From: Don Slutz
References: <1448921464-21845-1-git-send-email-Don.Slutz@Gmail.com> <565D6DCE.5010707@redhat.com>
Message-ID: <565F6B04.7000407@Gmail.com>
Date: Wed, 2 Dec 2015 17:04:52 -0500
In-Reply-To: <565D6DCE.5010707@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] exec: Stop using memory after free
To: Paolo Bonzini , qemu-devel@nongnu.org
Cc: Richard Henderson , Gonglei , Peter Crosthwaite

On 12/01/15 04:52, Paolo Bonzini wrote:
>
>
> On 30/11/2015 23:11, Don Slutz wrote:
>> memory_region_unref(mr) can free memory.
>>
>> For example I got:
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x7f43280d4700 (LWP 4462)]
>> 0x00007f43323283c0 in phys_section_destroy (mr=0x7f43259468b0)
>>     at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
>> 1023        if (mr->subpage) {
>> (gdb) bt
>>     at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
>>     at /home/don/xen/tools/qemu-xen-dir/exec.c:1034
>>     at /home/don/xen/tools/qemu-xen-dir/exec.c:2205
>> (gdb) p mr
>> $1 = (MemoryRegion *) 0x7f43259468b0
>>
>> And this change prevents this.
>
> Great, thanks!  I think this fixes also the problem that Gonglei was
> seeing a few months ago.  I'll queue it for 2.5.
>

Thanks.

> BTW, since I have your attention, have you noticed my refresh/rewrite of
> your SAS1068 patches?  A review would be welcome.
>

It has been on the list of things to do.  Since I no longer work for
Verizon, it is now a non-work time event.  I also no longer have access
to the testing machines that I had used.

   -Don Slutz

> Paolo
>
>> Signed-off-by: Don Slutz
>> ---
>>  exec.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/exec.c b/exec.c
>> index de1cf19..0bf0a6e 100644
>> --- a/exec.c
>> +++ b/exec.c
>> @@ -1064,9 +1064,11 @@ static uint16_t phys_section_add(PhysPageMap *map, >> >> static void phys_section_destroy(MemoryRegion *mr) >> { >> + bool have_sub_page = mr->subpage; >> + >> memory_region_unref(mr); >> >> - if (mr->subpage) { >> + if (have_sub_page) { >> subpage_t *subpage = container_of(mr, subpage_t, iomem); >> object_unref(OBJECT(&subpage->iomem)); >> g_free(subpage); >>
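Review bot: Missing documentation in the phys_section_destroy hunk: the reason `mr->subpage` is copied into `have_sub_page` before `memory_region_unref(mr)` lives only in the commit message, so a later cleanup could fold the local back into the `if` and reintroduce the read of `mr` after its owner may have been freed. Suggest a one-line comment above the local, e.g. `/* memory_region_unref() may free mr; read the flag first. */`. The remaining use of `mr` inside the `if`, `container_of(mr, subpage_t, iomem)`, is pointer arithmetic only and the subpage struct is released only by the `g_free(subpage)` at the end of this block, so that part of the ordering is fine as written.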
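The ordering bug the patch fixes, shown in a self-contained model; this is an added example and not QEMU's code. A `Region` is embedded in a reference-counted `Owner`, so dropping the last reference frees the owner and the region with it, and reading a field of the region after the unref is a use-after-free. To make the stale read observable without relying on undefined behaviour, owners here come from a small fixed pool with a `live` flag rather than the heap, and a checked accessor reports when the backing owner is gone; all type and function names (`Owner`, `Region`, `owner_unref`, `destroy_reads_after_unref`, `destroy_reads_before_unref`) are hypothetical.

```c
/* Added example, not QEMU code: models why reading mr->subpage after
 * memory_region_unref(mr) is unsafe, and the snapshot-first fix. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct Region {
    bool subpage;
    struct Owner *owner;   /* NULL for a standalone region */
} Region;

typedef struct Owner {
    int refcount;
    bool live;             /* pool bookkeeping: false once "freed" */
    Region iomem;          /* region embedded in its owner, as in QEMU */
} Owner;

#define POOL_SIZE 4
static Owner pool[POOL_SIZE];   /* stands in for the heap (constructed) */

/* "Allocate" an owner from the pool holding one reference. */
static Owner *owner_new(bool subpage) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = true;
            pool[i].refcount = 1;
            pool[i].iomem.subpage = subpage;
            pool[i].iomem.owner = &pool[i];
            return &pool[i];
        }
    }
    return NULL;
}

/* Drop a reference; on the last one the object is "freed" and poisoned,
 * which is what a real allocator would do to the embedded region too. */
static void owner_unref(Owner *o) {
    if (o && --o->refcount == 0) {
        o->live = false;
        o->iomem.subpage = true;   /* poison: the old value is gone */
    }
}

static void region_unref(Region *r) {
    if (r->owner) owner_unref(r->owner);
}

/* Checked accessor: -1 means the owner backing r has been released. */
static int region_subpage_checked(const Region *r) {
    if (r->owner && !r->owner->live) return -1;
    return r->subpage ? 1 : 0;
}

/* Original ordering: the flag is read after the reference is dropped. */
static int destroy_reads_after_unref(Region *r) {
    region_unref(r);
    return region_subpage_checked(r);   /* stale once the owner is gone */
}

/* Patched ordering: snapshot the flag, then drop the reference. */
static int destroy_reads_before_unref(Region *r) {
    int have_sub_page = region_subpage_checked(r);
    region_unref(r);
    return have_sub_page;
}

int main(void) {
    Owner *a = owner_new(false);
    printf("read after unref (last ref): %d\n", destroy_reads_after_unref(&a->iomem));
    Owner *b = owner_new(false);
    printf("read before unref (last ref): %d\n", destroy_reads_before_unref(&b->iomem));
    Owner *c = owner_new(false);
    c->refcount = 2;   /* someone else still holds a reference */
    printf("read after unref (not last ref): %d\n", destroy_reads_after_unref(&c->iomem));
    return 0;
}
```

The third case in `main` is why the bug is intermittent: the read after the unref is only wrong when that unref was the last reference, which depends on what else holds the owner at the time, so a test that keeps an extra reference never sees it.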