From: Paolo Bonzini <pbonzini@redhat.com>
To: Matthew Rosato <mjrosato@linux.vnet.ibm.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Fam Zheng <famz@redhat.com>, qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH] memory: Fix double unref of flatview
Date: Thu, 12 Feb 2015 18:34:56 +0100 [thread overview]
Message-ID: <54DCE440.6000609@redhat.com> (raw)
In-Reply-To: <1423758091-26462-1-git-send-email-mjrosato@linux.vnet.ibm.com>
On 12/02/2015 17:21, Matthew Rosato wrote:
> Since 374f2981d1 "memory: protect current_map by RCU",
> address_space_update_topology unrefs the old_flatview twice,
> once by call_rcu and once by direct call. This patch removes
> the direct call in favor of the call_rcu. Fixes at least one
> assertion failure seen in s390, where a ref count for a memory
> region attempts to go negative during hot-unplug of guest memory.
This is buggy:
MemoryRegion *standby_ram = g_new(MemoryRegion, 1);
memory_region_init_ram(standby_ram, NULL, id, this_subregion_size, &error_abort);
...
object_unparent(OBJECT(mr));
g_free(mr);
Memory might not be released after object_unparent (and will not be
released if the RCU callbacks haven't run yet).
Your patch worked around it because it never freed the FlatView, and
thus the RCU callbacks never did anything on the memory regions.
Instead, you have to do this:
MemoryRegion *standby_ram = g_new(MemoryRegion, 1);
Object *obj = OBJECT(standby_ram);
memory_region_init_ram(standby_ram, NULL, id, this_subregion_size, &error_abort);
OBJECT(mr)->free = g_free;
...
object_unparent(OBJECT(mr));
and the freeing will happen once the reference count goes to zero.
Paolo
>
> Signed-off-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
> ---
> memory.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/memory.c b/memory.c
> index 130152c..d08abe5 100644
> --- a/memory.c
> +++ b/memory.c
> @@ -755,7 +755,6 @@ static void address_space_update_topology(AddressSpace *as)
>
> /* Writes are protected by the BQL. */
> atomic_rcu_set(&as->current_map, new_view);
> - call_rcu(old_view, flatview_unref, rcu);
>
> /* Note that all the old MemoryRegions are still alive up to this
> * point. This relieves most MemoryListeners from the need to
> @@ -763,7 +762,7 @@ static void address_space_update_topology(AddressSpace *as)
> * outside the iothread mutex, in which case precise reference
> * counting is necessary.
> */
> - flatview_unref(old_view);
> + call_rcu(old_view, flatview_unref, rcu);
>
> address_space_update_ioeventfds(as);
> }
>
next prev parent reply other threads:[~2015-02-12 17:35 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-12 16:21 [Qemu-devel] [PATCH] memory: Fix double unref of flatview Matthew Rosato
2015-02-12 17:09 ` Paolo Bonzini
2015-02-12 17:34 ` Paolo Bonzini [this message]
2015-02-12 19:32 ` Matthew Rosato
2015-02-12 20:43 ` Paolo Bonzini
2015-02-13 3:29 ` Matthew Rosato
2015-02-13 9:29 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54DCE440.6000609@redhat.com \
--to=pbonzini@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=famz@redhat.com \
--cc=mjrosato@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.