From: Huang Rui <ray.huang@amd.com>
To: "Akihiko Odaki" <akihiko.odaki@daynix.com>,
	"Marc-André Lureau" <marcandre.lureau@gmail.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Michael S . Tsirkin" <mst@redhat.com>,
	"Stefano Stabellini" <sstabellini@kernel.org>,
	"Anthony PERARD" <anthony.perard@citrix.com>,
	"Antonio Caggiano" <quic_acaggian@quicinc.com>,
	"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
	"Robert Beckett" <bob.beckett@collabora.com>,
	"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
	"Gert Wollny" <gert.wollny@collabora.com>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	qemu-devel@nongnu.org
Cc: xen-devel@lists.xenproject.org,
	"Gurchetan Singh" <gurchetansingh@chromium.org>,
	ernunes@redhat.com, "Alyssa Ross" <hi@alyssa.is>,
	"Roger Pau Monné" <roger.pau@citrix.com>,
	"Alex Deucher" <alexander.deucher@amd.com>,
	"Stefano Stabellini" <stefano.stabellini@amd.com>,
	"Christian König" <christian.koenig@amd.com>,
	"Xenia Ragiadakou" <xenia.ragiadakou@amd.com>,
	"Pierre-Eric Pelloux-Prayer" <pierre-eric.pelloux-prayer@amd.com>,
	"Honglei Huang" <honglei1.huang@amd.com>,
	"Julia Zhang" <julia.zhang@amd.com>,
	"Chen Jiqian" <Jiqian.Chen@amd.com>,
	"Huang Rui" <ray.huang@amd.com>
Subject: [PATCH v6 06/11] softmmu/memory: enable automatic deallocation of memory regions
Date: Tue, 19 Dec 2023 15:53:15 +0800
Message-ID: <20231219075320.165227-7-ray.huang@amd.com>
In-Reply-To: <20231219075320.165227-1-ray.huang@amd.com>

From: Xenia Ragiadakou <xenia.ragiadakou@amd.com>

When the memory region has a different life-cycle from that of its parent,
it can be automatically released, once it has been unparented and once all of
its references have gone away, via the object's free callback.

However, currently, the address space subsystem keeps references to the
memory region without first incrementing its object's reference count.
As a result, the automatic deallocation of the object, not taking into
account those references, results in use-after-free memory corruption.

More specifically, a reference to the memory region is kept in flatview
ranges. If the reference count of the memory region is not incremented,
flatview_destroy(), which is asynchronous, may be called after the memory
region's destruction. If the reference count of the memory region is
incremented, the memory region's destruction will take place after
flatview_destroy() has released its references.

This patch increases the reference count of an owned memory region object
on each memory_region_ref() and decreases it on each memory_region_unref().

Signed-off-by: Xenia Ragiadakou <xenia.ragiadakou@amd.com>
Signed-off-by: Huang Rui <ray.huang@amd.com>
---

Changes in v6:
- remove the in-code comment because it is confusing, and explain the issue
  that the patch attempts to fix in more detail in the commit message

 system/memory.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/system/memory.c b/system/memory.c
index 304fa843ea..4d5e7e7a4c 100644
--- a/system/memory.c
+++ b/system/memory.c
@@ -1824,6 +1824,7 @@ void memory_region_ref(MemoryRegion *mr)
      * we do not ref/unref them because it slows down DMA sensibly.
      */
     if (mr && mr->owner) {
+        object_ref(OBJECT(mr));
         object_ref(mr->owner);
     }
 }
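Review bot: the new object_ref(OBJECT(mr)) sits inside the same `if (mr && mr->owner)` guard as the owner ref, so unowned regions remain un-refcounted exactly as the comment above requires for DMA performance; that is correct, but for owned regions this doubles the atomic refcount traffic on the same hot path the comment is worried about, so the commit message should state the expected performance impact (or why it is negligible), and it would help to mention that the region is ref'd before its owner so readers can check the unref order in memory_region_unref() against it.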
@@ -1832,6 +1833,7 @@ void memory_region_unref(MemoryRegion *mr)
 {
     if (mr && mr->owner) {
         object_unref(mr->owner);
+        object_unref(OBJECT(mr));
     }
 }
 
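Review bot: the release order here (object_unref(mr->owner) first, then object_unref(OBJECT(mr))) is not the mirror of the acquisition order in memory_region_ref(), where the region is ref'd before the owner. Releasing in reverse acquisition order, i.e. `object_unref(OBJECT(mr));` followed by `object_unref(mr->owner);`, guarantees the region's free callback can only run while its owner is still held by this caller, which is the property the commit message is trying to establish; if the current order is deliberate (for example because the owner's own finalizer is expected to unparent the region first), a one-line comment saying so would prevent the next reader from "fixing" it.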
-- 
2.25.1
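A toy model of the lifetime bug the commit message describes, added here as an illustration and not QEMU's own code: `Object`, `MemoryRegion`, `FlatRange` and the ref/unref helpers are hypothetical simplifications of the QEMU names, and `simulate()` compares the pre-patch behaviour (ref the owner only) with the patched one (also ref the region).

```c
/* Added example: a minimal refcount model of the issue, not QEMU code. */
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical Object: refcount plus a flag standing in for the free callback. */
typedef struct Object { int ref; bool freed; } Object;
typedef struct MemoryRegion { Object obj; Object *owner; } MemoryRegion;
typedef struct FlatRange { MemoryRegion *mr; } FlatRange;   /* flatview keeps a raw pointer */

static void object_ref(Object *o) { o->ref++; }
static void object_unref(Object *o) { if (--o->ref == 0) o->freed = true; } /* "free" callback */

/* Pre-patch: only the owner is ref'd.  Patched (fixed == true): the region too. */
static void memory_region_ref(MemoryRegion *mr, bool fixed)
{
    if (mr && mr->owner) {
        if (fixed) object_ref(&mr->obj);
        object_ref(mr->owner);
    }
}
static void memory_region_unref(MemoryRegion *mr, bool fixed)
{
    if (mr && mr->owner) {
        object_unref(mr->owner);
        if (fixed) object_unref(&mr->obj);
    }
}

/* The region's life-cycle differs from its owner's: it is unparented while the
 * owner lives on, which drops the reference the parent held on it. */
static void object_unparent(MemoryRegion *mr) { object_unref(&mr->obj); }

/* Returns true if the asynchronous flatview_destroy() would touch a freed region. */
bool simulate(bool fixed)
{
    Object dev = { .ref = 1, .freed = false };                 /* owner device */
    MemoryRegion mr = { .obj = { .ref = 1, .freed = false }, .owner = &dev }; /* ref held by parent */
    FlatRange fr = { .mr = &mr };

    memory_region_ref(fr.mr, fixed);   /* flatview takes its reference */
    object_unparent(&mr);              /* region released by its parent early */

    bool use_after_free = mr.obj.freed; /* state when flatview_destroy() finally runs */
    memory_region_unref(fr.mr, fixed);  /* flatview_destroy() drops its reference */
    return use_after_free;
}
```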