From nobody Mon May 25 13:48:45 2026
Date: Tue, 28 Apr 2026 16:45:44 +0000
In-Reply-To: <20260428164545.2782523-1-rkir@google.com>
References: <20260427154441.1918536-1-rkir@google.com> <20260428164545.2782523-1-rkir@google.com>
Message-ID: <20260428164545.2782523-2-rkir@google.com>
Subject: [PATCH v2 1/2] qom: improve use-after-free debugging
From: Roman Kiryanov
To: pbonzini@redhat.com, alex.bennee@linaro.org, marcandre.lureau@gmail.com
Cc: qemu-devel@nongnu.org, Roman Kiryanov

This patch invalidates dead objects so their usage will lead to more predictable results (crashes or asserts).

Signed-off-by: Roman Kiryanov
Reviewed-by: Philippe Mathieu-Daudé
---
Changes in v2:
- Updated clearing of obj->properties using g_clear_pointer.
- Moved clearing of obj->class into object_deinit.
- obj->class is checked to be NULL before obj->free(obj).

 qom/object.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/qom/object.c b/qom/object.c index f981e27044..b8ffb00976 100644 --- a/qom/object.c +++ b/qom/object.c
@@ -612,7 +612,7 @@ static void object_property_del_all(Object *obj) } } while (released); =20 - g_hash_table_unref(obj->properties); + g_clear_pointer(&obj->properties, g_hash_table_unref); } =20 static void object_property_del_child(Object *obj, Object *child) @@ -658,6 +658,9 @@ static void object_deinit(Object *obj, TypeImpl *type) if (type_has_parent(type)) { object_deinit(obj, type_get_parent(type)); } + + g_assert(obj->properties =3D=3D NULL); + obj->class =3D NULL; } =20 static void object_finalize(void *data) 
@@ -670,6 +673,7 @@ static void object_finalize(void *data) =20 g_assert(obj->ref =3D=3D 0); g_assert(obj->parent =3D=3D NULL); + g_assert(obj->class =3D=3D NULL); if (obj->free) { obj->free(obj); } --=20 2.54.0.545.g6539524ca2-goog

From nobody Mon May 25 13:48:45 2026
Date: Tue, 28 Apr 2026 16:45:45 +0000
In-Reply-To: <20260428164545.2782523-1-rkir@google.com>
References: <20260427154441.1918536-1-rkir@google.com> <20260428164545.2782523-1-rkir@google.com>
Message-ID: <20260428164545.2782523-3-rkir@google.com>
Subject: [PATCH v2 2/2] display: rutabaga: unparent MemoryRegions in unmap
From: Roman Kiryanov
To: pbonzini@redhat.com, alex.bennee@linaro.org, marcandre.lureau@gmail.com
Cc: qemu-devel@nongnu.org, Roman Kiryanov

The virtio-gpu-rutabaga-device instance holds a hash table of child objects (`Object::properties`) and a memory region is added there every time `memory_region_init_ram_ptr` is called. The `unmap_blob` call invalidates a `MemoryRegion` but does not remove it from the device, which makes pointers to the region dangling and eventually causes a crash when those pointers are dereferenced.

Signed-off-by: Roman Kiryanov
---
 hw/display/virtio-gpu-rutabaga.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/display/virtio-gpu-rutabaga.c b/hw/display/virtio-gpu-rutab= aga.c index ebb6c783fb..5cd9b19336 100644 --- a/hw/display/virtio-gpu-rutabaga.c
+++ b/hw/display/virtio-gpu-rutabaga.c @@ -737,6 +737,7 @@ rutabaga_cmd_resource_unmap_blob(VirtIOGPU *g, =20 MemoryRegion *mr =3D &(vr->memory_regions[slot].mr); memory_region_del_subregion(&vb->hostmem, mr); + object_unparent(OBJECT(mr)); =20 vr->memory_regions[slot].resource_id =3D 0; vr->memory_regions[slot].used =3D 0; --=20 2.54.0.545.g6539524ca2-goog
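
Review bot: in [PATCH v2 1/2], the two lines added at the end of object_deinit() in qom/object.c come after the recursive object_deinit(obj, type_get_parent(type)) call, so g_assert(obj->properties == NULL) and obj->class = NULL execute once per level of the type hierarchy instead of once per object. Repeating them is harmless, but it hides the intent: the assert also makes object_deinit() depend on object_property_del_all() having already cleared obj->properties, and nothing in the function says so. Consider moving both lines to the caller, directly after the top-level object_deinit() call and next to the existing asserts in object_finalize(), or keep them here with a short comment stating the required call order and that setting obj->class to NULL is deliberate poisoning for use-after-free debugging.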
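
Review bot: in [PATCH v2 2/2], the added object_unparent(OBJECT(mr)) in rutabaga_cmd_resource_unmap_blob() acts on a region that is embedded in the device state (mr is &(vr->memory_regions[slot].mr)), and the slot is marked free on the next lines (resource_id = 0, used = 0), so the same storage will be handed to a later map. The commit message explains why the stale child property must go, but not why nothing can still hold a reference to the region at this point, immediately after memory_region_del_subregion(). Please state that guarantee in the commit message or in a comment above the call; if it cannot be stated, the unparent and the slot release should be deferred until it holds.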