From: Huang Rui <ray.huang@amd.com>
To: Akihiko Odaki <akihiko.odaki@daynix.com>
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
"Michael S . Tsirkin" <mst@redhat.com>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Anthony PERARD" <anthony.perard@citrix.com>,
"Antonio Caggiano" <antonio.caggiano@collabora.com>,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
"Robert Beckett" <bob.beckett@collabora.com>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
"Alex Bennée" <alex.bennee@linaro.org>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"ernunes@redhat.com" <ernunes@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Alyssa Ross" <hi@alyssa.is>,
"Roger Pau Monné" <roger.pau@citrix.com>,
"Deucher, Alexander" <Alexander.Deucher@amd.com>,
"Koenig, Christian" <Christian.Koenig@amd.com>,
"Ragiadakou, Xenia" <Xenia.Ragiadakou@amd.com>,
"Pelloux-Prayer,
Pierre-Eric" <Pierre-eric.Pelloux-prayer@amd.com>,
"Huang, Honglei1" <Honglei1.Huang@amd.com>,
"Zhang, Julia" <Julia.Zhang@amd.com>,
"Chen, Jiqian" <Jiqian.Chen@amd.com>
Subject: Re: [QEMU PATCH v4 07/13] softmmu/memory: enable automatic deallocation of memory regions
Date: Tue, 5 Sep 2023 17:07:20 +0800 [thread overview]
Message-ID: <ZPbvyDsikvvzierv@amd.com> (raw)
In-Reply-To: <b988f9d4-69d7-4cc4-b13e-3e697acf9fe9@daynix.com>
On Thu, Aug 31, 2023 at 06:10:08PM +0800, Akihiko Odaki wrote:
> On 2023/08/31 18:32, Huang Rui wrote:
> > From: Xenia Ragiadakou <xenia.ragiadakou@amd.com>
> >
> > When the memory region has a different life-cycle from that of her parent,
> > could be automatically released, once has been unparent and once all of her
> > references have gone away, via the object's free callback.
> >
> > However, currently, references to the memory region are held by its owner
> > without first incrementing the memory region object's reference count.
> > As a result, the automatic deallocation of the object, not taking into
> > account those references, results in use-after-free memory corruption.
> >
> > This patch increases the reference count of the memory region object on
> > each memory_region_ref() and decreases it on each memory_region_unref().
> >
> > Signed-off-by: Xenia Ragiadakou <xenia.ragiadakou@amd.com>
> > Signed-off-by: Huang Rui <ray.huang@amd.com>
> > ---
> >
> > New patch
> >
> > softmmu/memory.c | 19 +++++++++++++++++--
> > 1 file changed, 17 insertions(+), 2 deletions(-)
> >
> > diff --git a/softmmu/memory.c b/softmmu/memory.c
> > index 7d9494ce70..0fdd5eebf9 100644
> > --- a/softmmu/memory.c
> > +++ b/softmmu/memory.c
> > @@ -1797,6 +1797,15 @@ Object *memory_region_owner(MemoryRegion *mr)
> >
> > void memory_region_ref(MemoryRegion *mr)
> > {
> > + if (!mr) {
> > + return;
> > + }
> > +
> > + /* Obtain a reference to prevent the memory region object
> > + * from being released under our feet.
> > + */
> > + object_ref(OBJECT(mr));
> > +
> > /* MMIO callbacks most likely will access data that belongs
> > * to the owner, hence the need to ref/unref the owner whenever
> > * the memory region is in use.
> > @@ -1807,16 +1816,22 @@ void memory_region_ref(MemoryRegion *mr)
> > * Memory regions without an owner are supposed to never go away;
> > * we do not ref/unref them because it slows down DMA sensibly.
> > */
>
> The collapsed comment says:
> > The memory region is a child of its owner. As long as the
> > owner doesn't call unparent itself on the memory region,
> > ref-ing the owner will also keep the memory region alive.
> > Memory regions without an owner are supposed to never go away;
> > we do not ref/unref them because it slows down DMA sensibly.
>
> It contradicts with this patch.
The reason that we modify it is because we would like to address the memory
leak issue in the original codes. Please see below, we find the memory
region will be crashed once we free(unref) the simple resource, because the
region will be freed in object_finalize() after unparent and the ref count
is to 0. Then the VM will be crashed with this.
In virgl_cmd_resource_map_blob():
memory_region_init_ram_device_ptr(res->region, OBJECT(g), NULL, size, data);
OBJECT(res->region)->free = g_free;
memory_region_add_subregion(&b->hostmem, mblob.offset, res->region);
memory_region_set_enabled(res->region, true);
In virtio_gpu_virgl_resource_unmap():
memory_region_set_enabled(res->region, false);
memory_region_del_subregion(&b->hostmem, res->region);
object_unparent(OBJECT(res->region));
res->region = NULL;
I spent a bit more time to understand your point, do you want me to update
corresponding comments or you have some concern about this change?
