[Qemu-devel] [PATCH 0/2] monitor: increase the refcount of the current CPU

[Qemu-devel] [PATCH 0/2] monitor: increase the refcount of the current CPU

[Greg Kurz]

If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"
causes QEMU to exit:
    
(qemu) device_del cpu1
(qemu) info cpus
qemu:qemu_cpu_kick_thread: No such process

I could verify that this happens with x86 and ppc, but I guess s390x is
also impacted.

This series tries to fix the issue by using object_ref() and object_unref()
in the monitor code. For this to work on ppc, some preliminary work is
needed to let QOM handle the CPU object lifecycle.

Please comment.

--
Greg

---

Greg Kurz (2):
      spapr_cpu_core: instantiate CPUs separately
      monitor: add proper reference counting of the current CPU


 hw/ppc/spapr.c                  |   10 +++-------
 hw/ppc/spapr_cpu_core.c         |   29 +++++++++--------------------
 include/hw/ppc/spapr_cpu_core.h |    2 +-
 monitor.c                       |   12 ++++++++++++
 4 files changed, 25 insertions(+), 28 deletions(-)

[Qemu-devel] [PATCH 1/2] spapr_cpu_core: instantiate CPUs separately

[Greg Kurz]

The current code assumes that only the CPU core object holds a
reference on each individual CPU object, and happily frees their
allocated memory when the core is unrealized. This is dangerous
as some other code can legitimely keep a pointer to a CPU if it
calls object_ref(), but it would end up with a dangling pointer.

Let's allocate all CPUs with object_new() and let QOM frees them
when their reference count reaches zero.

Signed-off-by: Greg Kurz <groug@kaod.org>
---
 hw/ppc/spapr.c                  |   10 +++-------
 hw/ppc/spapr_cpu_core.c         |   29 +++++++++--------------------
 include/hw/ppc/spapr_cpu_core.h |    2 +-
 3 files changed, 13 insertions(+), 28 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index fd9813bde82f..ba391c6ed5de 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3153,12 +3153,10 @@ void spapr_core_release(DeviceState *dev)
 
     if (smc->pre_2_10_has_unused_icps) {
         sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
-        sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(cc));
-        size_t size = object_type_get_instance_size(scc->cpu_type);
         int i;
 
         for (i = 0; i < cc->nr_threads; i++) {
-            CPUState *cs = CPU(sc->threads + i * size);
+            CPUState *cs = CPU(sc->threads[i]);
 
             pre_2_10_vmstate_register_dummy_icp(cs->cpu_index);
         }
@@ -3204,7 +3202,7 @@ static void spapr_core_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
     sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
     sPAPRCPUCore *core = SPAPR_CPU_CORE(OBJECT(dev));
     CPUCore *cc = CPU_CORE(dev);
-    CPUState *cs = CPU(core->threads);
+    CPUState *cs = CPU(core->threads[0]);
     sPAPRDRConnector *drc;
     Error *local_err = NULL;
     int smt = kvmppc_smt_threads();
@@ -3249,13 +3247,11 @@ static void spapr_core_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
     core_slot->cpu = OBJECT(dev);
 
     if (smc->pre_2_10_has_unused_icps) {
-        sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(cc));
-        size_t size = object_type_get_instance_size(scc->cpu_type);
         int i;
 
         for (i = 0; i < cc->nr_threads; i++) {
             sPAPRCPUCore *sc = SPAPR_CPU_CORE(dev);
-            void *obj = sc->threads + i * size;
+            void *obj = sc->threads[i];
 
             cs = CPU(obj);
             pre_2_10_vmstate_unregister_dummy_icp(cs->cpu_index);
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index 3a4c17401226..47c408b52ca1 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -79,21 +79,18 @@ const char *spapr_get_cpu_core_type(const char *cpu_type)
 static void spapr_cpu_core_unrealizefn(DeviceState *dev, Error **errp)
 {
     sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
-    sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(dev));
-    size_t size = object_type_get_instance_size(scc->cpu_type);
     CPUCore *cc = CPU_CORE(dev);
     int i;
 
     for (i = 0; i < cc->nr_threads; i++) {
-        void *obj = sc->threads + i * size;
-        DeviceState *dev = DEVICE(obj);
+        DeviceState *dev = DEVICE(sc->threads[i]);
         CPUState *cs = CPU(dev);
         PowerPCCPU *cpu = POWERPC_CPU(cs);
 
         spapr_cpu_destroy(cpu);
         object_unparent(cpu->intc);
         cpu_remove_sync(cs);
-        object_unparent(obj);
+        object_unparent(sc->threads[i]);
     }
     g_free(sc->threads);
 }
@@ -146,9 +143,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
     sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
     sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(dev));
     CPUCore *cc = CPU_CORE(OBJECT(dev));
-    size_t size;
     Error *local_err = NULL;
-    void *obj;
     int i, j;
 
     if (!spapr) {
@@ -156,17 +151,14 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
         return;
     }
 
-    size = object_type_get_instance_size(scc->cpu_type);
-    sc->threads = g_malloc0(size * cc->nr_threads);
+    sc->threads = g_new(void *, cc->nr_threads);
     for (i = 0; i < cc->nr_threads; i++) {
         char id[32];
         CPUState *cs;
         PowerPCCPU *cpu;
 
