From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 6/8] memory: fix refcount leak in memory_region_present
Date: Thu, 16 Jul 2015 20:02:56 +0200 [thread overview]
Message-ID: <1437069778-8954-7-git-send-email-pbonzini@redhat.com> (raw)
In-Reply-To: <1437069778-8954-1-git-send-email-pbonzini@redhat.com>
memory_region_present() leaks a reference to a MemoryRegion in the
case "mr == container". While fixing it, avoid reference counting
altogether for memory_region_present(), by using RCU only.
The return value could in principle be already invalid immediately
after memory_region_present returns, but presumably the caller knows
that and it's using memory_region_present to probe for devices that
are unpluggable, or something like that. The RCU critical section
is needed anyway, because it protects as->current_map.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
memory.c | 44 ++++++++++++++++++++++++++++----------------
1 file changed, 28 insertions(+), 16 deletions(-)
diff --git a/memory.c b/memory.c
index 5a0cc66..0acebb1 100644
--- a/memory.c
+++ b/memory.c
@@ -1887,23 +1887,16 @@ static FlatRange *flatview_lookup(FlatView *view, AddrRange addr)
sizeof(FlatRange), cmp_flatrange_addr);
}
-bool memory_region_present(MemoryRegion *container, hwaddr addr)
-{
- MemoryRegion *mr = memory_region_find(container, addr, 1).mr;
- if (!mr || (mr == container)) {
- return false;
- }
- memory_region_unref(mr);
- return true;
-}
-
bool memory_region_is_mapped(MemoryRegion *mr)
{
return mr->container ? true : false;
}
-MemoryRegionSection memory_region_find(MemoryRegion *mr,
- hwaddr addr, uint64_t size)
+/* Same as memory_region_find, but it does not add a reference to the
+ * returned region. It must be called from an RCU critical section.
+ */
+static MemoryRegionSection memory_region_find_rcu(MemoryRegion *mr,
+ hwaddr addr, uint64_t size)
{
MemoryRegionSection ret = { .mr = NULL };
MemoryRegion *root;
@@ -1924,11 +1917,10 @@ MemoryRegionSection memory_region_find(MemoryRegion *mr,
}
range = addrrange_make(int128_make64(addr), int128_make64(size));
- rcu_read_lock();
view = atomic_rcu_read(&as->current_map);
fr = flatview_lookup(view, range);
if (!fr) {
- goto out;
+ return ret;
}
while (fr > view->ranges && addrrange_intersects(fr[-1].addr, range)) {
@@ -1944,12 +1936,32 @@ MemoryRegionSection memory_region_find(MemoryRegion *mr,
ret.size = range.size;
ret.offset_within_address_space = int128_get64(range.start);
ret.readonly = fr->readonly;
- memory_region_ref(ret.mr);
-out:
+ return ret;
+}
+
+MemoryRegionSection memory_region_find(MemoryRegion *mr,
+ hwaddr addr, uint64_t size)
+{
+ MemoryRegionSection ret;
+ rcu_read_lock();
+ ret = memory_region_find_rcu(mr, addr, size);
+ if (ret.mr) {
+ memory_region_ref(ret.mr);
+ }
rcu_read_unlock();
return ret;
}
+bool memory_region_present(MemoryRegion *container, hwaddr addr)
+{
+ MemoryRegion *mr;
+
+ rcu_read_lock();
+ mr = memory_region_find_rcu(container, addr, 1).mr;
+ rcu_read_unlock();
+ return mr && mr != container;
+}
+
void address_space_sync_dirty_bitmap(AddressSpace *as)
{
FlatView *view;
--
2.4.3
next prev parent reply other threads:[~2015-07-16 18:03 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-16 18:02 [Qemu-devel] [PULL v2 0/8] KVM, memory API, crypto, Coverity fixes for 2.4.0-rc1 Paolo Bonzini
2015-07-16 18:02 ` [Qemu-devel] [PULL 1/8] mips/kvm: Fix Big endian 32-bit register access Paolo Bonzini
2015-07-16 18:02 ` [Qemu-devel] [PULL 2/8] mips/kvm: Sign extend registers written to KVM Paolo Bonzini
2015-07-16 18:02 ` [Qemu-devel] [PULL 3/8] ppc/spapr_drc: fix memory leak Paolo Bonzini
2015-07-16 18:02 ` [Qemu-devel] [PULL 4/8] arm/xlnx-zynqmp: " Paolo Bonzini
2015-07-16 18:02 ` [Qemu-devel] [PULL 5/8] RDMA: Fix error exits Paolo Bonzini
2015-07-16 18:02 ` Paolo Bonzini [this message]
2015-07-16 18:02 ` [Qemu-devel] [PULL 7/8] crypto: fix build with nettle >= 3.0.0 Paolo Bonzini
2015-07-16 18:02 ` [Qemu-devel] [PULL 8/8] crypto: avoid undefined behavior in nettle calls Paolo Bonzini
2015-07-16 19:30 ` [Qemu-devel] [PULL v2 0/8] KVM, memory API, crypto, Coverity fixes for 2.4.0-rc1 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1437069778-8954-7-git-send-email-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).