On 5/4/26 13:35, Marc-André Lureau wrote:
The OPBus instance_init initializes an AddressSpace, registering it in the global address_spaces list. When a bare OPBus object is created and destroyed (e.g. by qom-tests), there is no finalize to remove the stale entry, leading to a heap-use-after-free when a subsequent flatviews_reset iterates the list.Move address_space_init to the bus realize callback and add the corresponding address_space_destroy in unrealize, following the NubusBus pattern. Also fix the memory_region_init owner from NULL to the OPBus object, so the MR is properly parented instead of dangling under the "unattached" container. Fixes: eb04c35da2c0 ("hw/fsi: Aspeed APB2OPB & On-chip peripheral bus") Signed-off-by: Marc-André Lureau <[email protected]> --- hw/fsi/aspeed_apb2opb.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/hw/fsi/aspeed_apb2opb.c b/hw/fsi/aspeed_apb2opb.c index b9d72f3ecf6..36092468391 100644 --- a/hw/fsi/aspeed_apb2opb.c +++ b/hw/fsi/aspeed_apb2opb.c @@ -348,15 +348,37 @@ static void fsi_opb_init(Object *o) { OPBus *opb = OP_BUS(o);- memory_region_init(&opb->mr, 0, TYPE_FSI_OPB, UINT32_MAX);+ memory_region_init(&opb->mr, o, TYPE_FSI_OPB, UINT32_MAX); +} + +static void fsi_opb_realize(BusState *bus, Error **errp) +{ + OPBus *opb = OP_BUS(bus); + address_space_init(&opb->as, &opb->mr, TYPE_FSI_OPB); }+static void fsi_opb_unrealize(BusState *bus)+{ + OPBus *opb = OP_BUS(bus); + + address_space_destroy(&opb->as); +} + +static void fsi_opb_class_init(ObjectClass *klass, const void *data) +{ + BusClass *bc = BUS_CLASS(klass); + + bc->realize = fsi_opb_realize; + bc->unrealize = fsi_opb_unrealize; +} + static const TypeInfo opb_info = { .name = TYPE_OP_BUS, .parent = TYPE_BUS, .instance_init = fsi_opb_init, .instance_size = sizeof(OPBus), + .class_init = fsi_opb_class_init, };static void fsi_opb_register_types(void)
Reviewed-by: Cédric Le Goater <[email protected]> Thanks, C.
