From: Peter Xu <peterx@redhat.com>
To: Richard Henderson <richard.henderson@linaro.org>
Cc: qemu-devel@nongnu.org, "Peter Maydell" <peter.maydell@linaro.org>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Zhao Liu" <zhao1.liu@intel.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"David Hildenbrand" <david@redhat.com>
Subject: Re: [PATCH 0/3] system: Don't leak CPU AddressSpaces
Date: Wed, 1 Oct 2025 17:37:46 -0400 [thread overview]
Message-ID: <aN2fKu6wfPSQx05S@x1.local> (raw)
In-Reply-To: <1c567b4a-4966-4374-8851-81c9b1393d8a@linaro.org>
On Wed, Oct 01, 2025 at 01:36:16PM -0700, Richard Henderson wrote:
> On 9/29/25 07:42, Peter Maydell wrote:
> > When a vCPU is created, it typically calls cpu_address_space_init()
> > one or more times to set up its address spaces. We don't currently
> > do anything to destroy these address spaces, which means that we
> > will leak them on a vcpu hot-plug -> hot-unplug cycle.
> >
> > This patchset fixes the leak by replacing the current
> > cpu_address_space_destroy() (which has an awkward API, includes
> > a bug, and is never called from anywhere) with a new
> > cpu_destroy_address_spaces() which cleans up all the ASes a CPU
> > has and is called from generic unrealize code.
> >
> > Patch 1 is just a comment improvement to clarify that
> > address_space_destroy() defers most of its work to RCU and you
> > can't free the memory for the AS struct itself until it's done.
> >
> > Patch 2 is from Peter Xu; we need to be able to do "destroy and
> > free an AS" via RCU, and at the moment you can't do that.
> >
> > Patch 3 is the bugfix proper.
>
> So... I wonder this is really the right direction.
>
> To be specific:
>
> Over in split-accel-land we recently had a bit of a kerfuffle over TCG
> registering its MemoryListener with all of the per-cpu address spaces and
> HVF not doing so. Things get even more complicated when one finds out that
> some MemoryListener callbacks are only used with "global" address spaces and
> some are only used with the per-cpu address spaces.
I only have a very preliminary understanding on this, so please bare with
me if I'll make silly mistakes...
I was expecting QEMU provides both the global view (address_space_memory),
and the per-vcpu view. Then we can register to any of them on demand.
Then the global views can be the so-called "board model" mentioned below.
Is it not the case?
The root MR is also shared in this case, making sure the address space
operations internally will share the same flatview.
>
> On reflection, it seems to me that no address spaces should be owned by the
> cpus. All address spaces should be owned by the board model, and it should
> be the board model that configures the address spaces used by each cpu.
>
> If we do this then address spaces, and even the array of address spaces, may
> be created once by the board, shared between all (relevant) cpus, and not
> destroyed by cpu unplug.
>
> Moreover, in the context of virtualization, there's now exactly one address
> space (since Arm Secure and Tag memory spaces are not required or supported
> except by emulation; I assume the same is true for x86 smm), and the
> aforementioned kerfuffle goes away. There's no difference between global
> and per-cpu address spaces.
>
> Anyway, it seems like this provides the same flexibility in the complex
> heterogeneous case and simplifies things for the homogeneous virtualization
> case.
We have another question to ask besides this design discussion: Peter's
series here solidly fixes a memory leak that can easily reproduce with
x86_64 + KVM on cpu hotplugs.
Should we still merge it first considering it didn't change how we manage
per-vcpu address spaces, but only fixing it? Then anything like a big
overhaul can happen on top too.
Thanks,
--
Peter Xu
next prev parent reply other threads:[~2025-10-01 21:40 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-29 14:42 [PATCH 0/3] system: Don't leak CPU AddressSpaces Peter Maydell
2025-09-29 14:42 ` [PATCH 1/3] include/system/memory.h: Clarify address_space_destroy() behaviour Peter Maydell
2025-09-29 16:14 ` David Hildenbrand
2025-09-29 14:42 ` [PATCH 2/3] memory: New AS helper to serialize destroy+free Peter Maydell
2025-09-29 16:15 ` David Hildenbrand
2025-09-29 14:42 ` [PATCH 3/3] physmem: Destroy all CPU AddressSpaces on unrealize Peter Maydell
2025-09-29 15:04 ` Philippe Mathieu-Daudé
2025-09-29 16:17 ` David Hildenbrand
2025-09-29 15:02 ` [PATCH 0/3] system: Don't leak CPU AddressSpaces Philippe Mathieu-Daudé
2025-09-29 19:03 ` Peter Xu
2025-10-01 20:36 ` Richard Henderson
2025-10-01 21:37 ` Peter Xu [this message]
2025-10-01 21:59 ` Richard Henderson
2025-10-02 8:30 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aN2fKu6wfPSQx05S@x1.local \
--to=peterx@redhat.com \
--cc=david@redhat.com \
--cc=ehabkost@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=zhao1.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).