Memory Leak in hpet_timer results in unusable machine
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Invalid | Undecided | Unassigned |
Bug Description
Fair warning: this might be specific to QTest (specifically its clock_step command). This reproducer only works with -accel qtest. Build with --enable-sanitizers to exit once we hit 1G RSS.
export ASAN_OPTIONS=
cat << EOF | ./i386-
-nodefaults -qtest stdio -accel qtest
writeq 0xfed0000e 0x15151515151515f1
clock_step
clock_step
clock_step
clock_step
writeq 0xfed00100 0x5e90c5be00ff5e9e
writeq 0xfed00109 0xffffe0ff5cfec0ff
clock_step
EOF
On my machine it takes around 10 seconds to reach the RSS limit.
Unfortunately, I can't find a way to tell ASAN to log each malloc to figure out what's going on, but running the original fuzzing test case with the libfuzzer -trace_malloc=2 flag, I found that the allocations happen here:
MALLOC[130968] 0x60300069ac90 32
#0 0x55fa3f615851 in __sanitizer_
#1 0x55fa3f55fe88 in fuzzer:
#2 0x55fa3f5447d6 in fuzzer:
#3 0x55fa3f61bbb7 in __sanitizer:
#4 0x55fa3f596d75 in __asan:
#5 0x55fa3f596f7a in __asan:
#6 0x55fa3f60d173 in calloc (/home/
#7 0x7fb300737548 in g_malloc0 (/usr/lib/
#8 0x55fa40157689 in async_run_on_cpu /home/alxndr/
#9 0x55fa409fab83 in hpet_timer /home/alxndr/
#10 0x55fa416a5751 in timerlist_
#11 0x55fa3fcfdac4 in qtest_clock_warp /home/alxndr/
#12 0x55fa3fd65c35 in qtest_process_
#13 0x55fa3fd5e128 in qtest_process_inbuf /home/alxndr/
#14 0x55fa3fd5de67 in qtest_server_
#15 0x55fa4142b64b in qtest_sendf /home/alxndr/
#16 0x55fa4142c482 in qtest_clock_
#17 0x55fa414b12d1 in general_fuzz /home/alxndr/
It doesn't look like we ever exit out of the loop in timerlist_
Info From GDB:
#0 0x0000555558070d31 in address_
#1 0x0000555558071339 in address_
#2 0x000055555a6a6f95 in update_irq (timer=
#3 0x000055555a6ae55f in hpet_timer (opaque=
#4 0x000055555c03d178 in timerlist_
#5 0x000055555c03d6b5 in qemu_clock_
#6 0x0000555558c3d0c4 in qtest_clock_warp (dest=0x3461864) at /home/alxndr/
-Alex
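The report pins the leak down by reading libFuzzer's -trace_malloc=2 output by hand. As an added example (not part of the bug report or of QEMU), the script below replays such a trace, drops allocations that were later freed, and attributes the still-live bytes to the first non-allocator frames of each stack, so a single callback such as hpet_timer -> async_run_on_cpu stands out. The trace embedded in it is constructed in the shape of that output, with made-up addresses; the SKIP prefix list is an assumption about which frames are allocator plumbing.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of libFuzzer -trace_malloc=2 output (not the real
# trace): "MALLOC[seq] addr size" / "FREE[seq] addr" headers, each followed by frames.
SAMPLE_TRACE = """\
MALLOC[1] 0x60300069ac90 32
    #0 0x55fa3f615851 in __sanitizer_malloc_hook (asan)
    #1 0x55fa3f60d173 in calloc (asan)
    #2 0x7fb300737548 in g_malloc0 (glib)
    #3 0x55fa40157689 in async_run_on_cpu (qemu)
    #4 0x55fa409fab83 in hpet_timer (qemu)
MALLOC[2] 0x611000000100 256
    #0 0x55fa3f60d000 in malloc (asan)
    #1 0x55fa3fd5e128 in qtest_process_inbuf (qemu)
MALLOC[3] 0x60300069acc0 32
    #0 0x55fa3f60d173 in calloc (asan)
    #1 0x7fb300737548 in g_malloc0 (glib)
    #2 0x55fa40157689 in async_run_on_cpu (qemu)
    #3 0x55fa409fab83 in hpet_timer (qemu)
FREE[4] 0x611000000100
    #0 0x55fa3fd5e128 in qtest_process_inbuf (qemu)
"""

MALLOC_RE = re.compile(r"^MALLOC\[\d+\]\s+(0x[0-9a-fA-F]+)\s+(\d+)\s*$")
FREE_RE = re.compile(r"^FREE\[\d+\]\s+(0x[0-9a-fA-F]+)\s*$")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)")
# Assumed allocator/sanitizer plumbing: skipped when choosing whom to blame.
SKIP = ("__sanitizer", "__asan", "__interceptor", "fuzzer::",
        "malloc", "calloc", "realloc", "g_malloc", "g_new", "g_try")

def blame_frame(frames, depth=2):
    # Innermost `depth` frames that are not allocator plumbing, joined inner -> outer.
    chain = [s for s in frames if not s.startswith(SKIP)][:depth]
    return " <- ".join(chain) if chain else "<unknown>"

def live_allocations_by_caller(trace, depth=2):
    # Replay MALLOC/FREE records; return {caller chain: (count, bytes)} still live.
    live, current = {}, None  # addr -> (size, frames); addr whose frames we collect
    for line in trace.splitlines():
        if m := MALLOC_RE.match(line):
            current = m.group(1)
            live[current] = (int(m.group(2)), [])
        elif m := FREE_RE.match(line):
            live.pop(m.group(1), None)
            current = None  # frames after a FREE header belong to the free, not a malloc
        elif (m := FRAME_RE.match(line)) and current in live:
            live[current][1].append(m.group(1))
    summary = defaultdict(lambda: [0, 0])
    for size, frames in live.values():
        entry = summary[blame_frame(frames, depth)]
        entry[0] += 1
        entry[1] += size
    return {k: (n, b) for k, (n, b) in summary.items()}
```

Run it over a real trace by piping libFuzzer's stderr into a file and passing its contents to live_allocations_by_caller; the caller chain with the steadily growing count is the one to inspect.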
Still reproduces with the current git version (commit 7fe7fae8b48e3f9 c647)