[Qemu-devel] [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Qemu-devel] [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Juergen Gross]

The error exits of xen_pv_find_xendev() free the new xen-device via
g_free() which is wrong.

As the xen-device has been initialized as qdev it must be removed
via qdev_unplug().

This bug has been introduced with commit 3a6c9172ac5951e6dac2b3f6
("xen: create qdev for each backend device").

Reported-by: Roger Pau Monné <roger.pau@citrix.com>
Tested-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
---
V2: set free method to avoid memory leak (Peter Maydell)
    use DEVICE(xendev) instead of &xendev->qdev (Peter Maydell)
---
 hw/xen/xen_backend.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
index d119004..6c21c37 100644
--- a/hw/xen/xen_backend.c
+++ b/hw/xen/xen_backend.c
@@ -124,10 +124,11 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
     /* init new xendev */
     xendev = g_malloc0(ops->size);
     object_initialize(&xendev->qdev, ops->size, TYPE_XENBACKEND);
-    qdev_set_parent_bus(&xendev->qdev, xen_sysbus);
-    qdev_set_id(&xendev->qdev, g_strdup_printf("xen-%s-%d", type, dev));
-    qdev_init_nofail(&xendev->qdev);
-    object_unref(OBJECT(&xendev->qdev));
+    OBJECT(xendev)->free = g_free;
+    qdev_set_parent_bus(DEVICE(xendev), xen_sysbus);
+    qdev_set_id(DEVICE(xendev), g_strdup_printf("xen-%s-%d", type, dev));
+    qdev_init_nofail(DEVICE(xendev));
+    object_unref(OBJECT(xendev));
 
     xendev->type  = type;
     xendev->dom   = dom;
@@ -145,7 +146,7 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
     xendev->evtchndev = xenevtchn_open(NULL, 0);
     if (xendev->evtchndev == NULL) {
         xen_pv_printf(NULL, 0, "can't open evtchn device\n");
-        g_free(xendev);
+        qdev_unplug(DEVICE(xendev), NULL);
         return NULL;
     }
     fcntl(xenevtchn_fd(xendev->evtchndev), F_SETFD, FD_CLOEXEC);
@@ -155,7 +156,7 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
         if (xendev->gnttabdev == NULL) {
             xen_pv_printf(NULL, 0, "can't open gnttab device\n");
             xenevtchn_close(xendev->evtchndev);
-            g_free(xendev);
+            qdev_unplug(DEVICE(xendev), NULL);
             return NULL;
         }
     } else {
-- 
2.10.2

Re: [Qemu-devel] [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Stefano Stabellini]

Hi Peter,

do you think this is acceptable?

Thanks,

Stefano

On Wed, 1 Feb 2017, Juergen Gross wrote:
> The error exits of xen_pv_find_xendev() free the new xen-device via
> g_free() which is wrong.
> 
> As the xen-device has been initialized as qdev it must be removed
> via qdev_unplug().
> 
> This bug has been introduced with commit 3a6c9172ac5951e6dac2b3f6
> ("xen: create qdev for each backend device").
> 
> Reported-by: Roger Pau Monné <roger.pau@citrix.com>
> Tested-by: Roger Pau Monné <roger.pau@citrix.com>
> Signed-off-by: Juergen Gross <jgross@suse.com>
> ---
> V2: set free method to avoid memory leak (Peter Maydell)
>     use DEVICE(xendev) instead of &xendev->qdev (Peter Maydell)
> ---
>  hw/xen/xen_backend.c | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
> index d119004..6c21c37 100644
> --- a/hw/xen/xen_backend.c
> +++ b/hw/xen/xen_backend.c
> @@ -124,10 +124,11 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
>      /* init new xendev */
>      xendev = g_malloc0(ops->size);
>      object_initialize(&xendev->qdev, ops->size, TYPE_XENBACKEND);
> -    qdev_set_parent_bus(&xendev->qdev, xen_sysbus);
> -    qdev_set_id(&xendev->qdev, g_strdup_printf("xen-%s-%d", type, dev));
> -    qdev_init_nofail(&xendev->qdev);
> -    object_unref(OBJECT(&xendev->qdev));
> +    OBJECT(xendev)->free = g_free;
> +    qdev_set_parent_bus(DEVICE(xendev), xen_sysbus);
> +    qdev_set_id(DEVICE(xendev), g_strdup_printf("xen-%s-%d", type, dev));
> +    qdev_init_nofail(DEVICE(xendev));
> +    object_unref(OBJECT(xendev));
>  
>      xendev->type  = type;
>      xendev->dom   = dom;
> @@ -145,7 +146,7 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
>      xendev->evtchndev = xenevtchn_open(NULL, 0);
>      if (xendev->evtchndev == NULL) {
>          xen_pv_printf(NULL, 0, "can't open evtchn device\n");
> -        g_free(xendev);
> +        qdev_unplug(DEVICE(xendev), NULL);
>          return NULL;
>      }
>      fcntl(xenevtchn_fd(xendev->evtchndev), F_SETFD, FD_CLOEXEC);
> @@ -155,7 +156,7 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
>          if (xendev->gnttabdev == NULL) {
>              xen_pv_printf(NULL, 0, "can't open gnttab device\n");
>              xenevtchn_close(xendev->evtchndev);
> -            g_free(xendev);
> +            qdev_unplug(DEVICE(xendev), NULL);
>              return NULL;
>          }
>      } else {
> -- 
> 2.10.2
> 

