From: Igor Mammedov
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, ehabkost@redhat.com
Date: Tue, 4 Sep 2018 14:39:37 +0200
Message-Id: <1536064777-42312-1-git-send-email-imammedo@redhat.com>
Subject: [Qemu-devel] [PATCH] memory: cleanup side effects of memory_region_init_foo() on failure

If MemoryRegion initialization fails, it's left in a semi-initialized state, where its size is not 0 and it is attached as a child to the owner object. And this leads to a crash in the following use-case:

  (monitor) object_add memory-backend-file,id=mem1,size=99999G,mem-path=/tmp/foo,discard-data=yes
  memory.c:2083: memory_region_get_ram_ptr: Assertion `mr->ram_block' failed
  Aborted (core dumped)

It happens due to the assumption that a memory region is initialized when memory_region_size() != 0 and therefore it's ok to access it in file_backend_unparent()

  if (memory_region_size() != 0)
      memory_region_get_ram_ptr()

which happens when object_add fails and unparents the failed backend, making file_backend_unparent() access an invalid memory region.
Fix it by making sure that memory_region_init_foo() APIs cleanup externally visible side effects on failure (like set size to 0 and unparenting object) Signed-off-by: Igor Mammedov --- memory.c | 48 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/memory.c b/memory.c index 9b73892..4c2dfd3 100644 --- a/memory.c +++ b/memory.c @@ -1518,12 +1518,18 @@ void memory_region_init_ram_shared_nomigrate(Memory= Region *mr, bool share, Error **errp) { + Error *err =3D NULL; memory_region_init(mr, owner, name, size); mr->ram =3D true; mr->terminates =3D true; mr->destructor =3D memory_region_destructor_ram; - mr->ram_block =3D qemu_ram_alloc(size, share, mr, errp); + mr->ram_block =3D qemu_ram_alloc(size, share, mr, &err); mr->dirty_log_mask =3D tcg_enabled() ? (1 << DIRTY_MEMORY_CODE) : 0; + if (err) { + mr->size =3D 0; + object_unparent(OBJECT(mr)); + error_propagate(errp, err); + } } =20 void memory_region_init_resizeable_ram(MemoryRegion *mr, @@ -1536,13 +1542,19 @@ void memory_region_init_resizeable_ram(MemoryRegion= *mr, void *host), Error **errp) { + Error *err =3D NULL; memory_region_init(mr, owner, name, size); mr->ram =3D true; mr->terminates =3D true; mr->destructor =3D memory_region_destructor_ram; mr->ram_block =3D qemu_ram_alloc_resizeable(size, max_size, resized, - mr, errp); + mr, &err); mr->dirty_log_mask =3D tcg_enabled() ? (1 << DIRTY_MEMORY_CODE) : 0; + if (err) { + mr->size =3D 0; + object_unparent(OBJECT(mr)); + error_propagate(errp, err); + } } =20 #ifdef __linux__ 
@@ -1555,13 +1567,19 @@ void memory_region_init_ram_from_file(MemoryRegion = *mr, const char *path, Error **errp) { + Error *err =3D NULL; memory_region_init(mr, owner, name, size); mr->ram =3D true; mr->terminates =3D true; mr->destructor =3D memory_region_destructor_ram; mr->align =3D align; - mr->ram_block =3D qemu_ram_alloc_from_file(size, mr, ram_flags, path, = errp); + mr->ram_block =3D qemu_ram_alloc_from_file(size, mr, ram_flags, path, = &err); mr->dirty_log_mask =3D tcg_enabled() ? (1 << DIRTY_MEMORY_CODE) : 0; + if (err) { + mr->size =3D 0; + object_unparent(OBJECT(mr)); + error_propagate(errp, err); + } } =20 void memory_region_init_ram_from_fd(MemoryRegion *mr, @@ -1572,14 +1590,20 @@ void memory_region_init_ram_from_fd(MemoryRegion *m= r, int fd, Error **errp) { + Error *err =3D NULL; memory_region_init(mr, owner, name, size); mr->ram =3D true; mr->terminates =3D true; mr->destructor =3D memory_region_destructor_ram; mr->ram_block =3D qemu_ram_alloc_from_fd(size, mr, share ? RAM_SHARED : 0, - fd, errp); + fd, &err); mr->dirty_log_mask =3D tcg_enabled() ? (1 << DIRTY_MEMORY_CODE) : 0; + if (err) { + mr->size =3D 0; + object_unparent(OBJECT(mr)); + error_propagate(errp, err); + } } #endif =20 @@ -1630,13 +1654,19 @@ void memory_region_init_rom_nomigrate(MemoryRegion = *mr, uint64_t size, Error **errp) { + Error *err =3D NULL; memory_region_init(mr, owner, name, size); mr->ram =3D true; mr->readonly =3D true; mr->terminates =3D true; mr->destructor =3D memory_region_destructor_ram; - mr->ram_block =3D qemu_ram_alloc(size, false, mr, errp); + mr->ram_block =3D qemu_ram_alloc(size, false, mr, &err); mr->dirty_log_mask =3D tcg_enabled() ? (1 << DIRTY_MEMORY_CODE) : 0; + if (err) { + mr->size =3D 0; + object_unparent(OBJECT(mr)); + error_propagate(errp, err); + } } =20 void memory_region_init_rom_device_nomigrate(MemoryRegion *mr, 
@@ -1647,6 +1677,7 @@ void memory_region_init_rom_device_nomigrate(MemoryRe= gion *mr, uint64_t size, Error **errp) { + Error *err =3D NULL; assert(ops); memory_region_init(mr, owner, name, size); mr->ops =3D ops; @@ -1654,7 +1685,12 @@ void memory_region_init_rom_device_nomigrate(MemoryR= egion *mr, mr->terminates =3D true; mr->rom_device =3D true; mr->destructor =3D memory_region_destructor_ram; - mr->ram_block =3D qemu_ram_alloc(size, false, mr, errp); + mr->ram_block =3D qemu_ram_alloc(size, false, mr, &err); + if (err) { + mr->size =3D 0; + object_unparent(OBJECT(mr)); + error_propagate(errp, err); + } } =20 void memory_region_init_iommu(void *_iommu_mr, --=20 2.7.4
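Review bot: in the memory_region_init_ram_shared_nomigrate() hunk (and on the same line of each of the other five hunks), `mr->size = 0;` assigns a plain integer to the region's Int128 size field. That only compiles when Int128 is the native __int128 type; with the struct fallback in include/qemu/int128.h it is a build error, and memory_region_init() itself writes this field through int128_make64()/int128_2_64(). Use `mr->size = int128_zero();` instead, in all six places.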
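Review bot: the memory_region_init_resizeable_ram(), memory_region_init_ram_from_file(), memory_region_init_ram_from_fd() and memory_region_init_rom_nomigrate() hunks each repeat the identical five-line `if (err) { ... object_unparent(OBJECT(mr)); error_propagate(errp, err); }` block; factoring it into one static helper in memory.c (name left to the author) keeps the failure contract in a single place and makes it harder for the next init function to drop a step. In the same hunks the check is placed after the `mr->dirty_log_mask = ...` assignment rather than directly after the qemu_ram_alloc*() call that can fail; putting it immediately after the allocation, as the memory_region_init_rom_device_nomigrate() hunk already does, makes the error path easier to follow.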
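Review bot: the memory_region_init_rom_device_nomigrate() hunk completes a new contract (on error the region has size 0, a NULL ram_block and is no longer a child of owner) that callers such as file_backend_unparent() now depend on, yet the diffstat shows only memory.c changed. The doc comments for these functions in include/exec/memory.h should state the post-failure state, and a one-line comment above the first `if (err)` block saying why size is reset (memory_region_size() != 0 is used by callers as the "initialized" test) would save future readers a trip through the commit history.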