Patch Detail
GET /api/patches/2195039/?format=api
{ "id": 2195039, "url": "http://patchwork.ozlabs.org/api/patches/2195039/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260210121438.67781-15-mjt@tls.msk.ru/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260210121438.67781-15-mjt@tls.msk.ru>", "list_archive_url": null, "date": "2026-02-10T12:14:24", "name": "[Stable-10.2.1,71/78] virtio-gpu-virgl: correct parent for blob memory region", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "1fea3986bca9194c7262207973b5af69428f774b", "submitter": { "id": 183, "url": "http://patchwork.ozlabs.org/api/people/183/?format=api", "name": "Michael Tokarev", "email": "mjt@tls.msk.ru" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260210121438.67781-15-mjt@tls.msk.ru/mbox/", "series": [ { "id": 491661, "url": "http://patchwork.ozlabs.org/api/series/491661/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=491661", "date": "2026-02-10T12:14:13", "name": "Patch Round-up for stable 10.2.1, freeze on 2026-02-10 (frozen)", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/491661/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2195039/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2195039/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n 
(client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)", "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4f9LD91mn1z1xvb\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 10 Feb 2026 23:17:29 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1vpmf6-0001gh-S9; Tue, 10 Feb 2026 07:16:16 -0500", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)\n id 1vpmeX-000161-On; Tue, 10 Feb 2026 07:15:38 -0500", "from isrv.corpit.ru ([212.248.84.144])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)\n id 1vpmeV-0000I3-W1; Tue, 10 Feb 2026 07:15:37 -0500", "from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2])\n by isrv.corpit.ru (Postfix) with ESMTP id 95003187DA9;\n Tue, 10 Feb 2026 15:13:52 +0300 (MSK)", "from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146])\n by tsrv.corpit.ru (Postfix) with ESMTP id 30DAE360CCB;\n Tue, 10 Feb 2026 15:14:48 +0300 (MSK)" ], "From": "Michael Tokarev <mjt@tls.msk.ru>", "To": "qemu-devel@nongnu.org", "Cc": "qemu-stable@nongnu.org, Joelle van Dyne <j@getutm.app>,\n Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>,\n \"Michael S. 
Tsirkin\" <mst@redhat.com>, Michael Tokarev <mjt@tls.msk.ru>", "Subject": "[Stable-10.2.1 71/78] virtio-gpu-virgl: correct parent for blob\n memory region", "Date": "Tue, 10 Feb 2026 15:14:24 +0300", "Message-ID": "<20260210121438.67781-15-mjt@tls.msk.ru>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<qemu-stable-10.2.1-20260210151332@cover.tls.msk.ru>", "References": "<qemu-stable-10.2.1-20260210151332@cover.tls.msk.ru>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru;\n helo=isrv.corpit.ru", "X-Spam_score_int": "-18", "X-Spam_score": "-1.9", "X-Spam_bar": "-", "X-Spam_report": "(-1.9 / 5.0 requ) BAYES_00=-1.9,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Joelle van Dyne <j@getutm.app>\n\nWhen `owner` == `mr`, `object_unparent` will crash:\n\nobject_unparent(mr) ->\nobject_property_del_child(mr, mr) ->\nobject_finalize_child_property(mr, name, mr) ->\nobject_unref(mr) ->\nobject_finalize(mr) ->\nobject_property_del_all(mr) ->\nobject_finalize_child_property(mr, name, mr) 
->\nobject_unref(mr) ->\nfail on g_assert(obj->ref > 0)\n\nHowever, passing a different `owner` to `memory_region_init` does not\nwork. `memory_region_ref` has an optimization where it takes a ref\nonly on the owner. That means when flatviews are created, it does not\ntake a ref on the region and you can get a UAF from `flatview_destroy`\ncalled from RCU.\n\nThe correct fix therefore is to use `NULL` as the name which will set\nthe `owner` but not the `parent` (which is still NULL). This allows us\nto use `memory_region_ref` on itself while not having to rely on unparent\nfor cleanup.\n\nSigned-off-by: Joelle van Dyne <j@getutm.app>\nReviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>\nReviewed-by: Michael S. Tsirkin <mst@redhat.com>\nSigned-off-by: Michael S. Tsirkin <mst@redhat.com>\nMessage-Id: <20260103214400.71694-1-j@getutm.app>\n(cherry picked from commit e27194e087aede62dbe3d2805c6f1aa30d3465df)\nSigned-off-by: Michael Tokarev <mjt@tls.msk.ru>", "diff": "diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c\nindex 07f6355ad6..6a83fb63c8 100644\n--- a/hw/display/virtio-gpu-virgl.c\n+++ b/hw/display/virtio-gpu-virgl.c\n@@ -120,7 +120,7 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g,\n vmr->g = g;\n \n mr = &vmr->mr;\n- memory_region_init_ram_ptr(mr, OBJECT(mr), \"blob\", size, data);\n+ memory_region_init_ram_ptr(mr, OBJECT(mr), NULL, size, data);\n memory_region_add_subregion(&b->hostmem, offset, mr);\n memory_region_set_enabled(mr, true);\n \n@@ -186,7 +186,7 @@ virtio_gpu_virgl_unmap_resource_blob(VirtIOGPU *g,\n /* memory region owns self res->mr object and frees it by itself */\n memory_region_set_enabled(mr, false);\n memory_region_del_subregion(&b->hostmem, mr);\n- object_unparent(OBJECT(mr));\n+ object_unref(OBJECT(mr));\n }\n \n return 0;\n", "prefixes": [ "Stable-10.2.1", "71/78" ] }
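Review bot: The `memory_region_init_ram_ptr(mr, OBJECT(mr), NULL, size, data)` call in virtio_gpu_virgl_map_resource_blob has no comment explaining why the name is NULL while the owner is the region itself. The commit message gives the reasoning (a NULL name sets `owner` but leaves `parent` unset, and a different owner leads to a UAF from `flatview_destroy`), but none of it is visible at the call site, so a later cleanup that restores a name such as "blob" would reintroduce the self-parenting the commit message describes. A short comment above the call stating both constraints would protect the invariant.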
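Review bot: The context comment `/* memory region owns self res->mr object and frees it by itself */` in virtio_gpu_virgl_unmap_resource_blob is left unchanged although the cleanup now goes through `object_unref(OBJECT(mr))` instead of `object_unparent`. Please update it to say which reference this call drops (presumably the one held since initialisation, which the hunk does not show) and that the region is freed only once any remaining references taken through `memory_region_ref`, which the commit message relies on, are released. That documents that `mr` may outlive this function.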