[PATCH 0/3] Three small fixes over qom-list-properties crash

[PATCH 0/3] Three small fixes over qom-list-properties crash

[Peter Xu]

Markus's report is here:

https://lore.kernel.org/r/87a4uvw066.fsf@pond.sub.org

These three that are relevant to either migration or memory, so I had a
look.

Peter Xu (3):
  colo-compare: Fix QMP qom-list-properties crashing
  system/ioport: Fix qom-list-properties crash on portio list obj
  qio: Fix qom-list-properties crash on net listener object

 io/net-listener.c  | 14 +++++++++-----
 net/colo-compare.c |  9 +++++++++
 system/ioport.c    | 11 +++++++++--
 3 files changed, 27 insertions(+), 7 deletions(-)

-- 
2.53.0

[PATCH 1/3] colo-compare: Fix QMP qom-list-properties crashing

[Peter Xu]

Many of the colo_compare_finalize() code relies on complete() done in the
first place, hence the crash.  Fix it by detecting if complete() is
executed, skip the rest when not.

Link: https://lore.kernel.org/r/87a4uvw066.fsf@pond.sub.org
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 net/colo-compare.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index c356419d6a..bae9d9c07a 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -1416,6 +1416,15 @@ static void colo_compare_finalize(Object *obj)
             break;
         }
     }
+    /*
+     * If this object is never visible (colo_compare_complete() not invoked
+     * or failed), skip the rest.  One path to trigger this is QMP command
+     * qom-list-properties.
+     */
+    if (tmp != s) {
+        qemu_mutex_unlock(&colo_compare_mutex);
+        return;
+    }
     if (QTAILQ_EMPTY(&net_compares)) {
         colo_compare_active = false;
         qemu_mutex_destroy(&event_mtx);
-- 
2.53.0

[PATCH 2/3] system/ioport: Fix qom-list-properties crash on portio list obj

[Peter Xu]

Currently qom-list-properties QMP command will crash when querying the
portio list MR object.  It's because its finalize() assumes full
initialization done in portio_list_add_1().

Provide a simple fix for now to avoid the crash.  There is chance for a
longer term fix, ideally MR should be initialized in instance_init().

However that'll need more work, and that should also be done with cleaning
the hard-coded MR operations in portio_list_add_1().  To be explored.

Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Link: https://lore.kernel.org/r/87a4uvw066.fsf@pond.sub.org
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 system/ioport.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/system/ioport.c b/system/ioport.c
index 9209bff2ea..1a0e01fd06 100644
--- a/system/ioport.c
+++ b/system/ioport.c
@@ -346,8 +346,15 @@ static void memory_region_portio_list_finalize(Object *obj)
 {
     MemoryRegionPortioList *mrpio = MEMORY_REGION_PORTIO_LIST(obj);
 
-    object_unref(&mrpio->mr);
-    g_free(mrpio->ports);
+    /*
+     * This check makes sure any random object_new() (without doing the
+     * rest inits in portio_list_add_1()) will not crash when finalizing.
+     * One example is QMP command qom-list-properties.
+     */
+    if (mrpio->ports) {
+        object_unref(&mrpio->mr);
+        g_free(mrpio->ports);
+    }
 }
 
 static const TypeInfo memory_region_portio_list_info = {
-- 
2.53.0

[PATCH 3/3] qio: Fix qom-list-properties crash on net listener object

[Peter Xu]

The QIO net listener object will crash with raw object_new() then
dereference the object, like what QMP command qom-list-properties would do.
Fix it by moving mutex init into instance_init().

Cc: Daniel P. Berrangé <berrange@redhat.com>
Link: https://lore.kernel.org/r/87a4uvw066.fsf@pond.sub.org
Reported-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 io/net-listener.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/io/net-listener.c b/io/net-listener.c
index 9410d72da9..a772756eb5 100644
--- a/io/net-listener.c
+++ b/io/net-listener.c
@@ -35,11 +35,7 @@ struct QIONetListenerSource {
 
 QIONetListener *qio_net_listener_new(void)
 {
-    QIONetListener *listener;
-
-    listener = QIO_NET_LISTENER(object_new(TYPE_QIO_NET_LISTENER));
-    qemu_mutex_init(&listener->lock);
-    return listener;
+    return QIO_NET_LISTENER(object_new(TYPE_QIO_NET_LISTENER));
 }
 
 void qio_net_listener_set_name(QIONetListener *listener,
@@ -440,6 +436,13 @@ qio_net_listener_get_local_address(QIONetListener *listener, size_t n,
     return qio_channel_socket_get_local_address(sioc, errp);
 }
 
+static void qio_net_listener_init(Object *obj)
+{
+    QIONetListener *listener = QIO_NET_LISTENER(obj);
+
+    qemu_mutex_init(&listener->lock);
+}
+
 static void qio_net_listener_finalize(Object *obj)
 {
     QIONetListener *listener = QIO_NET_LISTENER(obj);
@@ -462,6 +465,7 @@ static void qio_net_listener_finalize(Object *obj)
 static const TypeInfo qio_net_listener_info = {
     .parent = TYPE_OBJECT,
     .name = TYPE_QIO_NET_LISTENER,
+    .instance_init = qio_net_listener_init,
     .instance_size = sizeof(QIONetListener),
     .instance_finalize = qio_net_listener_finalize,
 };
-- 
2.53.0

Re: [PATCH 3/3] qio: Fix qom-list-properties crash on net listener object

[Daniel P. Berrangé]

On Thu, Apr 23, 2026 at 02:32:12PM -0400, Peter Xu wrote:
> The QIO net listener object will crash with raw object_new() then
> dereference the object, like what QMP command qom-list-properties would do.
> Fix it by moving mutex init into instance_init().
> 
> Cc: Daniel P. Berrangé <berrange@redhat.com>
> Link: https://lore.kernel.org/r/87a4uvw066.fsf@pond.sub.org
> Reported-by: Markus Armbruster <armbru@redhat.com>
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>  io/net-listener.c | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Re: [PATCH 0/3] Three small fixes over qom-list-properties crash

[Markus Armbruster]

Peter Xu <peterx@redhat.com> writes:

> Markus's report is here:
>
> https://lore.kernel.org/r/87a4uvw066.fsf@pond.sub.org
>
> These three that are relevant to either migration or memory, so I had a
> look.

Thank you!

Series
Tested-by: Markus Armbruster <armbru@redhat.com>

Suggest to include the reproducer in the commit messages.

Re: [PATCH 0/3] Three small fixes over qom-list-properties crash

[Peter Xu]

On Fri, Apr 24, 2026 at 09:01:31AM +0200, Markus Armbruster wrote:
> Peter Xu <peterx@redhat.com> writes:
> 
> > Markus's report is here:
> >
> > https://lore.kernel.org/r/87a4uvw066.fsf@pond.sub.org
> >
> > These three that are relevant to either migration or memory, so I had a
> > look.
> 
> Thank you!
> 
> Series
> Tested-by: Markus Armbruster <armbru@redhat.com>
> 
> Suggest to include the reproducer in the commit messages.
> 

I saw Marc-André sent a more comprehensive series; I'll drop this one then.
Thanks for taking a look.

-- 
Peter Xu