From: "Michael S. Tsirkin" <mst@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Stefan Hajnoczi" <stefanha@gmail.com>,
peter.maydell@linaro.org, bsd@redhat.com,
qemu-devel <qemu-devel@nongnu.org>,
"Andreas Färber" <afaerber@suse.de>
Subject: Re: [Qemu-devel] Use-after-free during unrealize in system_reset
Date: Mon, 9 Jun 2014 11:15:51 +0300 [thread overview]
Message-ID: <20140609081551.GA12135@redhat.com> (raw)
In-Reply-To: <5395679C.6070605@redhat.com>
On Mon, Jun 09, 2014 at 09:51:56AM +0200, Paolo Bonzini wrote:
> Il 08/06/2014 16:52, Michael S. Tsirkin ha scritto:
> >On Sun, Jun 08, 2014 at 04:40:56PM +0200, Paolo Bonzini wrote:
> >>Il 08/06/2014 12:46, Michael S. Tsirkin ha scritto:
> >>>Tested-by: Michael S. Tsirkin <mst@redhat.com>
> >>
> >>You probably tested the reversal, actually. :)
> >>
> >>Actually, there is a reason for it. "Unassembling" the device
> >>(unparent) should come after "powering it down" (unrealize).
> >>
> >>However, the bus is missing a recursive unrealization of the devices
> >>below it prior to calling bc->unrealize:
> >>
> >>diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> >>index e65a5aa..4282491 100644
> >>--- a/hw/core/qdev.c
> >>+++ b/hw/core/qdev.c
> >>@@ -567,32 +567,35 @@ static void bus_set_realized(Object *obj, bool value,
> >>Error **errp)
> >> {
> >> BusState *bus = BUS(obj);
> >> BusClass *bc = BUS_GET_CLASS(bus);
> >>+ BusChild *kid;
> >> Error *local_err = NULL;
> >>
> >> if (value && !bus->realized) {
> >> if (bc->realize) {
> >> bc->realize(bus, &local_err);
> >>-
> >>- if (local_err != NULL) {
> >>- goto error;
> >>- }
> >>-
> >> }
> >>+
> >>+ /* TODO: recursive realization */
> >> } else if (!value && bus->realized) {
> >>- if (bc->unrealize) {
> >>+ QTAILQ_FOREACH(kid, &bus->children, sibling) {
> >>+ DeviceState *dev = kid->child;
> >>+ object_property_set_bool(OBJECT(dev), false, "realized",
> >>+ &local_err);
> >>+ if (local_err != NULL) {
> >>+ break;
> >>+ }
> >>+ }
> >>+ if (bc->unrealize && local_err == NULL) {
> >> bc->unrealize(bus, &local_err);
> >>-
> >>- if (local_err != NULL) {
> >>- goto error;
> >>- }
> >> }
> >> }
> >>
> >>+ if (local_err != NULL) {
> >>+ error_propagate(errp, local_err);
> >>+ return;
> >>+ }
> >>+
> >> bus->realized = value;
> >>- return;
> >>-
> >>-error:
> >>- error_propagate(errp, local_err);
> >> }
> >>
> >> void qbus_create_inplace(void *bus, size_t size, const char *typename,
> >>
> >>
> >>This seems to fix the bug too.
> >>
> >>Paolo
> >
> >Want to submit as a proper patch?
>
> I can, but I suppose Andreas will watch this when he's back and comment.
>
> Paolo
I don't think we want to keep such serious memory corruptors out of
tree. We can always revert the fix if necessary, for now
it's impossible for people to test hotplug properly,
this blocks progress.
--
MST
next prev parent reply other threads:[~2014-06-09 8:15 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-05 15:31 [Qemu-devel] Use-after-free during unrealize in system_reset Stefan Hajnoczi
2014-06-05 16:18 ` Michael S. Tsirkin
2014-06-06 9:03 ` Stefan Hajnoczi
2014-06-06 9:52 ` Paolo Bonzini
2014-06-08 10:46 ` Michael S. Tsirkin
2014-06-08 14:40 ` Paolo Bonzini
2014-06-08 14:52 ` Michael S. Tsirkin
2014-06-08 14:52 ` Michael S. Tsirkin
2014-06-09 7:51 ` Paolo Bonzini
2014-06-09 8:15 ` Michael S. Tsirkin [this message]
2014-06-09 17:02 ` Bandan Das
2014-06-11 12:03 ` Andreas Färber
2014-06-11 12:24 ` Paolo Bonzini
2014-06-11 15:51 ` Bandan Das
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140609081551.GA12135@redhat.com \
--to=mst@redhat.com \
--cc=afaerber@suse.de \
--cc=bsd@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).