-        obj = sc->threads + i * size;
-
-        object_initialize(obj, size, scc->cpu_type);
-        cs = CPU(obj);
+        sc->threads[i] = object_new(scc->cpu_type);
+        cs = CPU(sc->threads[i]);
         cpu = POWERPC_CPU(cs);
         cs->cpu_index = cc->core_id + i;
         cpu->vcpu_id = (cc->core_id * spapr->vsmt / smp_threads) + i;
@@ -184,17 +176,15 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
         cpu->node_id = sc->node_id;
 
         snprintf(id, sizeof(id), "thread[%d]", i);
-        object_property_add_child(OBJECT(sc), id, obj, &local_err);
+        object_property_add_child(OBJECT(sc), id, sc->threads[i], &local_err);
         if (local_err) {
             goto err;
         }
-        object_unref(obj);
+        object_unref(sc->threads[i]);
     }
 
     for (j = 0; j < cc->nr_threads; j++) {
-        obj = sc->threads + j * size;
-
-        spapr_cpu_core_realize_child(obj, spapr, &local_err);
+        spapr_cpu_core_realize_child(sc->threads[j], spapr, &local_err);
         if (local_err) {
             goto err;
         }
@@ -203,8 +193,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
 
 err:
     while (--i >= 0) {
-        obj = sc->threads + i * size;
-        object_unparent(obj);
+        object_unparent(sc->threads[i]);
     }
     g_free(sc->threads);
     error_propagate(errp, local_err);
diff --git a/include/hw/ppc/spapr_cpu_core.h b/include/hw/ppc/spapr_cpu_core.h
index f2d48d6a6786..f5b943a6682c 100644
--- a/include/hw/ppc/spapr_cpu_core.h
+++ b/include/hw/ppc/spapr_cpu_core.h
@@ -28,7 +28,7 @@ typedef struct sPAPRCPUCore {
     CPUCore parent_obj;
 
     /*< public >*/
-    void *threads;
+    void **threads;
     int node_id;
 } sPAPRCPUCore;
 

Re: [Qemu-devel] [PATCH 1/2] spapr_cpu_core: instantiate CPUs separately

[Igor Mammedov]

On Fri, 13 Oct 2017 10:35:19 +0200
Greg Kurz <groug@kaod.org> wrote:

> The current code assumes that only the CPU core object holds a
> reference on each individual CPU object, and happily frees their
> allocated memory when the core is unrealized. This is dangerous
> as some other code can legitimely keep a pointer to a CPU if it
> calls object_ref(), but it would end up with a dangling pointer.
> 
> Let's allocate all CPUs with object_new() and let QOM frees them
> when their reference count reaches zero.
I agree with patch as it simplifies code and one doesn't have to
fiddle wit size anymore.
See some comments below.

> 
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  hw/ppc/spapr.c                  |   10 +++-------
>  hw/ppc/spapr_cpu_core.c         |   29 +++++++++--------------------
>  include/hw/ppc/spapr_cpu_core.h |    2 +-
>  3 files changed, 13 insertions(+), 28 deletions(-)
> 
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index fd9813bde82f..ba391c6ed5de 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -3153,12 +3153,10 @@ void spapr_core_release(DeviceState *dev)
>  
>      if (smc->pre_2_10_has_unused_icps) {
>          sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
> -        sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(cc));
> -        size_t size = object_type_get_instance_size(scc->cpu_type);
>          int i;
>  
>          for (i = 0; i < cc->nr_threads; i++) {
> -            CPUState *cs = CPU(sc->threads + i * size);
> +            CPUState *cs = CPU(sc->threads[i]);
>  
>              pre_2_10_vmstate_register_dummy_icp(cs->cpu_index);
>          }
> @@ -3204,7 +3202,7 @@ static void spapr_core_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
>      sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
>      sPAPRCPUCore *core = SPAPR_CPU_CORE(OBJECT(dev));
>      CPUCore *cc = CPU_CORE(dev);
> -    CPUState *cs = CPU(core->threads);
> +    CPUState *cs = CPU(core->threads[0]);
>      sPAPRDRConnector *drc;
>      Error *local_err = NULL;
>      int smt = kvmppc_smt_threads();
> @@ -3249,13 +3247,11 @@ static void spapr_core_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
>      core_slot->cpu = OBJECT(dev);
>  
>      if (smc->pre_2_10_has_unused_icps) {
> -        sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(cc));
> -        size_t size = object_type_get_instance_size(scc->cpu_type);
>          int i;
>  
>          for (i = 0; i < cc->nr_threads; i++) {
>              sPAPRCPUCore *sc = SPAPR_CPU_CORE(dev);
> -            void *obj = sc->threads + i * size;
> +            void *obj = sc->threads[i];
>  
>              cs = CPU(obj);
>              pre_2_10_vmstate_unregister_dummy_icp(cs->cpu_index);
> diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
> index 3a4c17401226..47c408b52ca1 100644
> --- a/hw/ppc/spapr_cpu_core.c
> +++ b/hw/ppc/spapr_cpu_core.c
> @@ -79,21 +79,18 @@ const char *spapr_get_cpu_core_type(const char *cpu_type)
>  static void spapr_cpu_core_unrealizefn(DeviceState *dev, Error **errp)
>  {
>      sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
> -    sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(dev));
> -    size_t size = object_type_get_instance_size(scc->cpu_type);
>      CPUCore *cc = CPU_CORE(dev);
>      int i;
>  
>      for (i = 0; i < cc->nr_threads; i++) {
> -        void *obj = sc->threads + i * size;
> -        DeviceState *dev = DEVICE(obj);
> +        DeviceState *dev = DEVICE(sc->threads[i]);
>          CPUState *cs = CPU(dev);
>          PowerPCCPU *cpu = POWERPC_CPU(cs);
>  
>          spapr_cpu_destroy(cpu);
>          object_unparent(cpu->intc);
>          cpu_remove_sync(cs);
> -        object_unparent(obj);
> +        object_unparent(sc->threads[i]);
>      }
>      g_free(sc->threads);
>  }
> @@ -146,9 +143,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
>      sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
>      sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(dev));
>      CPUCore *cc = CPU_CORE(OBJECT(dev));
> -    size_t size;
>      Error *local_err = NULL;
> -    void *obj;
>      int i, j;
>  
>      if (!spapr) {
> @@ -156,17 +151,14 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
>          return;
>      }
>  
> -    size = object_type_get_instance_size(scc->cpu_type);
> -    sc->threads = g_malloc0(size * cc->nr_threads);
> +    sc->threads = g_new(void *, cc->nr_threads);