Re: [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Stefano Stabellini]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2571 bytes --]

Hi Peter,

do you think this is acceptable?

Thanks,

Stefano

On Wed, 1 Feb 2017, Juergen Gross wrote:
> The error exits of xen_pv_find_xendev() free the new xen-device via
> g_free() which is wrong.
> 
> As the xen-device has been initialized as qdev it must be removed
> via qdev_unplug().
> 
> This bug has been introduced with commit 3a6c9172ac5951e6dac2b3f6
> ("xen: create qdev for each backend device").
> 
> Reported-by: Roger Pau Monné <roger.pau@citrix.com>
> Tested-by: Roger Pau Monné <roger.pau@citrix.com>
> Signed-off-by: Juergen Gross <jgross@suse.com>
> ---
> V2: set free method to avoid memory leak (Peter Maydell)
>     use DEVICE(xendev) instead of &xendev->qdev (Peter Maydell)
> ---
>  hw/xen/xen_backend.c | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
> index d119004..6c21c37 100644
> --- a/hw/xen/xen_backend.c
> +++ b/hw/xen/xen_backend.c
> @@ -124,10 +124,11 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
>      /* init new xendev */
>      xendev = g_malloc0(ops->size);
>      object_initialize(&xendev->qdev, ops->size, TYPE_XENBACKEND);
> -    qdev_set_parent_bus(&xendev->qdev, xen_sysbus);
> -    qdev_set_id(&xendev->qdev, g_strdup_printf("xen-%s-%d", type, dev));
> -    qdev_init_nofail(&xendev->qdev);
> -    object_unref(OBJECT(&xendev->qdev));
> +    OBJECT(xendev)->free = g_free;
> +    qdev_set_parent_bus(DEVICE(xendev), xen_sysbus);
> +    qdev_set_id(DEVICE(xendev), g_strdup_printf("xen-%s-%d", type, dev));
> +    qdev_init_nofail(DEVICE(xendev));
> +    object_unref(OBJECT(xendev));
>  
>      xendev->type  = type;
>      xendev->dom   = dom;
> @@ -145,7 +146,7 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
>      xendev->evtchndev = xenevtchn_open(NULL, 0);
>      if (xendev->evtchndev == NULL) {
>          xen_pv_printf(NULL, 0, "can't open evtchn device\n");
> -        g_free(xendev);
> +        qdev_unplug(DEVICE(xendev), NULL);
>          return NULL;
>      }
>      fcntl(xenevtchn_fd(xendev->evtchndev), F_SETFD, FD_CLOEXEC);
> @@ -155,7 +156,7 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
>          if (xendev->gnttabdev == NULL) {
>              xen_pv_printf(NULL, 0, "can't open gnttab device\n");
>              xenevtchn_close(xendev->evtchndev);
> -            g_free(xendev);
> +            qdev_unplug(DEVICE(xendev), NULL);
>              return NULL;
>          }
>      } else {
> -- 
> 2.10.2
> 

[-- Attachment #2: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Qemu-devel] [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Peter Maydell]

On 1 February 2017 at 19:37, Stefano Stabellini <sstabellini@kernel.org> wrote:
> Hi Peter,
>
> do you think this is acceptable?

