Xen project Mailing List

Re: [QEMU PATCH v4 07/13] softmmu/memory: enable automatic deallocation of memory regions

To: Akihiko Odaki <akihiko.odaki@xxxxxxxxxx>

Date: Tue, 5 Sep 2023 21:29:52 +0800

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=H0EvEhSxCOUFPRdO6OaJzKLDAzBGY2q3d/3oKLd5TG0=; b=HHsbF7JerWClNZ59LGKb3Up+e6e2kfyGkDS4SnunoXcmYjZBL4fZcL6/gAku4amW1DaRuJ0B+ZMOaWtUCA5GQzBX+Z4+k9GqXN+ZtVgGcTVVT7puRXb9FR1MJDIjTCTzb6CKwNMfZAFs8ZblMPy+0YSrkzipuq8w4Qo2p44M5E5N7tmqHKV6dMTG+f6h5kiDudWzW6Xw2qz8wWN6ar1NzD5sNPph3t4fPQ4RH8oRtSdwVqcSyUT5Xv6TuzNJKNG9BmLSDjVGoRXmDISp257saMU0+DwzZV4CinMXVUPc53PGmvTlnddGHHCXmk4EE1Qz6un2/dvelZ2M8LDyqfp5UQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MIfWOeEtFjTmuOKYVogyoWUFs19QXdkV/FRr/wRg7xFroqTxkJGKJ1Bx6ttfi5V3ZpMom8R1r1FSOb3+JjGbRfC9eoZe0nQgQuhI536ZuZNp2xjp8dift024IycJ7743UKYbjWEHyLtcJvNE0gQZxGG18k9bS26VnTT65PGdFT50LcJupVjybQo63HqjU42X/v00ArvDuisJn2JjI3q3FlM4VvmpO9Bu9EEuR9XZcuyGCG4PQYcxplYW0AyLnlmoPU8cavhjpVmD2weATWdU3gdqmu1XS5fxJdzwARVHLbNGLURBCPXiuE1JcQKysjRgywnxHBeJAX7KRrlnzQLomw==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com;

Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>, "Michael S . Tsirkin" <mst@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Antonio Caggiano <antonio.caggiano@xxxxxxxxxxxxx>, "Dr . David Alan Gilbert" <dgilbert@xxxxxxxxxx>, Robert Beckett <bob.beckett@xxxxxxxxxxxxx>, Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx>, Alex Bennée <alex.bennee@xxxxxxxxxx>, "qemu-devel@xxxxxxxxxx" <qemu-devel@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Gurchetan Singh <gurchetansingh@xxxxxxxxxxxx>, "ernunes@xxxxxxxxxx" <ernunes@xxxxxxxxxx>, Philippe Mathieu-Daudé <philmd@xxxxxxxxxx>, Alyssa Ross <hi@xxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Deucher, Alexander" <Alexander.Deucher@xxxxxxx>, "Koenig, Christian" <Christian.Koenig@xxxxxxx>, "Ragiadakou, Xenia" <Xenia.Ragiadakou@xxxxxxx>, "Pelloux-Prayer, Pierre-Eric" <Pierre-eric.Pelloux-prayer@xxxxxxx>, "Huang, Honglei1" <Honglei1.Huang@xxxxxxx>, "Zhang, Julia" <Julia.Zhang@xxxxxxx>, "Chen, Jiqian" <Jiqian.Chen@xxxxxxx>

Delivery-date: Tue, 05 Sep 2023 13:30:42 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Sep 05, 2023 at 05:17:32PM +0800, Akihiko Odaki wrote: > On 2023/09/05 18:07, Huang Rui wrote: > > On Thu, Aug 31, 2023 at 06:10:08PM +0800, Akihiko Odaki wrote: > >> On 2023/08/31 18:32, Huang Rui wrote: > >>> From: Xenia Ragiadakou <xenia.ragiadakou@xxxxxxx> > >>> > >>> When the memory region has a different life-cycle from that of her parent, > >>> could be automatically released, once has been unparent and once all of > >>> her > >>> references have gone away, via the object's free callback. > >>> > >>> However, currently, references to the memory region are held by its owner > >>> without first incrementing the memory region object's reference count. > >>> As a result, the automatic deallocation of the object, not taking into > >>> account those references, results in use-after-free memory corruption. > >>> > >>> This patch increases the reference count of the memory region object on > >>> each memory_region_ref() and decreases it on each memory_region_unref(). > >>> > >>> Signed-off-by: Xenia Ragiadakou <xenia.ragiadakou@xxxxxxx> > >>> Signed-off-by: Huang Rui <ray.huang@xxxxxxx> > >>> --- > >>> > >>> New patch > >>> > >>> softmmu/memory.c | 19 +++++++++++++++++-- > >>> 1 file changed, 17 insertions(+), 2 deletions(-) > >>> > >>> diff --git a/softmmu/memory.c b/softmmu/memory.c > >>> index 7d9494ce70..0fdd5eebf9 100644 > >>> --- a/softmmu/memory.c > >>> +++ b/softmmu/memory.c > >>> @@ -1797,6 +1797,15 @@ Object *memory_region_owner(MemoryRegion *mr) > >>> > >>> void memory_region_ref(MemoryRegion *mr) > >>> { > >>> + if (!mr) { > >>> + return; > >>> + } > >>> + > >>> + /* Obtain a reference to prevent the memory region object > >>> + * from being released under our feet. > >>> + */ > >>> + object_ref(OBJECT(mr)); > >>> + > >>> /* MMIO callbacks most likely will access data that belongs > >>> * to the owner, hence the need to ref/unref the owner whenever > >>> * the memory region is in use. > >>> @@ -1807,16 +1816,22 @@ void memory_region_ref(MemoryRegion *mr) > >>> * Memory regions without an owner are supposed to never go away; > >>> * we do not ref/unref them because it slows down DMA sensibly. > >>> */ > >> > >> The collapsed comment says: > >> > The memory region is a child of its owner. As long as the > >> > owner doesn't call unparent itself on the memory region, > >> > ref-ing the owner will also keep the memory region alive. > >> > Memory regions without an owner are supposed to never go away; > >> > we do not ref/unref them because it slows down DMA sensibly. > >> > >> It contradicts with this patch. > > > > The reason that we modify it is because we would like to address the memory > > leak issue in the original codes. Please see below, we find the memory > > region will be crashed once we free(unref) the simple resource, because the > > region will be freed in object_finalize() after unparent and the ref count > > is to 0. Then the VM will be crashed with this. > > > > In virgl_cmd_resource_map_blob(): > > memory_region_init_ram_device_ptr(res->region, OBJECT(g), NULL, size, > > data); > > OBJECT(res->region)->free = g_free; > > memory_region_add_subregion(&b->hostmem, mblob.offset, res->region); > > memory_region_set_enabled(res->region, true); > > > > In virtio_gpu_virgl_resource_unmap(): > > memory_region_set_enabled(res->region, false); > > memory_region_del_subregion(&b->hostmem, res->region); > > object_unparent(OBJECT(res->region)); > > res->region = NULL; > > > > I spent a bit more time to understand your point, do you want me to update > > corresponding comments or you have some concern about this change? > > As the comment says ref-ing memory regions without an owner will slow > down DMA, you should avoid that. More concretely, you should check > mr->owner before doing object_ref(OBJECT(mr)). > I get it, thanks to point this exactly. Will update it in V5. Thanks, Ray

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.