                           ^^^ PowerPCCPU*

and maybe g_new0() if incomplete cores are possible.

>      for (i = 0; i < cc->nr_threads; i++) {
>          char id[32];
>          CPUState *cs;
>          PowerPCCPU *cpu;
>  
> -        obj = sc->threads + i * size;
> -
> -        object_initialize(obj, size, scc->cpu_type);
> -        cs = CPU(obj);
> +        sc->threads[i] = object_new(scc->cpu_type);
> +        cs = CPU(sc->threads[i]);
>          cpu = POWERPC_CPU(cs);
>          cs->cpu_index = cc->core_id + i;
>          cpu->vcpu_id = (cc->core_id * spapr->vsmt / smp_threads) + i;
> @@ -184,17 +176,15 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
>          cpu->node_id = sc->node_id;
>  
>          snprintf(id, sizeof(id), "thread[%d]", i);
> -        object_property_add_child(OBJECT(sc), id, obj, &local_err);
> +        object_property_add_child(OBJECT(sc), id, sc->threads[i], &local_err);
>          if (local_err) {
>              goto err;
>          }
> -        object_unref(obj);
> +        object_unref(sc->threads[i]);
>      }
>  
>      for (j = 0; j < cc->nr_threads; j++) {
> -        obj = sc->threads + j * size;
> -
> -        spapr_cpu_core_realize_child(obj, spapr, &local_err);
> +        spapr_cpu_core_realize_child(sc->threads[j], spapr, &local_err);
>          if (local_err) {
>              goto err;
>          }
> @@ -203,8 +193,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
>  
>  err:
>      while (--i >= 0) {
> -        obj = sc->threads + i * size;
> -        object_unparent(obj);
> +        object_unparent(sc->threads[i]);
>      }
>      g_free(sc->threads);
>      error_propagate(errp, local_err);
> diff --git a/include/hw/ppc/spapr_cpu_core.h b/include/hw/ppc/spapr_cpu_core.h
> index f2d48d6a6786..f5b943a6682c 100644
> --- a/include/hw/ppc/spapr_cpu_core.h
> +++ b/include/hw/ppc/spapr_cpu_core.h
> @@ -28,7 +28,7 @@ typedef struct sPAPRCPUCore {
>      CPUCore parent_obj;
>  
>      /*< public >*/
> -    void *threads;
> +    void **threads;
ditto, should be PowerPCCPU

>      int node_id;
>  } sPAPRCPUCore;
>  
> 
> 

Re: [Qemu-devel] [PATCH 1/2] spapr_cpu_core: instantiate CPUs separately

[Greg Kurz]

On Fri, 13 Oct 2017 11:21:20 +0200
Igor Mammedov <imammedo@redhat.com> wrote:

> On Fri, 13 Oct 2017 10:35:19 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
> > The current code assumes that only the CPU core object holds a
> > reference on each individual CPU object, and happily frees their
> > allocated memory when the core is unrealized. This is dangerous
> > as some other code can legitimely keep a pointer to a CPU if it
> > calls object_ref(), but it would end up with a dangling pointer.
> > 
> > Let's allocate all CPUs with object_new() and let QOM frees them
> > when their reference count reaches zero.  
> I agree with patch as it simplifies code and one doesn't have to
> fiddle wit size anymore.

Yes, I'll mention that in the changelog as well.

