From: "Michael S. Tsirkin" <mst@redhat.com>
To: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Cc: qemu-devel@nongnu.org, "Peter Maydell" <peter.maydell@linaro.org>,
"Joelle van Dyne" <j@getutm.app>,
"Akihiko Odaki" <odaki@rsg.ci.i.u-tokyo.ac.jp>,
"Alex Bennée" <alex.bennee@linaro.org>
Subject: Re: [PULL 41/51] virtio-gpu-virgl: correct parent for blob memory region
Date: Thu, 12 Feb 2026 01:29:03 -0500 [thread overview]
Message-ID: <20260212012653-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <4eb93d7a-1fa9-4b3c-8ad7-a2eb64f025a0@collabora.com>
On Wed, Feb 11, 2026 at 11:46:51PM +0300, Dmitry Osipenko wrote:
> On 2/4/26 22:04, Michael S. Tsirkin wrote:
> > From: Joelle van Dyne <j@getutm.app>
> >
> > When `owner` == `mr`, `object_unparent` will crash:
> >
> > object_unparent(mr) ->
> > object_property_del_child(mr, mr) ->
> > object_finalize_child_property(mr, name, mr) ->
> > object_unref(mr) ->
> > object_finalize(mr) ->
> > object_property_del_all(mr) ->
> > object_finalize_child_property(mr, name, mr) ->
> > object_unref(mr) ->
> > fail on g_assert(obj->ref > 0)
> >
> > However, passing a different `owner` to `memory_region_init` does not
> > work. `memory_region_ref` has an optimization where it takes a ref
> > only on the owner. That means when flatviews are created, it does not
> > take a ref on the region and you can get a UAF from `flatview_destroy`
> > called from RCU.
> >
> > The correct fix therefore is to use `NULL` as the name which will set
> > the `owner` but not the `parent` (which is still NULL). This allows us
> > to use `memory_region_ref` on itself while not having to rely on unparent
> > for cleanup.
> >
> > Signed-off-by: Joelle van Dyne <j@getutm.app>
> > Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
> > Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > Message-Id: <20260103214400.71694-1-j@getutm.app>
> > ---
> > hw/display/virtio-gpu-virgl.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
> > index 07f6355ad6..6a83fb63c8 100644
> > --- a/hw/display/virtio-gpu-virgl.c
> > +++ b/hw/display/virtio-gpu-virgl.c
> > @@ -120,7 +120,7 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g,
> > vmr->g = g;
> >
> > mr = &vmr->mr;
> > - memory_region_init_ram_ptr(mr, OBJECT(mr), "blob", size, data);
> > + memory_region_init_ram_ptr(mr, OBJECT(mr), NULL, size, data);
> > memory_region_add_subregion(&b->hostmem, offset, mr);
> > memory_region_set_enabled(mr, true);
> >
> > @@ -186,7 +186,7 @@ virtio_gpu_virgl_unmap_resource_blob(VirtIOGPU *g,
> > /* memory region owns self res->mr object and frees it by itself */
> > memory_region_set_enabled(mr, false);
> > memory_region_del_subregion(&b->hostmem, mr);
> > - object_unparent(OBJECT(mr));
> > + object_unref(OBJECT(mr));
> > }
> >
> > return 0;
>
> Hello Michael,
>
> This patch introduces regression. Running any venus application results
> in a crash:
>
> Thread 2 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> (gdb) bt
> #0 0x00007ffff56565e2 in __strcmp_evex () at /lib64/libc.so.6
> #1 0x0000555555841bdb in find_fd (head=0x5555572337d0 <cpr_state>,
> name=0x0, id=0) at ../migration/cpr.c:68
> #2 cpr_delete_fd (name=name@entry=0x0, id=id@entry=0) at
> ../migration/cpr.c:77
> #3 0x000055555582290a in qemu_ram_free (block=0x7ff7e93aa7f0) at
> ../system/physmem.c:2615
> #4 0x000055555581ae02 in memory_region_finalize (obj=<optimized out>)
> at ../system/memory.c:1816
> #5 0x0000555555a70ab9 in object_deinit (obj=<optimized out>,
> type=<optimized out>) at ../qom/object.c:715
> #6 object_finalize (data=0x7ff7e936eff0) at ../qom/object.c:729
> #7 object_unref (objptr=0x7ff7e936eff0) at ../qom/object.c:1232
> #8 0x0000555555814fae in memory_region_unref (mr=<optimized out>) at
> ../system/memory.c:1848
> #9 flatview_destroy (view=0x555559ed6c40) at ../system/memory.c:301
> #10 0x0000555555bfc122 in call_rcu_thread (opaque=<optimized out>) at
> ../util/rcu.c:324
