From: Michael Roth
References: <1423674872-10676-1-git-send-email-pbonzini@redhat.com> <1423674872-10676-4-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1423674872-10676-4-git-send-email-pbonzini@redhat.com>
Message-ID: <20150211203300.3809.937@loki>
Date: Wed, 11 Feb 2015 14:33:00 -0600
Subject: Re: [Qemu-devel] [PATCH 3/3] memory: keep the owner of the AddressSpace alive until do_address_space_destroy
To: Paolo Bonzini, qemu-devel@nongnu.org

Quoting Paolo Bonzini (2015-02-11 11:14:32)
> This fixes a use-after-free if do_address_space_destroy is executed
> too late.
>
> Signed-off-by: Paolo Bonzini

Looks like this did the trick for me. Haven't been able to reproduce for a couple hours. Thanks!

Reviewed-by: Michael Roth
Tested-by: Michael Roth

> --- > memory.c | 5 +++++ > 1 file changed, 5 insertions(+) > = > diff --git a/memory.c b/memory.c > index 130152c..20f6d9e 100644 > --- a/memory.c > +++ b/memory.c > @@ -1943,6 +1943,7 @@ void memory_listener_unregister(MemoryListener *lis= tener) > = > void address_space_init(AddressSpace *as, MemoryRegion *root, const char= *name) > { > + memory_region_ref(root); > memory_region_transaction_begin(); > as->root =3D root; > as->current_map =3D g_new(FlatView, 1); > @@ -1969,10 +1970,13 @@ static void do_address_space_destroy(AddressSpace= *as) > flatview_unref(as->current_map); > g_free(as->name); > g_free(as->ioeventfds); > + memory_region_unref(as->root); > } > = > void address_space_destroy(AddressSpace *as) > { > + MemoryRegion *root =3D as->root; > + > /* Flush out anything from MemoryListeners listening in on this */ > memory_region_transaction_begin(); > as->root =3D NULL; 
> @@ -1984,6 +1988,7 @@ void address_space_destroy(AddressSpace *as) > * entries that the guest should never use. Wait for the old > * values to expire before freeing the data. > */ > + as->root =3D root; > call_rcu(as, do_address_space_destroy, rcu); > } > = > -- = > 1.8.3.1
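Review bot: the new memory_region_ref(root) at the top of address_space_init is undocumented and its matching unref lives in a different function, so a one-line comment at the ref site ("dropped in do_address_space_destroy once the RCU grace period has passed") would save the next reader a search. Worth stating in the commit message as well: with this hunk, any caller of address_space_init that never reaches address_space_destroy now keeps the owner of root alive indefinitely, so unmatched inits become a leak rather than a dangling pointer.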
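Review bot: in the do_address_space_destroy / address_space_destroy hunk the new memory_region_unref(as->root) reads a field that the same patch sets to NULL a few lines later (as->root = NULL, for the listener flush), so the unref only balances the ref in address_space_init because the pointer is put back before call_rcu in a later hunk. That dependency is invisible from this hunk; suggest an assert(as->root) or a comment next to the unref, otherwise a future change that drops the restore silently turns this use-after-free fix into a reference leak. Saving the pointer first with MemoryRegion *root = as->root; is the right move, but say why it is needed.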
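Review bot: the final hunk restores as->root = root immediately before call_rcu, so an AddressSpace that has already been flushed from every MemoryListener carries a non-NULL root again until the RCU callback runs, and the existing comment ("Wait for the old values to expire before freeing the data.") does not explain why root comes back. Extend that comment, e.g. "/* Put root back so do_address_space_destroy can drop the reference taken in address_space_init */", or carry the pointer in a dedicated field so as->root stays NULL for a destroyed AddressSpace and nothing can mistake it for a live one during the grace period.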