[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 0/7] Do not unparent in instance_finalize()

To: Akihiko Odaki <odaki@xxxxxxxxxxxxxxxxxxxxxx>
From: Daniel P. Berrangé <berrange@xxxxxxxxxx>
Date: Wed, 17 Sep 2025 14:17:35 +0100
Cc: qemu-devel@xxxxxxxxxx, Alex Williamson <alex.williamson@xxxxxxxxxx>, Cédric Le Goater <clg@xxxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Eduardo Habkost <eduardo@xxxxxxxxxxx>, Peter Xu <peterx@xxxxxxxxxx>, David Hildenbrand <david@xxxxxxxxxx>, Philippe Mathieu-Daudé <philmd@xxxxxxxxxx>, Richard Henderson <richard.henderson@xxxxxxxxxx>, Helge Deller <deller@xxxxxx>, Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, Gerd Hoffmann <kraxel@xxxxxxxxxx>, John Snow <jsnow@xxxxxxxxxx>, qemu-block@xxxxxxxxxx, Keith Busch <kbusch@xxxxxxxxxx>, Klaus Jensen <its@xxxxxxxxxxxxx>, Jesper Devantier <foss@xxxxxxxxxxx>, Marcel Apfelbaum <marcel.apfelbaum@xxxxxxxxx>, Nicholas Piggin <npiggin@xxxxxxxxx>, qemu-ppc@xxxxxxxxxx, John Levon <john.levon@xxxxxxxxxxx>, Thanos Makatos <thanos.makatos@xxxxxxxxxxx>, Yanan Wang <wangyanan55@xxxxxxxxxx>, BALATON Zoltan <balaton@xxxxxxxxxx>, Jiaxun Yang <jiaxun.yang@xxxxxxxxxxx>, Daniel Henrique Barboza <danielhb413@xxxxxxxxx>, David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>, Harsh Prateek Bora <harshpb@xxxxxxxxxxxxx>, Alexey Kardashevskiy <aik@xxxxxxxxx>, Alex Bennée <alex.bennee@xxxxxxxxxx>, Fabiano Rosas <farosas@xxxxxxx>, Thomas Huth <thuth@xxxxxxxxxx>, Laurent Vivier <lvivier@xxxxxxxxxx>, Peter Maydell <peter.maydell@xxxxxxxxxx>, Aurelien Jarno <aurelien@xxxxxxxxxxx>, Aleksandar Rikalo <arikalo@xxxxxxxxx>, Max Filippov <jcmvbkbc@xxxxxxxxx>, Hervé Poussineau <hpoussin@xxxxxxxxxxx>, Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>, Artyom Tarasenko <atar4qemu@xxxxxxxxx>, Alistair Francis <alistair@xxxxxxxxxxxxx>, "Maciej S. Szmigiero" <maciej.szmigiero@xxxxxxxxxx>, Bin Meng <bmeng.cn@xxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony@xxxxxxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>, "Edgar E. Iglesias" <edgar.iglesias@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 17 Sep 2025 13:18:34 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Sep 17, 2025 at 09:24:04PM +0900, Akihiko Odaki wrote:
> On 2025/09/17 20:57, Daniel P. Berrangé wrote:
> > On Wed, Sep 17, 2025 at 07:13:25PM +0900, Akihiko Odaki wrote:
> > > Based-on: <cover.1751493467.git.balaton@xxxxxxxxxx>
> > > ("[PATCH v2 00/14] hw/pci-host/raven clean ups")
> > > 
> > > Supersedes: <20240829-memory-v1-1-ac07af2f4fa5@xxxxxxxxxx>
> > > ("[PATCH] docs/devel: Prohibit calling object_unparent() for memory 
> > > region")
> > > 
> > > Children are automatically unparented so manually unparenting is
> > > unnecessary.
> > 
> > Where is automatic unparenting you're referring to being done ?
> > 
> > > Worse, automatic unparenting happens before the instance_finalize()
> > > callback of the parent gets called, so object_unparent() calls in
> > > the callback will refer to objects that are already unparented, which
> > > is semantically incorrect.
> > 
> > IIUC, object_property_add_child will acquire a reference on
> > the child, and object_property_del_child (and thus
> > object_unparent) will release that reference.
> > 
> > The 'object_finalize' method, and thus 'instance_finalize'
> > callback, won't be invoked until the last reference is
> > dropped on the object in question.
> > 
> > IOW, it should be impossible for 'object_finalize' to ever
> > run, as long as the child has a parent set.
> > 
> > So if we're in the 'finalize' then 'object_unparent' must
> > be a no-op as the child must already have no references
> > held and thus no parent.
> > 
> > IOW, the reason to remove 'object_unparent' calls from
> > finalize is surely because they do nothing at all,
> > rather than this talk about callbacks being run at the
> > wrong time ?
> 
> This patch series deals with the situation where the parent calls
> object_unparent() in its instance_finalize() callback. The process of
> finalization looks like as follows:
> 
> 1. The parent's reference count reaches to zero. Please note that there can
> be remaining children that are referenced by the parent at this point.
> 
> 2. object_finalize() is called.
> 
> 2a. object_property_del_all() is called and the parent releases references
> to its children. This is what I referred as "automatic unparenting". The
> children without any other references will be finalized here.
> 
> 2b. instance_finalize() is called. Past children may be already finalized,
> and calling object_unparent() here will cause dereferencing finalized
> objects in that case, which should be avoided.

Oh, so these object_unparent calls run by the parent, against the child
in fact use-after-free flaws.

This is driven by the parent keeping hold of explicit pointers to the
child (MemoryRegion), without also holding its own reference, and these
pointers are invalidated when the parent<->child property is deleted.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Follow-Ups:
- Re: [PATCH v3 0/7] Do not unparent in instance_finalize()
  - From: Daniel P. Berrangé

References:
- [PATCH v3 0/7] Do not unparent in instance_finalize()
  - From: Akihiko Odaki
- Re: [PATCH v3 0/7] Do not unparent in instance_finalize()
  - From: Daniel P. Berrangé
- Re: [PATCH v3 0/7] Do not unparent in instance_finalize()
  - From: Akihiko Odaki

Prev by Date: Re: [PATCH v3 0/7] Do not unparent in instance_finalize()
Next by Date: Re: [PATCH v3 0/7] Do not unparent in instance_finalize()
Previous by thread: Re: [PATCH v3 0/7] Do not unparent in instance_finalize()
Next by thread: Re: [PATCH v3 0/7] Do not unparent in instance_finalize()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.