Thanks,
Ray
>
> > - if (mr && mr->owner) {
> > + if (mr->owner) {
> > object_ref(mr->owner);
> > }
> > }
> >
> > void memory_region_unref(MemoryRegion *mr)
> > {
> > - if (mr && mr->owner) {
> > + if (!mr) {
> > + return;
> > + }
> > +
> > + if (mr->owner) {
> > object_unref(mr->owner);
> > }
> > +
> > + object_unref(OBJECT(mr));
> > }
> >
> > uint64_t memory_region_size(MemoryRegion *mr)
next prev parent reply other threads:[~2023-09-05 9:13 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-31 9:32 [QEMU PATCH v4 00/13] Support blob memory and venus on qemu Huang Rui
2023-08-31 9:32 ` [QEMU PATCH v4 01/13] virtio: Add shared memory capability Huang Rui
2023-08-31 9:32 ` [QEMU PATCH v4 02/13] virtio-gpu: CONTEXT_INIT feature Huang Rui
2023-08-31 9:32 ` [QEMU PATCH v4 03/13] virtio-gpu: hostmem Huang Rui
2023-08-31 9:32 ` [QEMU PATCH v4 04/13] virtio-gpu: blob prep Huang Rui
2023-08-31 9:32 ` [QEMU PATCH v4 05/13] virtio-gpu: Support context init feature with virglrenderer Huang Rui
2023-08-31 9:41 ` Philippe Mathieu-Daudé
2023-08-31 9:32 ` [QEMU PATCH v4 06/13] virtio-gpu: Configure context init for virglrenderer Huang Rui
2023-08-31 9:39 ` Philippe Mathieu-Daudé
2023-09-04 6:45 ` Huang Rui via
2023-08-31 9:32 ` [QEMU PATCH v4 07/13] softmmu/memory: enable automatic deallocation of memory regions Huang Rui
2023-08-31 10:10 ` Akihiko Odaki
2023-09-05 9:07 ` Huang Rui [this message]
2023-09-05 9:17 ` Akihiko Odaki
2023-09-05 13:29 ` Huang Rui
2023-08-31 9:32 ` [QEMU PATCH v4 08/13] virtio-gpu: Don't require udmabuf when blobs and virgl are enabled Huang Rui
2023-08-31 9:32 ` [QEMU PATCH v4 09/13] virtio-gpu: Handle resource blob commands Huang Rui
2023-08-31 10:24 ` Akihiko Odaki
2023-09-05 9:08 ` Huang Rui
2023-09-05 9:20 ` Akihiko Odaki
2023-09-06 3:09 ` Huang Rui
2023-09-06 3:39 ` Akihiko Odaki
2023-09-06 7:56 ` Huang Rui
2023-09-06 14:16 ` Akihiko Odaki
2023-08-31 9:32 ` [QEMU PATCH v4 10/13] virtio-gpu: Resource UUID Huang Rui
2023-08-31 10:36 ` Akihiko Odaki
2023-09-09 9:09 ` Huang Rui
2023-09-10 4:21 ` Akihiko Odaki
2023-09-13 7:55 ` Albert Esteve
2023-09-13 10:34 ` Akihiko Odaki
2023-09-13 11:34 ` Albert Esteve
2023-09-13 12:22 ` Akihiko Odaki
2023-09-13 12:58 ` Albert Esteve
2023-09-13 13:43 ` Akihiko Odaki
2023-09-13 14:18 ` Albert Esteve
2023-09-13 14:27 ` Albert Esteve
2023-09-14 7:17 ` Akihiko Odaki
2023-09-14 8:29 ` Albert Esteve
2023-09-14 16:55 ` Akihiko Odaki
2023-09-15 9:56 ` Albert Esteve
2023-08-31 9:32 ` [QEMU PATCH v4 11/13] virtio-gpu: Support Venus capset Huang Rui
2023-08-31 10:43 ` Akihiko Odaki
2023-09-09 9:29 ` Huang Rui
2023-09-10 4:32 ` Akihiko Odaki
2023-08-31 9:32 ` [QEMU PATCH v4 12/13] virtio-gpu: Initialize Venus Huang Rui
2023-08-31 10:40 ` Antonio Caggiano
2023-08-31 15:51 ` Dmitry Osipenko
2023-09-09 10:53 ` Huang Rui via
2023-09-12 13:44 ` Dmitry Osipenko
2023-09-09 10:52 ` Huang Rui
2023-08-31 9:32 ` [QEMU PATCH v4 13/13] virtio-gpu: Enable virglrenderer render server flag for venus Huang Rui
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZPbvyDsikvvzierv@amd.com \
--to=ray.huang@amd.com \
--cc=Alexander.Deucher@amd.com \
--cc=Christian.Koenig@amd.com \
--cc=Honglei1.Huang@amd.com \
--cc=Jiqian.Chen@amd.com \
--cc=Julia.Zhang@amd.com \
--cc=Pierre-eric.Pelloux-prayer@amd.com \
--cc=Xenia.Ragiadakou@amd.com \
--cc=akihiko.odaki@daynix.com \
--cc=alex.bennee@linaro.org \
--cc=anthony.perard@citrix.com \
--cc=antonio.caggiano@collabora.com \
--cc=bob.beckett@collabora.com \
--cc=dgilbert@redhat.com \
--cc=dmitry.osipenko@collabora.com \
--cc=ernunes@redhat.com \
--cc=gurchetansingh@chromium.org \
--cc=hi@alyssa.is \
--cc=kraxel@redhat.com \
--cc=mst@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=roger.pau@citrix.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).