From: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Fam Zheng <famz@redhat.com>, qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH] memory: Fix double unref of flatview
Date: Thu, 12 Feb 2015 22:29:50 -0500 [thread overview]
Message-ID: <54DD6FAE.2070500@linux.vnet.ibm.com> (raw)
In-Reply-To: <54DD1085.4030503@redhat.com>
On 02/12/2015 03:43 PM, Paolo Bonzini wrote:
>
>
> On 12/02/2015 20:32, Matthew Rosato wrote:
>> Could it be that the order in which flatview_unref (and therefore
>> memory_region_unref) vs object_unparent(mr) matters (ie, object_unparent
>> should always happen last)? Prior to RCUification, seems like the
>> old_view was always unreferenced prior to return from
>> memory_region_del_subregion (so, memory_region_unref always occurred
>> before the object_unparent(mr)). Now, the two could happen in either
>> order -- and looking at memory_region_unref, it is specifically looking
>> at the existence of obj->parent.
>
> I think you're right.
FYI, then this probably also affects the places you hit in d8d9581460
"memory: convert memory_region_destroy to object_unparent", as that's
what I modeled this approach on -- but I haven't tested any of them.
>
> To test your theory, you could try using call_rcu to unparent the memory
> region. The complete fix would be to wrap the MemoryRegion within a
Yep, this test worked.
> container device, and do object_unparent on the container device. Then
> the following happens:
>
> 1) the container object's unparent method calls memory_region_del_subregion
>
> 2) when the old flatview is destroyed, it calls memory_region_unref but
> the parent is still in place
>
> 3) the container object is destroyed
>
> 4) the container object destroys the container device.
OK great! I noticed this problem while re-structuring this area of code
anyway, so I'll roll this in.
>
> Note that these rules apply only to actual memory regions (I/O or RAM),
> not aliases or containers. I hope to post a doc patch next week, since
> I'm completing the patches that fix the only other problematic case
> (PCIe MMCONFIG). I was not expecting this to trigger so early, which is
> why I had left this for part 3.
Looking forward to it -- Thanks for the help Paolo.
Matt
>
> Paolo
>
next prev parent reply other threads:[~2015-02-13 3:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-12 16:21 [Qemu-devel] [PATCH] memory: Fix double unref of flatview Matthew Rosato
2015-02-12 17:09 ` Paolo Bonzini
2015-02-12 17:34 ` Paolo Bonzini
2015-02-12 19:32 ` Matthew Rosato
2015-02-12 20:43 ` Paolo Bonzini
2015-02-13 3:29 ` Matthew Rosato [this message]
2015-02-13 9:29 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54DD6FAE.2070500@linux.vnet.ibm.com \
--to=mjrosato@linux.vnet.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=famz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.