> See some comments below.
> 
> > 
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> > ---
> >  hw/ppc/spapr.c                  |   10 +++-------
> >  hw/ppc/spapr_cpu_core.c         |   29 +++++++++--------------------
> >  include/hw/ppc/spapr_cpu_core.h |    2 +-
> >  3 files changed, 13 insertions(+), 28 deletions(-)
> > 
> > diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> > index fd9813bde82f..ba391c6ed5de 100644
> > --- a/hw/ppc/spapr.c
> > +++ b/hw/ppc/spapr.c
> > @@ -3153,12 +3153,10 @@ void spapr_core_release(DeviceState *dev)
> >  
> >      if (smc->pre_2_10_has_unused_icps) {
> >          sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
> > -        sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(cc));
> > -        size_t size = object_type_get_instance_size(scc->cpu_type);
> >          int i;
> >  
> >          for (i = 0; i < cc->nr_threads; i++) {
> > -            CPUState *cs = CPU(sc->threads + i * size);
> > +            CPUState *cs = CPU(sc->threads[i]);
> >  
> >              pre_2_10_vmstate_register_dummy_icp(cs->cpu_index);
> >          }
> > @@ -3204,7 +3202,7 @@ static void spapr_core_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
> >      sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
> >      sPAPRCPUCore *core = SPAPR_CPU_CORE(OBJECT(dev));
> >      CPUCore *cc = CPU_CORE(dev);
> > -    CPUState *cs = CPU(core->threads);
> > +    CPUState *cs = CPU(core->threads[0]);
> >      sPAPRDRConnector *drc;
> >      Error *local_err = NULL;
> >      int smt = kvmppc_smt_threads();
> > @@ -3249,13 +3247,11 @@ static void spapr_core_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
> >      core_slot->cpu = OBJECT(dev);
> >  
> >      if (smc->pre_2_10_has_unused_icps) {
> > -        sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(cc));
> > -        size_t size = object_type_get_instance_size(scc->cpu_type);
> >          int i;
> >  
> >          for (i = 0; i < cc->nr_threads; i++) {
> >              sPAPRCPUCore *sc = SPAPR_CPU_CORE(dev);
> > -            void *obj = sc->threads + i * size;
> > +            void *obj = sc->threads[i];
> >  
> >              cs = CPU(obj);
> >              pre_2_10_vmstate_unregister_dummy_icp(cs->cpu_index);
> > diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
> > index 3a4c17401226..47c408b52ca1 100644
> > --- a/hw/ppc/spapr_cpu_core.c
> > +++ b/hw/ppc/spapr_cpu_core.c
> > @@ -79,21 +79,18 @@ const char *spapr_get_cpu_core_type(const char *cpu_type)
> >  static void spapr_cpu_core_unrealizefn(DeviceState *dev, Error **errp)
> >  {
> >      sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
> > -    sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(dev));
> > -    size_t size = object_type_get_instance_size(scc->cpu_type);
> >      CPUCore *cc = CPU_CORE(dev);
> >      int i;
> >  
> >      for (i = 0; i < cc->nr_threads; i++) {
> > -        void *obj = sc->threads + i * size;
> > -        DeviceState *dev = DEVICE(obj);
> > +        DeviceState *dev = DEVICE(sc->threads[i]);
> >          CPUState *cs = CPU(dev);
> >          PowerPCCPU *cpu = POWERPC_CPU(cs);
> >  
> >          spapr_cpu_destroy(cpu);
> >          object_unparent(cpu->intc);
> >          cpu_remove_sync(cs);
> > -        object_unparent(obj);
> > +        object_unparent(sc->threads[i]);
> >      }
> >      g_free(sc->threads);
> >  }
> > @@ -146,9 +143,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
> >      sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
> >      sPAPRCPUCoreClass *scc = SPAPR_CPU_CORE_GET_CLASS(OBJECT(dev));
> >      CPUCore *cc = CPU_CORE(OBJECT(dev));
> > -    size_t size;
> >      Error *local_err = NULL;
> > -    void *obj;
> >      int i, j;
> >  
> >      if (!spapr) {
> > @@ -156,17 +151,14 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
> >          return;
> >      }
> >  
> > -    size = object_type_get_instance_size(scc->cpu_type);
> > -    sc->threads = g_malloc0(size * cc->nr_threads);
> > +    sc->threads = g_new(void *, cc->nr_threads);  
> 
>                            ^^^ PowerPCCPU*
> 

Right, I guess void * was appropriate to do the pointer arithmetics but we don't
need that anymore.

> and maybe g_new0() if incomplete cores are possible.
> 

Yes, older machine types (ie, that don't support CPU hotplug) can have
incomplete cores, but cc->nr_threads is set to the actual number of
threads in this case. See spapr_init_cpus() in hw/ppc/spapr.c.

