From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Peter Maydell <peter.maydell@linaro.org>, qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Eduardo Habkost <eduardo@habkost.net>,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
Yanan Wang <wangyanan55@huawei.com>,
Zhao Liu <zhao1.liu@intel.com>,
Paolo Bonzini <pbonzini@redhat.com>, Peter Xu <peterx@redhat.com>,
David Hildenbrand <david@redhat.com>
Subject: Re: [PATCH 3/3] physmem: Destroy all CPU AddressSpaces on unrealize
Date: Mon, 29 Sep 2025 17:04:12 +0200 [thread overview]
Message-ID: <80d350a1-a926-41b9-9cd8-93652680484c@linaro.org> (raw)
In-Reply-To: <20250929144228.1994037-4-peter.maydell@linaro.org>
On 29/9/25 16:42, Peter Maydell wrote:
> When we unrealize a CPU object (which happens on vCPU hot-unplug), we
> should destroy all the AddressSpace objects we created via calls to
> cpu_address_space_init() when the CPU was realized.
>
> Commit 24bec42f3d6eae added a function to do this for a specific
> AddressSpace, but did not add any places where the function was
> called.
>
> Since we always want to destroy all the AddressSpaces on unrealize,
> regardless of the target architecture, we don't need to try to keep
> track of how many are still undestroyed, or make the target
> architecture code manually call a destroy function for each AS it
> created. Instead we can adjust the function to always completely
> destroy the whole cpu->ases array, and arrange for it to be called
> during CPU unrealize as part of the common code.
>
> Without this fix, AddressSanitizer will report a leak like this
> from a run where we hot-plugged and then hot-unplugged an x86 KVM
> vCPU:
>
> Direct leak of 416 byte(s) in 1 object(s) allocated from:
> #0 0x5b638565053d in calloc (/data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/qemu-system-x86_64+0x1ee153d) (BuildId: c1cd6022b195142106e1bffeca23498c2b752bca)
> #1 0x7c28083f77b1 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x637b1) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
> #2 0x5b6386999c7c in cpu_address_space_init /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../system/physmem.c:797:25
> #3 0x5b638727f049 in kvm_cpu_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../target/i386/kvm/kvm-cpu.c:102:5
> #4 0x5b6385745f40 in accel_cpu_common_realize /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../accel/accel-common.c:101:13
> #5 0x5b638568fe3c in cpu_exec_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/cpu-common.c:232:10
> #6 0x5b63874a2cd5 in x86_cpu_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../target/i386/cpu.c:9321:5
> #7 0x5b6387a0469a in device_set_realized /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/qdev.c:494:13
> #8 0x5b6387a27d9e in property_set_bool /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:2375:5
> #9 0x5b6387a2090b in object_property_set /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:1450:5
> #10 0x5b6387a35b05 in object_property_set_qobject /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/qom-qobject.c:28:10
> #11 0x5b6387a21739 in object_property_set_bool /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:1520:15
> #12 0x5b63879fe510 in qdev_realize /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/qdev.c:276:12
>
>
> Cc: qemu-stable@nongnu.org
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2517
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> include/exec/cpu-common.h | 10 ++++-----
> include/hw/core/cpu.h | 1 -
> hw/core/cpu-common.c | 1 +
> stubs/cpu-destroy-address-spaces.c | 15 +++++++++++++
> system/physmem.c | 34 ++++++++++++++----------------
> stubs/meson.build | 1 +
> 6 files changed, 38 insertions(+), 24 deletions(-)
> create mode 100644 stubs/cpu-destroy-address-spaces.c
> -void cpu_address_space_destroy(CPUState *cpu, int asidx)
> +void cpu_destroy_address_spaces(CPUState *cpu)
> {
> CPUAddressSpace *cpuas;
> + int asidx;
>
> assert(cpu->cpu_ases);
> - assert(asidx >= 0 && asidx < cpu->num_ases);
>
> - cpuas = &cpu->cpu_ases[asidx];
> - if (tcg_enabled()) {
> - memory_listener_unregister(&cpuas->tcg_as_listener);
> + /* convenience alias just points to some cpu_ases[n] */
> + cpu->as = NULL;
> +
> + for (asidx = 0; asidx < cpu->num_ases; asidx++) {
> + cpuas = &cpu->cpu_ases[asidx];
> + if (!cpuas->as) {
> + /* This index was never initialized; no deinit needed */
> + continue;
> + }
> + if (tcg_enabled()) {
> + memory_listener_unregister(&cpuas->tcg_as_listener);
> + }
> + g_clear_pointer(&cpuas->as, address_space_destroy_free);
> }
>
> - address_space_destroy(cpuas->as);
> - g_free_rcu(cpuas->as, rcu);
> -
> - if (asidx == 0) {
> - /* reset the convenience alias for address space 0 */
> - cpu->as = NULL;
> - }
> -
> - if (--cpu->cpu_ases_count == 0) {
> - g_free(cpu->cpu_ases);
> - cpu->cpu_ases = NULL;
> - }
> + g_clear_pointer(&cpu->cpu_ases, g_free);
> }
Good, this API respects Richard's suggestion on previous attempt:
https://lore.kernel.org/qemu-devel/594b2550-9a73-684f-6e54-29401dc6cd7a@linaro.org/
next prev parent reply other threads:[~2025-09-29 15:04 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-29 14:42 [PATCH 0/3] system: Don't leak CPU AddressSpaces Peter Maydell
2025-09-29 14:42 ` [PATCH 1/3] include/system/memory.h: Clarify address_space_destroy() behaviour Peter Maydell
2025-09-29 16:14 ` David Hildenbrand
2025-09-29 14:42 ` [PATCH 2/3] memory: New AS helper to serialize destroy+free Peter Maydell
2025-09-29 16:15 ` David Hildenbrand
2025-09-29 14:42 ` [PATCH 3/3] physmem: Destroy all CPU AddressSpaces on unrealize Peter Maydell
2025-09-29 15:04 ` Philippe Mathieu-Daudé [this message]
2025-09-29 16:17 ` David Hildenbrand
2025-09-29 15:02 ` [PATCH 0/3] system: Don't leak CPU AddressSpaces Philippe Mathieu-Daudé
2025-09-29 19:03 ` Peter Xu
2025-10-01 20:36 ` Richard Henderson
2025-10-01 21:37 ` Peter Xu
2025-10-01 21:59 ` Richard Henderson
2025-10-02 8:30 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=80d350a1-a926-41b9-9cd8-93652680484c@linaro.org \
--to=philmd@linaro.org \
--cc=david@redhat.com \
--cc=eduardo@habkost.net \
--cc=marcel.apfelbaum@gmail.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=peterx@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=wangyanan55@huawei.com \
--cc=zhao1.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).