> #11 0x0000555555bf17a7 in qemu_thread_start (args=0x555557b99520) at
> ../util/qemu-thread-posix.c:393
> #12 0x00007ffff556f464 in start_thread () at /lib64/libc.so.6
> #13 0x00007ffff55f25ac in __clone3 () at /lib64/libc.so.6
>
> There is a v2 version of this patch that doesn't crash [1]. Was v1
> applied by mistake instead of v2?
>
> [1] https://lore.kernel.org/qemu-devel/20251223184023.1913-1-j@getutm.app/
>
> --
> Best regards,
> Dmitry
According to my records, what was applied is v3:
https://lore.kernel.org/qemu-devel/20260103214400.71694-1-j@getutm.app/
--
MST
next prev parent reply other threads:[~2026-02-12 6:29 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-04 19:16 [PULL 00/51] virtio,pci,pc: features, fixes Michael S. Tsirkin
2026-02-04 19:02 ` [PULL 01/51] vhost-user: ancilliary -> ancillary Michael S. Tsirkin
2026-02-04 19:02 ` [PULL 02/51] hw/cxl/cxl-mailbox-utils: Move declaration of scrub and ECS feature attributes in cmd_features_set_feature() Michael S. Tsirkin
2026-02-04 19:02 ` [PULL 03/51] hw/cxl: Add support for Maintenance command and Post Package Repair (PPR) Michael S. Tsirkin
2026-02-04 19:02 ` [PULL 04/51] hw/cxl: Add emulation for memory sparing control feature Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 05/51] qapi: cxl: Refactor CXL event injection for common commands arguments Michael S. Tsirkin
2026-02-05 6:45 ` Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 06/51] hw/cxl/events: Update for rev3.2 common event record format Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 07/51] hw/cxl/events: Updates for rev3.2 general media event record Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 08/51] hw/cxl/events: Updates for rev3.2 DRAM " Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 09/51] hw/cxl/events: Updates for rev3.2 memory module " Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 10/51] pci/shpc: Do not unparent in instance_finalize() Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 11/51] hw/pci-host: Set DEVICE_CATEGORY_BRIDGE once in parent class_init() Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 12/51] intel_iommu: Add an IOMMU index for pre-translated addresses Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 13/51] intel_iommu: Support memory operations with " Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 14/51] pcie: Add a function to check if pasid privileged mode is enabled Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 15/51] pci: Block ATS requests when privileged mode is disabled Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 16/51] intel_iommu: Handle insufficient permissions during translation requests Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 17/51] intel_iommu: Minimal handling of privileged ATS request Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 18/51] intel_iommu: Add a CLI option to enable SVM Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 19/51] x86: q35: ich9: add 'wdat' property Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 20/51] acpi: add API to build WDAT instructions Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 21/51] x86: q35: generate WDAT ACPI table Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 22/51] tests: x86: q35: acpi: add WDAT table test case Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 23/51] tests: acpi: update expected WDAT blob Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 24/51] virtio/vhost: don't consider non-MAP_SHARED regions public Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 25/51] vdpa: fix vhost-vdpa suspended state not be shared Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 26/51] acpi/ghes: Automate data block cleanup in acpi_ghes_memory_errors() Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 27/51] acpi/ghes: Abort in acpi_ghes_memory_errors() if necessary Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 28/51] target/arm/kvm: Exit on error from acpi_ghes_memory_errors() Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 29/51] acpi/ghes: Bail early on error from get_ghes_source_offsets() Michael S. Tsirkin
