From: Paolo Bonzini <pbonzini@redhat.com>
To: Igor Mammedov <imammedo@redhat.com>, Fam Zheng <famz@redhat.com>
Cc: jsnow@redhat.com, qemu-devel@nongnu.org, ehabkost@redhat.com
Subject: Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path
Date: Tue, 2 Aug 2016 15:05:28 +0200	[thread overview]
Message-ID: <d28c25cb-7e20-50b5-3a1c-361f7745d217@redhat.com> (raw)
In-Reply-To: <20160802095507.6055409b@nial.brq.redhat.com>
On 02/08/2016 09:55, Igor Mammedov wrote:
> On Tue,  2 Aug 2016 11:41:41 +0800
> Fam Zheng <famz@redhat.com> wrote:
> 
>> Since 69382d8b (qdev: Fix object reference leak in case device.realize()
>> fails), object_property_set_bool could release the object. The error
>> path wants the type name, so hold a reference before realizing it.
>>
>> Cc: Igor Mammedov <imammedo@redhat.com>
>> Signed-off-by: Fam Zheng <famz@redhat.com>
>> ---
>>  hw/core/qdev.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
>> index ee4a083..5783442 100644
>> --- a/hw/core/qdev.c
>> +++ b/hw/core/qdev.c
>> @@ -354,12 +354,14 @@ void qdev_init_nofail(DeviceState *dev)
>>  
>>      assert(!dev->realized);
>>  
>> +    object_ref(OBJECT(dev));
>>      object_property_set_bool(OBJECT(dev), true, "realized", &err);
>>      if (err) {
>>          error_reportf_err(err, "Initialization of device %s failed: ",
>>                            object_get_typename(OBJECT(dev)));
>>          exit(1);
>>      }
>> +    object_unref(OBJECT(dev));
>>  }
>>  
>>  void qdev_machine_creation_done(void)
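Review bot: the object_ref()/object_unref() pair added around object_property_set_bool() has no comment explaining why it exists, and the unref after the if block is only reached on success because the error path calls exit(1) before it; a one-line comment above `object_ref(OBJECT(dev));` saying the reference only keeps dev alive for the `object_get_typename(OBJECT(dev))` call in error_reportf_err() would save the next reader from wondering whether something else depends on it. If the type name stays valid after the object is released, reading it into a local before the realize call would achieve the same without touching the reference count at all.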
> 
> I'm not sure that this is the right fix; commit 69382d8b only affects
> the reference created by realize() itself.
> Probably the reference counting is wrong somewhere else;
> for a typical device the call sequence is the following:
> 
>  qdev_create() {
>     object_new() -> ref == 1
>     qdev_set_parent_bus() -> ref == 2
>     object_unref() -> ref == 1
>  } -> ref == 1
>  
>  do property settings and other stuff ...
> 
>  
>  qdev_init_nofail() { called with ref == 1
>     object_property_set_bool(true, "realized")
>     if error:
>           ref == 1

If there is an error and the device was unattached, you get here:

    if (unattached_parent) {
        object_unparent(OBJECT(dev));
        unattached_count--;
    }

and object_unparent undoes qdev_set_parent_bus so that the refcount
drops to 0.

Paolo

>     else:
>           ref == 2 (+1 for implicitly assigned parent)
>  }
> 
> 

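The reference-count trace Igor sketches and Paolo's explanation of the unattached error path can be followed in a small model. This is a constructed example added here, not QEMU code; `Obj`, `obj_*`, `model_qdev_create` and `typename_read_is_safe` are stand-ins for the QOM functions named in the thread, and the bus is modelled as the single parent link that object_unparent() later removes.

```c
/* Constructed model (not QEMU code) of the sequence described in the thread:
 * after qdev_create() the device's only reference is owned by its parent link,
 * so object_unparent() in the realize error path drops it to zero before
 * object_get_typename() reads the object. hold_ref models the patch's fix. */
#include <stdlib.h>

typedef struct Obj {
    int ref;            /* QOM-style reference count */
    int freed;          /* set instead of calling free() so the result can be inspected */
    struct Obj *parent; /* non-NULL once a parent link exists */
    const char *tname;  /* what object_get_typename() would return */
} Obj;

static Obj *obj_new(const char *tname) {
    Obj *o = calloc(1, sizeof *o);
    o->ref = 1;
    o->tname = tname;
    return o;
}
static void obj_ref(Obj *o)   { o->ref++; }
static void obj_unref(Obj *o) { if (--o->ref == 0) { o->freed = 1; o->tname = NULL; } }
/* The parent link owns a reference, like object_property_add_child(). */
static void obj_set_parent(Obj *o, Obj *parent) { o->parent = parent; obj_ref(o); }
/* object_unparent(): drop the link together with the reference it owned. */
static void obj_unparent(Obj *o) { if (o->parent) { o->parent = NULL; obj_unref(o); } }

/* qdev_create(): object_new() -> 1, qdev_set_parent_bus() -> 2, object_unref() -> 1 */
static Obj *model_qdev_create(Obj *bus, const char *tname) {
    Obj *dev = obj_new(tname);
    obj_set_parent(dev, bus);
    obj_unref(dev);
    return dev;
}
static int refcount_after_create(void) {
    Obj bus = { .ref = 1 }; Obj *d = model_qdev_create(&bus, "x"); int r = d->ref; free(d); return r;
}

/* Realize failure on the device: the error path unparents it (Paolo's snippet). */
static int model_realize_failing(Obj *dev) { obj_unparent(dev); return -1; }

/* Run qdev_init_nofail()'s error path and report whether the type-name read that
 * error_reportf_err() performs happens on a live object. hold_ref == 1 is the patch. */
static int typename_read_is_safe(int hold_ref) {
    Obj bus = { .ref = 1 };
    Obj *dev = model_qdev_create(&bus, "pci-device");   /* constructed type name */
    if (hold_ref) obj_ref(dev);                          /* patch: object_ref(OBJECT(dev)) */
    int safe = model_realize_failing(dev) < 0 && !dev->freed && dev->tname != NULL;
    if (hold_ref) obj_unref(dev);                        /* real code exit(1)s here instead */
    free(dev);
    return safe;
}
```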