> >      for (i = 0; i < cc->nr_threads; i++) {
> >          char id[32];
> >          CPUState *cs;
> >          PowerPCCPU *cpu;
> >  
> > -        obj = sc->threads + i * size;
> > -
> > -        object_initialize(obj, size, scc->cpu_type);
> > -        cs = CPU(obj);
> > +        sc->threads[i] = object_new(scc->cpu_type);
> > +        cs = CPU(sc->threads[i]);
> >          cpu = POWERPC_CPU(cs);
> >          cs->cpu_index = cc->core_id + i;
> >          cpu->vcpu_id = (cc->core_id * spapr->vsmt / smp_threads) + i;
> > @@ -184,17 +176,15 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
> >          cpu->node_id = sc->node_id;
> >  
> >          snprintf(id, sizeof(id), "thread[%d]", i);
> > -        object_property_add_child(OBJECT(sc), id, obj, &local_err);
> > +        object_property_add_child(OBJECT(sc), id, sc->threads[i], &local_err);
> >          if (local_err) {
> >              goto err;
> >          }
> > -        object_unref(obj);
> > +        object_unref(sc->threads[i]);
> >      }
> >  
> >      for (j = 0; j < cc->nr_threads; j++) {
> > -        obj = sc->threads + j * size;
> > -
> > -        spapr_cpu_core_realize_child(obj, spapr, &local_err);
> > +        spapr_cpu_core_realize_child(sc->threads[j], spapr, &local_err);
> >          if (local_err) {
> >              goto err;
> >          }
> > @@ -203,8 +193,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
> >  
> >  err:
> >      while (--i >= 0) {
> > -        obj = sc->threads + i * size;
> > -        object_unparent(obj);
> > +        object_unparent(sc->threads[i]);
> >      }
> >      g_free(sc->threads);
> >      error_propagate(errp, local_err);
> > diff --git a/include/hw/ppc/spapr_cpu_core.h b/include/hw/ppc/spapr_cpu_core.h
> > index f2d48d6a6786..f5b943a6682c 100644
> > --- a/include/hw/ppc/spapr_cpu_core.h
> > +++ b/include/hw/ppc/spapr_cpu_core.h
> > @@ -28,7 +28,7 @@ typedef struct sPAPRCPUCore {
> >      CPUCore parent_obj;
> >  
> >      /*< public >*/
> > -    void *threads;
> > +    void **threads;  
> ditto, should be PowerPCCPU
> 

Ok.

Thanks for the feedback!

> >      int node_id;
> >  } sPAPRCPUCore;
> >  
> > 
> >   
> 

[Qemu-devel] [PATCH 2/2] monitor: add proper reference counting of the current CPU

[Greg Kurz]

If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"
causes QEMU to exit:

(qemu) device_del cpu1
(qemu) info cpus
qemu:qemu_cpu_kick_thread: No such process

This happens because "cpu" stores the pointer to the selected CPU into
the monitor structure. When the CPU is hot-unplugged, we end up with a
dangling pointer. The "info cpus" command then does:

hmp_info_cpus()
 monitor_get_cpu_index()
  mon_get_cpu()
   cpu_synchronize_state() <--- called with dangling pointer

This could cause a QEMU crash as well.

This patch switches the monitor to use object_ref() to ensure the
CPU object doesn't vanish unexpectedly. The reference is dropped
either when "cpu" is used to switch to another CPU, or when the
selected CPU is unrealized and cpu_list_remove() sets its cpu_index
back to UNASSIGNED_CPU_INDEX.

Signed-off-by: Greg Kurz <groug@kaod.org>
---
 monitor.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/monitor.c b/monitor.c
index fe0d1bdbb461..1c0b9a2c3ad3 100644
--- a/monitor.c
+++ b/monitor.c
@@ -579,6 +579,9 @@ static void monitor_data_init(Monitor *mon)
 
 static void monitor_data_destroy(Monitor *mon)
 {
+    if (mon->mon_cpu) {
+        object_unref((Object *) mon->mon_cpu);
+    }
     qemu_chr_fe_deinit(&mon->chr, false);
     if (monitor_is_qmp(mon)) {
         json_message_parser_destroy(&mon->qmp.parser);
@@ -1047,12 +1050,21 @@ int monitor_set_cpu(int cpu_index)
     if (cpu == NULL) {
         return -1;
     }
+    if (cur_mon->mon_cpu) {
+        object_unref((Object *) cur_mon->mon_cpu);
+    }
     cur_mon->mon_cpu = cpu;
+    object_ref((Object *) cpu);
     return 0;
 }
 
 CPUState *mon_get_cpu(void)
 {
+    if (cur_mon->mon_cpu &&
+        cur_mon->mon_cpu->cpu_index == UNASSIGNED_CPU_INDEX) {
+        object_unref((Object *) cur_mon->mon_cpu);
+        cur_mon->mon_cpu = NULL;
+    }
     if (!cur_mon->mon_cpu) {
         if (!first_cpu) {
             return NULL;

Re: [Qemu-devel] [PATCH 2/2] monitor: add proper reference counting of the current CPU

[Igor Mammedov]

On Fri, 13 Oct 2017 10:35:31 +0200
Greg Kurz <groug@kaod.org> wrote:

> If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"
> causes QEMU to exit:
> 
> (qemu) device_del cpu1
> (qemu) info cpus
> qemu:qemu_cpu_kick_thread: No such process
> 
> This happens because "cpu" stores the pointer to the selected CPU into
> the monitor structure. When the CPU is hot-unplugged, we end up with a
> dangling pointer. The "info cpus" command then does:
> 
> hmp_info_cpus()
>  monitor_get_cpu_index()
>   mon_get_cpu()
>    cpu_synchronize_state() <--- called with dangling pointer
> 
> This could cause a QEMU crash as well.
> 
> This patch switches the monitor to use object_ref() to ensure the
> CPU object doesn't vanish unexpectedly. The reference is dropped
> either when "cpu" is used to switch to another CPU, or when the
> selected CPU is unrealized and cpu_list_remove() sets its cpu_index
> back to UNASSIGNED_CPU_INDEX.
I don't really like an idea of leaving dangling cpu around.
Is it possible to store QOM path on set_cpu in monitor and
resolving it each to instance each time it's needed?


> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  monitor.c |   12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/monitor.c b/monitor.c
> index fe0d1bdbb461..1c0b9a2c3ad3 100644
> --- a/monitor.c
> +++ b/monitor.c
> @@ -579,6 +579,9 @@ static void monitor_data_init(Monitor *mon)
>  
>  static void monitor_data_destroy(Monitor *mon)
>  {
> +    if (mon->mon_cpu) {
> +        object_unref((Object *) mon->mon_cpu);
> +    }
>      qemu_chr_fe_deinit(&mon->chr, false);
>      if (monitor_is_qmp(mon)) {
>          json_message_parser_destroy(&mon->qmp.parser);
> @@ -1047,12 +1050,21 @@ int monitor_set_cpu(int cpu_index)
>      if (cpu == NULL) {
>          return -1;
>      }
> +    if (cur_mon->mon_cpu) {
> +        object_unref((Object *) cur_mon->mon_cpu);
> +    }
>      cur_mon->mon_cpu = cpu;
> +    object_ref((Object *) cpu);
>      return 0;
>  }
>  
>  CPUState *mon_get_cpu(void)
>  {
> +    if (cur_mon->mon_cpu &&
> +        cur_mon->mon_cpu->cpu_index == UNASSIGNED_CPU_INDEX) {
> +        object_unref((Object *) cur_mon->mon_cpu);
> +        cur_mon->mon_cpu = NULL;
> +    }
>      if (!cur_mon->mon_cpu) {
>          if (!first_cpu) {
>              return NULL;
> 
> 

Re: [Qemu-devel] [PATCH 2/2] monitor: add proper reference counting of the current CPU

[Greg Kurz]

On Fri, 13 Oct 2017 11:24:59 +0200
Igor Mammedov <imammedo@redhat.com> wrote:

> On Fri, 13 Oct 2017 10:35:31 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
> > If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"
> > causes QEMU to exit:
> > 
> > (qemu) device_del cpu1
> > (qemu) info cpus
> > qemu:qemu_cpu_kick_thread: No such process
> > 
> > This happens because "cpu" stores the pointer to the selected CPU into
> > the monitor structure. When the CPU is hot-unplugged, we end up with a
> > dangling pointer. The "info cpus" command then does:
> > 
> > hmp_info_cpus()
> >  monitor_get_cpu_index()
> >   mon_get_cpu()
> >    cpu_synchronize_state() <--- called with dangling pointer
> > 
> > This could cause a QEMU crash as well.
> > 
> > This patch switches the monitor to use object_ref() to ensure the
> > CPU object doesn't vanish unexpectedly. The reference is dropped
> > either when "cpu" is used to switch to another CPU, or when the
> > selected CPU is unrealized and cpu_list_remove() sets its cpu_index
> > back to UNASSIGNED_CPU_INDEX.  
> I don't really like an idea of leaving dangling cpu around.
> Is it possible to store QOM path on set_cpu in monitor and
> resolving it each to instance each time it's needed?
> 

It sounds workable. Also it would allow the fix to not depend on patch 1
for ppc.

Thanks for the suggestion!

> 
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> > ---
> >  monitor.c |   12 ++++++++++++
> >  1 file changed, 12 insertions(+)
> > 
> > diff --git a/monitor.c b/monitor.c
> > index fe0d1bdbb461..1c0b9a2c3ad3 100644
> > --- a/monitor.c
> > +++ b/monitor.c
> > @@ -579,6 +579,9 @@ static void monitor_data_init(Monitor *mon)
> >  
> >  static void monitor_data_destroy(Monitor *mon)
> >  {
> > +    if (mon->mon_cpu) {
> > +        object_unref((Object *) mon->mon_cpu);
> > +    }
> >      qemu_chr_fe_deinit(&mon->chr, false);
> >      if (monitor_is_qmp(mon)) {
> >          json_message_parser_destroy(&mon->qmp.parser);
> > @@ -1047,12 +1050,21 @@ int monitor_set_cpu(int cpu_index)
> >      if (cpu == NULL) {
> >          return -1;
> >      }
> > +    if (cur_mon->mon_cpu) {
> > +        object_unref((Object *) cur_mon->mon_cpu);
> > +    }
> >      cur_mon->mon_cpu = cpu;
> > +    object_ref((Object *) cpu);
> >      return 0;
> >  }
> >  
> >  CPUState *mon_get_cpu(void)
> >  {
> > +    if (cur_mon->mon_cpu &&
> > +        cur_mon->mon_cpu->cpu_index == UNASSIGNED_CPU_INDEX) {
> > +        object_unref((Object *) cur_mon->mon_cpu);
> > +        cur_mon->mon_cpu = NULL;
> > +    }
> >      if (!cur_mon->mon_cpu) {
> >          if (!first_cpu) {
> >              return NULL;
> > 
> >   
> 

Re: [Qemu-devel] [PATCH 2/2] monitor: add proper reference counting of the current CPU

[Igor Mammedov]

On Fri, 13 Oct 2017 12:05:46 +0200
Greg Kurz <groug@kaod.org> wrote:

