qemu/softmmu
Mark Cave-Ayland 690705ca0b softmmu/ioport.c: make MemoryRegionPortioList owner of portio_list MemoryRegions
Currently, when portio_list MemoryRegions are freed using portio_list_destroy(), the RCU
thread segfaults, generating a backtrace similar to that below:

    #0 0x5555599a34b6 in phys_section_destroy ../softmmu/physmem.c:996
    #1 0x5555599a37a3 in phys_sections_free ../softmmu/physmem.c:1011
    #2 0x5555599b24aa in address_space_dispatch_free ../softmmu/physmem.c:2430
    #3 0x55555996a283 in flatview_destroy ../softmmu/memory.c:292
    #4 0x55555a2cb9fb in call_rcu_thread ../util/rcu.c:284
    #5 0x55555a29b71d in qemu_thread_start ../util/qemu-thread-posix.c:541
    #6 0x7ffff4a0cea6 in start_thread nptl/pthread_create.c:477
    #7 0x7ffff492ca2e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfca2e)

The problem here is that portio_list_destroy() unparents the portio_list
MemoryRegions, causing them to be freed immediately; however, the flatview
still has a reference to the MemoryRegion and so causes a use-after-free
segfault when the RCU thread next updates the flatview.

Solve the lifetime issue by making MemoryRegionPortioList the owner of the
portio_list MemoryRegions, and then reparenting them to the portio_list
owner. This ensures that they can be accessed as QOM children via the
portio_list owner, yet the MemoryRegionPortioList owns the refcount.

Update portio_list_destroy() to unparent the MemoryRegion from the
portio_list owner (while keeping mrpio->mr live until finalization of the
MemoryRegionPortioList), so that the portio_list MemoryRegions remain
allocated until flatview_destroy() removes the final refcount upon the
next flatview update.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20230419151652.362717-4-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2023-05-25 10:18:33 +02:00
arch_init.c
balloon.c
bootdevice.c
cpu-throttle.c
cpu-timers.c
cpus.c include/block: Untangle inclusion loops 2023-01-20 07:24:28 +01:00
datadir.c
device_tree.c device-tree: add re-randomization helper function 2022-10-27 11:34:31 +01:00
dirtylimit.c Use new created qemu_target_pages_to_MiB() 2023-05-15 10:33:04 +02:00
dma-helpers.c dma-helpers: prevent dma_blk_cb() vs dma_aio_cancel() race 2023-02-23 19:49:35 +01:00
globals.c accel/tcg: Use one_insn_per_tb global instead of old singlestep global 2023-05-02 15:47:40 +01:00
icount.c
ioport.c softmmu/ioport.c: make MemoryRegionPortioList owner of portio_list MemoryRegions 2023-05-25 10:18:33 +02:00
main.c
memory_mapping.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
memory.c memory: stricter checks prior to unsetting engaged_in_io 2023-05-22 10:35:28 +02:00
meson.build softmmu: Move dirtylimit.c into the target independent source set 2023-04-20 11:25:32 +02:00
physmem.c softmmu: Create qemu_target_pages_to_MiB() 2023-05-15 10:33:03 +02:00
qdev-monitor.c qdev: Move HMP command completion from monitor to softmmu/ 2023-02-04 07:56:54 +01:00
qemu-seccomp.c seccomp: Get actual errno value from failed seccomp functions 2022-10-26 13:32:58 +01:00
qtest.c softmmu: Make qtest.c target independent 2023-04-20 11:25:32 +02:00
rtc.c replay: Simplify setting replay blockers 2023-02-23 14:10:17 +01:00
runstate-action.c
runstate-hmp-cmds.c hmp: Add 'one-insn-per-tb' command equivalent to 'singlestep' 2023-05-02 15:47:40 +01:00
runstate.c softmmu: Don't use 'singlestep' global in QMP and HMP commands 2023-05-02 15:47:40 +01:00
timers-state.h
tpm-hmp-cmds.c tpm: Move HMP commands from monitor/ to softmmu/ 2023-02-04 07:56:54 +01:00
tpm.c
trace-events
trace.h
vl.c softmmu/vl.c: Disable default NIC if it has not been compiled into the binary 2023-05-22 09:39:15 +02:00
watchpoint.c softmmu: Restore use of CPU watchpoint for all accelerators 2023-03-28 15:24:06 -07:00