[QEMU PATCH v5 07/13] softmmu/memory: enable automatic deallocation of memory regions
- To: Gerd Hoffmann <kraxel@xxxxxxxxxx>, "Michael S . Tsirkin" <mst@xxxxxxxxxx>, Akihiko Odaki <akihiko.odaki@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, "Antonio Caggiano" <quic_acaggian@xxxxxxxxxxx>, "Dr . David Alan Gilbert" <dgilbert@xxxxxxxxxx>, Robert Beckett <bob.beckett@xxxxxxxxxxxxx>, "Dmitry Osipenko" <dmitry.osipenko@xxxxxxxxxxxxx>, Alex Bennée <alex.bennee@xxxxxxxxxx>, <qemu-devel@xxxxxxxxxx>
- From: Huang Rui <ray.huang@xxxxxxx>
- Date: Fri, 15 Sep 2023 19:11:24 +0800
- Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Gurchetan Singh <gurchetansingh@xxxxxxxxxxxx>, Albert Esteve <aesteve@xxxxxxxxxx>, <ernunes@xxxxxxxxxx>, Philippe Mathieu-Daudé <philmd@xxxxxxxxxx>, Alyssa Ross <hi@xxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Alex Deucher <alexander.deucher@xxxxxxx>, Christian König <christian.koenig@xxxxxxx>, Xenia Ragiadakou <xenia.ragiadakou@xxxxxxx>, Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@xxxxxxx>, "Honglei Huang" <honglei1.huang@xxxxxxx>, Julia Zhang <julia.zhang@xxxxxxx>, "Chen Jiqian" <Jiqian.Chen@xxxxxxx>, Huang Rui <ray.huang@xxxxxxx>
- Delivery-date: Fri, 15 Sep 2023 11:13:13 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
From: Xenia Ragiadakou <xenia.ragiadakou@xxxxxxx>
When the memory region has a different life-cycle from that of its parent,
it could be automatically released, once it has been unparented and once all of its
references have gone away, via the object's free callback.
However, currently, references to the memory region are held by its owner
without first incrementing the memory region object's reference count.
As a result, the automatic deallocation of the object, not taking into
account those references, results in use-after-free memory corruption.
This patch increases the reference count of an owned memory region object
on each memory_region_ref() and decreases it on each memory_region_unref().
Signed-off-by: Xenia Ragiadakou <xenia.ragiadakou@xxxxxxx>
Signed-off-by: Huang Rui <ray.huang@xxxxxxx>
---
V4 -> V5:
- ref/unref only owned memory regions (Akihiko)
softmmu/memory.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/softmmu/memory.c b/softmmu/memory.c
index 7d9494ce70..15e1699750 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
@@ -1800,6 +1800,9 @@ void memory_region_ref(MemoryRegion *mr)
/* MMIO callbacks most likely will access data that belongs
* to the owner, hence the need to ref/unref the owner whenever
* the memory region is in use.
+ * Likewise, the owner keeps references to the memory region,
+ * hence the need to ref/unref the memory region object to prevent
+ * its automatic deallocation while still referenced by its owner.
*
* The memory region is a child of its owner. As long as the
* owner doesn't call unparent itself on the memory region,
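Review bot: the three added comment lines run the new "Likewise, the owner keeps references..." point straight into the existing MMIO-callback paragraph, so the block now makes two separate arguments without a break; consider inserting a bare ` *` line before `* Likewise, the owner keeps references to the memory region,` so it reads as its own paragraph, matching the blank ` *` separator already used before "The memory region is a child of its owner".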
@@ -1808,6 +1811,7 @@ void memory_region_ref(MemoryRegion *mr)
* we do not ref/unref them because it slows down DMA sensibly.
*/
if (mr && mr->owner) {
+ object_ref(OBJECT(mr));
object_ref(mr->owner);
}
}
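Review bot: `object_ref(OBJECT(mr))` is taken only inside `if (mr && mr->owner)`, so owner-less memory regions still get no reference from memory_region_ref(); that matches the V5 change note ("ref/unref only owned memory regions") and the existing comment about DMA cost, but the commit message should say explicitly that unowned regions remain unprotected by this patch and must be kept alive by their creator, since the description only talks about the owned case.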
@@ -1816,6 +1820,7 @@ void memory_region_unref(MemoryRegion *mr)
{
if (mr && mr->owner) {
object_unref(mr->owner);
+ object_unref(OBJECT(mr));
}
}
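Review bot: the unref order here is the mirror of the ref order (owner first, then the region), and it matters: `object_unref(mr->owner)` may finalize the owner and unparent its children, after which `mr` is kept alive only by the reference taken in memory_region_ref() and released on the next line. A one-line comment above `object_unref(mr->owner);` stating that the region must be unref'd after the owner for this reason would stop a later cleanup from swapping the two calls.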
--
2.34.1