> On Fri, 13 Oct 2017 11:24:59 +0200
> Igor Mammedov <imammedo@redhat.com> wrote:
> 
> > On Fri, 13 Oct 2017 10:35:31 +0200
> > Greg Kurz <groug@kaod.org> wrote:
> >   
> > > If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"
> > > causes QEMU to exit:
> > > 
> > > (qemu) device_del cpu1
> > > (qemu) info cpus
> > > qemu:qemu_cpu_kick_thread: No such process
> > > 
> > > This happens because "cpu" stores the pointer to the selected CPU into
> > > the monitor structure. When the CPU is hot-unplugged, we end up with a
> > > dangling pointer. The "info cpus" command then does:
> > > 
> > > hmp_info_cpus()
> > >  monitor_get_cpu_index()
> > >   mon_get_cpu()
> > >    cpu_synchronize_state() <--- called with dangling pointer
> > > 
> > > This could cause a QEMU crash as well.
> > > 
> > > This patch switches the monitor to use object_ref() to ensure the
> > > CPU object doesn't vanish unexpectedly. The reference is dropped
> > > either when "cpu" is used to switch to another CPU, or when the
> > > selected CPU is unrealized and cpu_list_remove() sets its cpu_index
> > > back to UNASSIGNED_CPU_INDEX.    
> > I don't really like an idea of leaving dangling cpu around.
> > Is it possible to store QOM path on set_cpu in monitor and
> > resolving it each to instance each time it's needed?
> >   
> 
> It sounds workable. Also it would allow the fix to not depend on patch 1
> for ppc.
yep,
also if you'd touch these cpu_index based monitor commands,
it might make sense to convert them to use qmo path directly
instead if cpu_index (with command completion it would be
easy to use)


> 
> Thanks for the suggestion!
> 
> >   
> > > Signed-off-by: Greg Kurz <groug@kaod.org>
> > > ---
> > >  monitor.c |   12 ++++++++++++
> > >  1 file changed, 12 insertions(+)
> > > 
> > > diff --git a/monitor.c b/monitor.c
> > > index fe0d1bdbb461..1c0b9a2c3ad3 100644
> > > --- a/monitor.c
> > > +++ b/monitor.c
> > > @@ -579,6 +579,9 @@ static void monitor_data_init(Monitor *mon)
> > >  
> > >  static void monitor_data_destroy(Monitor *mon)
> > >  {
> > > +    if (mon->mon_cpu) {
> > > +        object_unref((Object *) mon->mon_cpu);
> > > +    }
> > >      qemu_chr_fe_deinit(&mon->chr, false);
> > >      if (monitor_is_qmp(mon)) {
> > >          json_message_parser_destroy(&mon->qmp.parser);
> > > @@ -1047,12 +1050,21 @@ int monitor_set_cpu(int cpu_index)
> > >      if (cpu == NULL) {
> > >          return -1;
> > >      }
> > > +    if (cur_mon->mon_cpu) {
> > > +        object_unref((Object *) cur_mon->mon_cpu);
> > > +    }
> > >      cur_mon->mon_cpu = cpu;
> > > +    object_ref((Object *) cpu);
> > >      return 0;
> > >  }
> > >  
> > >  CPUState *mon_get_cpu(void)
> > >  {
> > > +    if (cur_mon->mon_cpu &&
> > > +        cur_mon->mon_cpu->cpu_index == UNASSIGNED_CPU_INDEX) {
> > > +        object_unref((Object *) cur_mon->mon_cpu);
> > > +        cur_mon->mon_cpu = NULL;
> > > +    }
> > >      if (!cur_mon->mon_cpu) {
> > >          if (!first_cpu) {
> > >              return NULL;
> > > 
> > >     
> >   
> 

Re: [Qemu-devel] [PATCH 2/2] monitor: add proper reference counting of the current CPU

[Greg Kurz]

On Mon, 16 Oct 2017 10:07:18 +0200
Igor Mammedov <imammedo@redhat.com> wrote:

> On Fri, 13 Oct 2017 12:05:46 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
> > On Fri, 13 Oct 2017 11:24:59 +0200
> > Igor Mammedov <imammedo@redhat.com> wrote:
> >   
> > > On Fri, 13 Oct 2017 10:35:31 +0200
> > > Greg Kurz <groug@kaod.org> wrote:
> > >     
> > > > If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"
> > > > causes QEMU to exit:
> > > > 
> > > > (qemu) device_del cpu1
> > > > (qemu) info cpus
> > > > qemu:qemu_cpu_kick_thread: No such process
> > > > 
> > > > This happens because "cpu" stores the pointer to the selected CPU into
> > > > the monitor structure. When the CPU is hot-unplugged, we end up with a
> > > > dangling pointer. The "info cpus" command then does:
> > > > 
> > > > hmp_info_cpus()
> > > >  monitor_get_cpu_index()
> > > >   mon_get_cpu()
> > > >    cpu_synchronize_state() <--- called with dangling pointer
> > > > 
> > > > This could cause a QEMU crash as well.
> > > > 
> > > > This patch switches the monitor to use object_ref() to ensure the
> > > > CPU object doesn't vanish unexpectedly. The reference is dropped
> > > > either when "cpu" is used to switch to another CPU, or when the
> > > > selected CPU is unrealized and cpu_list_remove() sets its cpu_index
> > > > back to UNASSIGNED_CPU_INDEX.      
> > > I don't really like an idea of leaving dangling cpu around.
> > > Is it possible to store QOM path on set_cpu in monitor and
> > > resolving it each to instance each time it's needed?
> > >     
> > 
> > It sounds workable. Also it would allow the fix to not depend on patch 1
> > for ppc.  
> yep,
> also if you'd touch these cpu_index based monitor commands,
> it might make sense to convert them to use qmo path directly
> instead if cpu_index (with command completion it would be
> easy to use)
> 

Ok, I'll look into that but I'm not sure I can work something out
before soft freeze (2017-10-31 AFAIK).