2026-02-04 19:03 ` [PULL 30/51] acpi/ghes: Use error_fatal in acpi_ghes_memory_errors() Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 31/51] vhost: accept indirect descriptors in shadow virtqueue Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 32/51] virtio-dmabuf: Ensure UUID persistence for hash table insertion Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 33/51] virtio: Fix crash when sriov-pf is set for non-PCI-Express device Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 34/51] pcie_sriov: Fix PCI_SRIOV_* accesses in pcie_sriov_pf_exit() Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 35/51] q35: Fix migration of SMRAM state Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 36/51] standard-headers: Update virtio_spi.h from Linux v6.18-rc3 Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 37/51] virtio-spi: Add vhost-user-spi device support Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 38/51] hw/virtio/virtio-crypto: verify asym request size Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 39/51] cryptodev-builtin: Limit the maximum size Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 40/51] MAINTAINERS: Update VIOT maintainer Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 41/51] virtio-gpu-virgl: correct parent for blob memory region Michael S. Tsirkin
2026-02-11 20:46 ` Dmitry Osipenko
2026-02-11 21:32 ` Joelle van Dyne
2026-02-11 22:53 ` Dmitry Osipenko
2026-02-12 7:01 ` Michael S. Tsirkin
2026-02-12 11:00 ` Dmitry Osipenko
2026-02-12 23:57 ` Joelle van Dyne
2026-02-13 0:01 ` Michael S. Tsirkin
2026-02-13 13:07 ` Dmitry Osipenko
2026-02-13 13:27 ` Dmitry Osipenko
2026-02-13 13:30 ` Michael Tokarev
2026-02-13 14:04 ` Dmitry Osipenko
2026-02-13 14:16 ` Dmitry Osipenko
2026-02-12 6:29 ` Michael S. Tsirkin [this message]
2026-02-13 14:29 ` Peter Maydell
2026-02-13 16:18 ` Alex Bennée
2026-02-13 19:48 ` Joelle van Dyne
2026-02-16 15:31 ` Dmitry Osipenko
2026-02-04 19:04 ` [PULL 42/51] virtio-pmem: ignore empty queue notifications Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 43/51] virtio-gpu: fix error handling in virgl_cmd_resource_create_blob Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 44/51] virtio-gpu: use consistent error checking for virtio_gpu_create_mapping_iov Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 45/51] vhost-user.rst: specify vhost-user back-end action on GET_VRING_BASE Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 46/51] vhost-user: introduce protocol feature for skip drain " Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 47/51] vmstate: introduce VMSTATE_VBUFFER_UINT64 Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 48/51] vhost: add vmstate for inflight region with inner buffer Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 49/51] vhost-user-blk: support inter-host inflight migration Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 50/51] hw/cxl: Check for overflow on santize media as both base and offset 64bit Michael S. Tsirkin
2026-02-04 19:04 ` [PULL 51/51] hw/cxl: Take into account how many media operations are requested for param check Michael S. Tsirkin
2026-02-05 6:31 ` [PULL 00/51] virtio,pci,pc: features, fixes Michael S. Tsirkin
2026-02-05 6:51 ` Michael S. Tsirkin
2026-02-05 7:00 ` Michael S. Tsirkin
2026-02-05 9:39 ` Igor Mammedov
2026-02-05 9:56 ` Peter Maydell
2026-02-05 12:08 ` [PULL v2 00/38] " Michael S. Tsirkin
2026-02-05 16:02 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260212012653-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=alex.bennee@linaro.org \
--cc=dmitry.osipenko@collabora.com \
--cc=j@getutm.app \
--cc=odaki@rsg.ci.i.u-tokyo.ac.jp \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.