history for this message

Zihan Yang (bigerfish) wrote on 2018-08-07:

Glad to see such a quick fix, and ASAN looks like a great tool :)

Revision history for this message

Thomas Huth (th-huth) wrote on 2018-08-15:

Fix has been included here:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=09b94ac0f29db3b022a77

Changed in qemu:
status:	Confirmed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.