> 
> > 
> > Thanks for the suggestion!
> >   
> > >     
> > > > Signed-off-by: Greg Kurz <groug@kaod.org>
> > > > ---
> > > >  monitor.c |   12 ++++++++++++
> > > >  1 file changed, 12 insertions(+)
> > > > 
> > > > diff --git a/monitor.c b/monitor.c
> > > > index fe0d1bdbb461..1c0b9a2c3ad3 100644
> > > > --- a/monitor.c
> > > > +++ b/monitor.c
> > > > @@ -579,6 +579,9 @@ static void monitor_data_init(Monitor *mon)
> > > >  
> > > >  static void monitor_data_destroy(Monitor *mon)
> > > >  {
> > > > +    if (mon->mon_cpu) {
> > > > +        object_unref((Object *) mon->mon_cpu);
> > > > +    }
> > > >      qemu_chr_fe_deinit(&mon->chr, false);
> > > >      if (monitor_is_qmp(mon)) {
> > > >          json_message_parser_destroy(&mon->qmp.parser);
> > > > @@ -1047,12 +1050,21 @@ int monitor_set_cpu(int cpu_index)
> > > >      if (cpu == NULL) {
> > > >          return -1;
> > > >      }
> > > > +    if (cur_mon->mon_cpu) {
> > > > +        object_unref((Object *) cur_mon->mon_cpu);
> > > > +    }
> > > >      cur_mon->mon_cpu = cpu;
> > > > +    object_ref((Object *) cpu);
> > > >      return 0;
> > > >  }
> > > >  
> > > >  CPUState *mon_get_cpu(void)
> > > >  {
> > > > +    if (cur_mon->mon_cpu &&
> > > > +        cur_mon->mon_cpu->cpu_index == UNASSIGNED_CPU_INDEX) {
> > > > +        object_unref((Object *) cur_mon->mon_cpu);
> > > > +        cur_mon->mon_cpu = NULL;
> > > > +    }
> > > >      if (!cur_mon->mon_cpu) {
> > > >          if (!first_cpu) {
> > > >              return NULL;
> > > > 
> > > >       
> > >     
> >   
> 

Re: [Qemu-devel] [PATCH 0/2] monitor: increase the refcount of the current CPU

[Cornelia Huck]

On Fri, 13 Oct 2017 10:35:06 +0200
Greg Kurz <groug@kaod.org> wrote:

> If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"
> causes QEMU to exit:
>     
> (qemu) device_del cpu1
> (qemu) info cpus
> qemu:qemu_cpu_kick_thread: No such process
> 
> I could verify that this happens with x86 and ppc, but I guess s390x is
> also impacted.

Not really, as s390x does not support cpu unplug.

> 
> This series tries to fix the issue by using object_ref() and object_unref()
> in the monitor code. For this to work on ppc, some preliminary work is
> needed to let QOM handle the CPU object lifecycle.
> 
> Please comment.
> 
> --
> Greg
> 
> ---
> 
> Greg Kurz (2):
>       spapr_cpu_core: instantiate CPUs separately
>       monitor: add proper reference counting of the current CPU
> 
> 
>  hw/ppc/spapr.c                  |   10 +++-------
>  hw/ppc/spapr_cpu_core.c         |   29 +++++++++--------------------
>  include/hw/ppc/spapr_cpu_core.h |    2 +-
>  monitor.c                       |   12 ++++++++++++
>  4 files changed, 25 insertions(+), 28 deletions(-)
> 

Re: [Qemu-devel] [PATCH 0/2] monitor: increase the refcount of the current CPU

[Greg Kurz]

On Fri, 13 Oct 2017 10:46:22 +0200
Cornelia Huck <cohuck@redhat.com> wrote:

> On Fri, 13 Oct 2017 10:35:06 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
> > If a CPU selected with the "cpu" command is hot-unplugged then "info cpus"
> > causes QEMU to exit:
> >     
> > (qemu) device_del cpu1
> > (qemu) info cpus
> > qemu:qemu_cpu_kick_thread: No such process
> > 
> > I could verify that this happens with x86 and ppc, but I guess s390x is
> > also impacted.  
> 
> Not really, as s390x does not support cpu unplug.
> 

I must admit I didn't check. Thanks for telling me. :)

> > 
> > This series tries to fix the issue by using object_ref() and object_unref()
> > in the monitor code. For this to work on ppc, some preliminary work is
> > needed to let QOM handle the CPU object lifecycle.
> > 
> > Please comment.
> > 
> > --
> > Greg
> > 
> > ---
> > 
> > Greg Kurz (2):
> >       spapr_cpu_core: instantiate CPUs separately
> >       monitor: add proper reference counting of the current CPU
> > 
> > 
> >  hw/ppc/spapr.c                  |   10 +++-------
> >  hw/ppc/spapr_cpu_core.c         |   29 +++++++++--------------------
> >  include/hw/ppc/spapr_cpu_core.h |    2 +-
> >  monitor.c                       |   12 ++++++++++++
> >  4 files changed, 25 insertions(+), 28 deletions(-)
> >   
>