The set of operations here is basically what I suggested
in review of v1, so I think it is the right thing.
OTOH this is a bit of an odd corner of the QOM model
so it might be worth doing some testing to make sure
the reference counts are doing what you (I) expect and
that the object does get correctly freed both in the
error-handling path here and when the device is
unplugged via xen_pv_del_xendev().

thanks
-- PMM

Re: [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Peter Maydell]

On 1 February 2017 at 19:37, Stefano Stabellini <sstabellini@kernel.org> wrote:
> Hi Peter,
>
> do you think this is acceptable?

The set of operations here is basically what I suggested
in review of v1, so I think it is the right thing.
OTOH this is a bit of an odd corner of the QOM model
so it might be worth doing some testing to make sure
the reference counts are doing what you (I) expect and
that the object does get correctly freed both in the
error-handling path here and when the device is
unplugged via xen_pv_del_xendev().

thanks
-- PMM

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Qemu-devel] [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Juergen Gross]

On 01/02/17 21:20, Peter Maydell wrote:
> On 1 February 2017 at 19:37, Stefano Stabellini <sstabellini@kernel.org> wrote:
>> Hi Peter,
>>
>> do you think this is acceptable?
> 
> The set of operations here is basically what I suggested
> in review of v1, so I think it is the right thing.
> OTOH this is a bit of an odd corner of the QOM model
> so it might be worth doing some testing to make sure
> the reference counts are doing what you (I) expect and
> that the object does get correctly freed both in the
> error-handling path here and when the device is
> unplugged via xen_pv_del_xendev().

I've used my_g_free() printing a log message when called instead of
g_free() in a test. I could verify it has been called when the
device was unplugged. This test covered xen_pv_del_xendev() and
an error handling path.


Juergen

Re: [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Juergen Gross]

On 01/02/17 21:20, Peter Maydell wrote:
> On 1 February 2017 at 19:37, Stefano Stabellini <sstabellini@kernel.org> wrote:
>> Hi Peter,
>>
>> do you think this is acceptable?
> 
> The set of operations here is basically what I suggested
> in review of v1, so I think it is the right thing.
> OTOH this is a bit of an odd corner of the QOM model
> so it might be worth doing some testing to make sure
> the reference counts are doing what you (I) expect and
> that the object does get correctly freed both in the
> error-handling path here and when the device is
> unplugged via xen_pv_del_xendev().

I've used my_g_free() printing a log message when called instead of
g_free() in a test. I could verify it has been called when the
device was unplugged. This test covered xen_pv_del_xendev() and
an error handling path.


Juergen

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Qemu-devel] [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Stefano Stabellini]

On Thu, 2 Feb 2017, Juergen Gross wrote:
> On 01/02/17 21:20, Peter Maydell wrote:
> > On 1 February 2017 at 19:37, Stefano Stabellini <sstabellini@kernel.org> wrote:
> >> Hi Peter,
> >>
> >> do you think this is acceptable?
> > 
> > The set of operations here is basically what I suggested
> > in review of v1, so I think it is the right thing.
> > OTOH this is a bit of an odd corner of the QOM model
> > so it might be worth doing some testing to make sure
> > the reference counts are doing what you (I) expect and
> > that the object does get correctly freed both in the
> > error-handling path here and when the device is
> > unplugged via xen_pv_del_xendev().
> 
> I've used my_g_free() printing a log message when called instead of
> g_free() in a test. I could verify it has been called when the
> device was unplugged. This test covered xen_pv_del_xendev() and
> an error handling path.

Thanks Juergen for testing. I'll commit shortly.

Re: [PATCH v2] xen: use qdev_unplug() instead of g_free() in xen_pv_find_xendev()

[Stefano Stabellini]

On Thu, 2 Feb 2017, Juergen Gross wrote:
> On 01/02/17 21:20, Peter Maydell wrote:
> > On 1 February 2017 at 19:37, Stefano Stabellini <sstabellini@kernel.org> wrote:
> >> Hi Peter,
> >>
> >> do you think this is acceptable?
> > 
> > The set of operations here is basically what I suggested
> > in review of v1, so I think it is the right thing.
> > OTOH this is a bit of an odd corner of the QOM model
> > so it might be worth doing some testing to make sure
> > the reference counts are doing what you (I) expect and
> > that the object does get correctly freed both in the
> > error-handling path here and when the device is
> > unplugged via xen_pv_del_xendev().
> 
> I've used my_g_free() printing a log message when called instead of
> g_free() in a test. I could verify it has been called when the
> device was unplugged. This test covered xen_pv_del_xendev() and
> an error handling path.

Thanks Juergen for testing. I'll commit shortly.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel