Xen project Mailing List

[Xen-devel] [BUGFIX][PATCH v2 1/4] exec: Do not use MemoryRegion after free

To: qemu-devel@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxx

Date: Mon, 8 Jun 2015 17:18:49 -0400

Cc: Paul Durrant <paul.durrant@xxxxxxxxxx>, Don Slutz <don.slutz@xxxxxxxxx>, Don Slutz <dslutz@xxxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>

Delivery-date: Mon, 08 Jun 2015 21:19:05 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Here is gdb output that shows this happening: Breakpoint 3, object_finalize (data=0x7fdf32a14010) at qom/object.c:417 417 obj->free(obj); (gdb) bt #0 object_finalize (data=0x7fdf32a14010) at qom/object.c:417 #1 0x00000000007329d4 in object_unref (obj=0x7fdf32a14010) at qom/object.c:720 #2 0x0000000000468a65 in memory_region_unref (mr=0x7fdf32a168b0) at xen/tools/qemu-xen-dir/memory.c:1359 #3 0x000000000040eb52 in phys_section_destroy (mr=0x7fdf32a168b0) at xen/tools/qemu-xen-dir/exec.c:960 #4 0x000000000040ec0a in phys_sections_free (map=0x3e51fc8) at xen/tools/qemu-xen-dir/exec.c:973 #5 0x0000000000411cc9 in address_space_dispatch_free (d=0x3e51fb0) at xen/tools/qemu-xen-dir/exec.c:2133 #6 0x0000000000840ae2 in call_rcu_thread (opaque=0x0) at util/rcu.c:256 #7 0x00000032fdc07d14 in start_thread (arg=0x7fdf34866700) at pthread_create.c:309 #8 0x00000032fd4f168d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115 (gdb) p obj $5 = (Object *) 0x7fdf32a14010 (gdb) p *obj $6 = {class = 0x302f380, free = 0x40a1e0 <g_free@plt>, properties = {tqh_first = 0x0, tqh_last = 0x7fdf32a14020}, ref = 0, parent = 0x0} (gdb) up #1 0x00000000007329d4 in object_unref (obj=0x7fdf32a14010) at qom/object.c:720 720 object_finalize(obj); (gdb) up #2 0x0000000000468a65 in memory_region_unref (mr=0x7fdf32a168b0) at xen/tools/qemu-xen-dir/memory.c:1359 1359 object_unref(obj->parent); (gdb) up #3 0x000000000040eb52 in phys_section_destroy (mr=0x7fdf32a168b0) at xen/tools/qemu-xen-dir/exec.c:960 960 memory_region_unref(mr); (gdb) l 955 return map->sections_nb++; 956 } 957 958 static void phys_section_destroy(MemoryRegion *mr) 959 { 960 memory_region_unref(mr); 961 962 if (mr->subpage) { 963 subpage_t *subpage = container_of(mr, subpage_t, iomem); 964 object_unref(OBJECT(&subpage->iomem)); (gdb) p mr $7 = (MemoryRegion *) 0x7fdf32a168b0 (gdb) p mr->subpage $9 = false (gdb) n 419 } (gdb) n object_unref (obj=0x7fdf32a14010) at qom/object.c:722 722 } (gdb) n memory_region_unref (mr=0x7fdf32a168b0) at xen/tools/qemu-xen-dir/memory.c:1363 1363 } (gdb) n phys_section_destroy (mr=0x7fdf32a168b0) at xen/tools/qemu-xen-dir/exec.c:962 962 if (mr->subpage) { (gdb) p mr $10 = (MemoryRegion *) 0x7fdf32a168b0 (gdb) p *mr Cannot access memory at address 0x7fdf32a168b0 Signed-off-by: Don Slutz <dslutz@xxxxxxxxxxx> CC: Don Slutz <don.slutz@xxxxxxxxx> --- exec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/exec.c b/exec.c index 487583b..2f44a80 100644 --- a/exec.c +++ b/exec.c @@ -957,10 +957,14 @@ static uint16_t phys_section_add(PhysPageMap *map, static void phys_section_destroy(MemoryRegion *mr) { - memory_region_unref(mr); + subpage_t *subpage = NULL; if (mr->subpage) { - subpage_t *subpage = container_of(mr, subpage_t, iomem); + subpage = container_of(mr, subpage_t, iomem); + } + memory_region_unref(mr); + + if (subpage) { object_unref(OBJECT(&subpage->iomem)); g_free(subpage); } -- 1.8.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.