From nobody Tue Nov 4 21:21:18 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1531409691530623.9546205995224; Thu, 12 Jul 2018 08:34:51 -0700 (PDT) Received: from localhost ([::1]:60782 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fddcI-0007M4-Ec for importer@patchew.org; Thu, 12 Jul 2018 11:34:50 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:37597) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fddYq-0005Kr-4k for qemu-devel@nongnu.org; Thu, 12 Jul 2018 11:31:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fddYl-0007st-Uz for qemu-devel@nongnu.org; Thu, 12 Jul 2018 11:31:16 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:38062 helo=mx1.redhat.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fddYi-0007n5-LE; Thu, 12 Jul 2018 11:31:08 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4231EC32E; Thu, 12 Jul 2018 15:31:08 +0000 (UTC) Received: from thh440s.redhat.com (ovpn-116-19.ams2.redhat.com [10.36.116.19]) by smtp.corp.redhat.com (Postfix) with ESMTP id 956A31C66C; Thu, 12 Jul 2018 15:31:06 +0000 (UTC) 
From: Thomas Huth
To: qemu-devel@nongnu.org, Peter Maydell, Paolo Bonzini
Cc: qemu-arm@nongnu.org, Markus Armbruster, Eduardo Habkost
Date: Thu, 12 Jul 2018 17:30:59 +0200
Message-Id: <1531409463-3843-2-git-send-email-thuth@redhat.com>
In-Reply-To: <1531409463-3843-1-git-send-email-thuth@redhat.com>
Subject: [Qemu-devel] [PATCH 1/5] qom/object: Add a new function object_initialize_as_child()

A lot of code is using the object_initialize() function followed by a call to object_property_add_child() to add the newly initialized object as a child of the current object. Both functions increase the reference counter of the new object, but many spots that call these two functions then forget to drop one of the superfluous references. So the newly created object is often not cleaned up correctly when the parent is destroyed. In the worst case, this can cause crashes, e.g. because device objects are not correctly removed from their parent_bus.
Since this is a common pattern between many code spots, let's introduce a new function that takes care of calling all three required initialization functions, first object_initialize(), then object_property_add_child() and finally object_unref().

Signed-off-by: Thomas Huth
---
 include/qom/object.h | 19 +++++++++++++++++++
 qom/object.c | 14 ++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/include/qom/object.h b/include/qom/object.h index f3d2308..c1b254c 100644 --- a/include/qom/object.h +++ b/include/qom/object.h @@ -749,6 +749,25 @@ int object_set_propv(Object *obj, void object_initialize(void *obj, size_t size, const char *typename); =20 /** + * object_initialize_as_child: + * @parentobj: The parent object to add a property to + * @propname: The name of the property + * @childobj: A pointer to the memory to be used for the object. + * @size: The maximum size available at @obj for the object. + * @type: The name of the type of the object to instantiate. + * @errp: If an error occurs, a pointer to an area to store the area + * + * This function will initialize an object. The memory for the object shou= ld + * have already been allocated. The object will then be added as child pro= perty + * to a parent with object_property_add_child() function. The returned obj= ect + * has a reference count of 1, and will be finalized when the last referen= ce is + * dropped. + */ +void object_initialize_as_child(Object *parentobj, const char *propname, + void *childobj, size_t size, const char *t= ype, + Error **errp); + +/** * object_dynamic_cast: * @obj: The object to cast. * @typename: The @typename to cast to. diff --git a/qom/object.c b/qom/object.c index 4609e34..de2ded0 100644 --- a/qom/object.c +++ b/qom/object.c
@@ -392,6 +392,20 @@ void object_initialize(void *data, size_t size, const = char *typename) object_initialize_with_type(data, size, type); } =20 +void object_initialize_as_child(Object *parentobj, const char *propname, + void *childobj, size_t size, const char *t= ype, + Error **errp) +{ + object_initialize(childobj, size, type); + object_property_add_child(parentobj, propname, OBJECT(childobj), errp); + /* + * Since object_property_add_child added a reference to the child obje= ct, + * we can drop the initial reference from object_initialize now. + */ + object_unref(OBJECT(childobj)); +} + + static inline bool object_property_is_child(ObjectProperty *prop) { return strstart(prop->type, "child<", NULL); --=20 1.8.3.1
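Review bot: the doc comment in the include/qom/object.h hunk does not match the prototype it documents: "@size: The maximum size available at @obj" should refer to @childobj, "@errp: If an error occurs, a pointer to an area to store the area" should end "to store the error", and "The returned object has a reference count of 1" describes a function declared void, so "the newly initialized object" would be accurate. This comment is what callers will read to learn that they must not object_unref() the child themselves, so it is worth getting right in this patch.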
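Review bot: in the qom/object.c hunk object_unref(OBJECT(childobj)) runs unconditionally, including when object_property_add_child() has failed and set *errp. In that case no reference was taken on behalf of the parent, so the unref drops the only reference and finalizes the object in memory the caller still owns; either return early when the add fails (check a local Error and propagate it) or state in the comment that the child must not be touched after a failure. The hunk also adds two blank "+" lines before object_property_is_child(), leaving a double blank line.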
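To make the reference-counting argument of patch 1/5 concrete, here is an added example that is not QEMU code and not part of this series: a toy model in C whose Obj and Bus types and obj_initialize(), obj_add_child(), obj_unref() and bus_attach() helpers are hypothetical stand-ins for Object, BusState, object_initialize(), object_property_add_child(), object_unref() and qdev_set_parent_bus(). It shows the child's count ending at 2 with the init-plus-add-child pattern and at 1 with the pattern object_initialize_as_child() and sysbus_init_child_obj() encode, and why the leaked child leaves a dangling entry on the bus once the parent is finalized, which is the "info qtree" crash described in patch 3/5.

```c
/* Added example, not QEMU code: toy model of the QOM refcount pattern fixed by
 * this series. Obj/Bus and the obj_*()/bus_*() helpers are hypothetical stand-ins
 * for Object, BusState, object_initialize(), object_property_add_child(),
 * object_unref() and qdev_set_parent_bus(). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINKS 4

typedef struct Bus { struct Obj *devices[MAX_LINKS]; int ndevices; } Bus;

typedef struct Obj {
    int ref;                          /* reference count */
    bool finalized;                   /* true once the last reference is dropped */
    Bus *bus;                         /* bus this device is attached to, or NULL */
    struct Obj *children[MAX_LINKS];  /* child properties; each one owns a ref */
    int nchildren;
} Obj;
static void obj_unref(Obj *o);

/* object_initialize(): caller-provided memory becomes a live object, ref == 1. */
static void obj_initialize(Obj *o) { memset(o, 0, sizeof(*o)); o->ref = 1; }

/* object_property_add_child(): the parent takes a reference of its own. */
static void obj_add_child(Obj *parent, Obj *child)
{
    parent->children[parent->nchildren++] = child;
    child->ref++;
}

/* qdev_set_parent_bus(): the bus stores a raw pointer and takes no reference. */
static void bus_attach(Bus *bus, Obj *dev)
{
    bus->devices[bus->ndevices++] = dev;
    dev->bus = bus;
}

/* Finalization is the only place a device is unlinked from its bus, and the
 * only place a parent releases the references it holds on its children. */
static void obj_finalize(Obj *o)
{
    o->finalized = true;
    for (int i = 0; o->bus && i < o->bus->ndevices; i++) {
        if (o->bus->devices[i] == o) {
            o->bus->devices[i] = o->bus->devices[--o->bus->ndevices];
            break;
        }
    }
    for (int i = 0; i < o->nchildren; i++) {
        obj_unref(o->children[i]);
    }
    o->nchildren = 0;
}

static void obj_unref(Obj *o) { if (--o->ref == 0) obj_finalize(o); }

/* Builds parent -> child -> bus either the leaky way (init + add_child: two
 * refs, none dropped) or the way object_initialize_as_child() and
 * sysbus_init_child_obj() do it (drop the initial ref; only the parent's is left). */
static void build(bool fixed, Obj *parent, Obj *child, Bus *bus)
{
    memset(bus, 0, sizeof(*bus));
    obj_initialize(parent);
    obj_initialize(child);
    obj_add_child(parent, child);
    if (fixed) {
        obj_unref(child);
    }
    bus_attach(bus, child);
}

/* Child refcount right after initialization: 2 when leaky, 1 when fixed. */
static int child_ref_after_init(bool fixed)
{
    Obj parent, child;
    Bus bus;
    build(fixed, &parent, &child, &bus);
    return child.ref;
}

/* Bus entries left after the parent is destroyed. A non-zero result means the
 * bus still points at a child that was never finalized: the dangling link that
 * "info qtree" follows in the crash described in patch 3/5. */
static int stale_bus_entries(bool fixed)
{
    Obj parent, child;
    Bus bus;
    build(fixed, &parent, &child, &bus);
    obj_unref(&parent);               /* last reference: the parent finalizes */
    return bus.ndevices;
}

int main(void)
{
    printf("leaky: ref %d stale %d\n", child_ref_after_init(false), stale_bus_entries(false));
    printf("fixed: ref %d stale %d\n", child_ref_after_init(true), stale_bus_entries(true));
}
```

In the toy the dangling entry is only a count; in QEMU it is a pointer in the bus's child list that qdev_print() dereferences after the parent's memory is gone, which is why the symptom is a segmentation fault or a valgrind "Invalid read" rather than a leak report. The model also makes the ordering visible: the extra unref has to come after object_property_add_child() has taken its reference, never before.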
From: Thomas Huth
To: qemu-devel@nongnu.org, Peter Maydell, Paolo Bonzini
Cc: qemu-arm@nongnu.org, Markus Armbruster, Eduardo Habkost
Date: Thu, 12 Jul 2018 17:31:00 +0200
Message-Id: <1531409463-3843-3-git-send-email-thuth@redhat.com>
In-Reply-To: <1531409463-3843-1-git-send-email-thuth@redhat.com>
Subject: [Qemu-devel] [PATCH 2/5] hw/core/sysbus: Add a function for creating and attaching an object

A lot of functions are initializing an object and attaching it immediately afterwards to the system bus. Provide a common function for this, which also uses object_initialize_as_child() to make sure that the reference counter is correctly initialized to 1 afterwards.

Signed-off-by: Thomas Huth
---
 hw/core/sysbus.c | 8 ++++++++
 include/hw/sysbus.h | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c index ecfb0cf..c164318 100644 --- a/hw/core/sysbus.c +++ b/hw/core/sysbus.c
@@ -376,6 +376,14 @@ BusState *sysbus_get_default(void) return main_system_bus; } =20 +void sysbus_init_child_obj(Object *parent, const char *childname, void *ch= ild, + size_t childsize, const char *childtype) +{ + object_initialize_as_child(parent, childname, child, childsize, childt= ype, + &error_abort); + qdev_set_parent_bus(DEVICE(child), sysbus_get_default()); +} + static void sysbus_register_types(void) { type_register_static(&system_bus_info); diff --git a/include/hw/sysbus.h b/include/hw/sysbus.h index e88bb6d..e405232 100644 --- a/include/hw/sysbus.h +++ b/include/hw/sysbus.h 
@@ -96,6 +96,9 @@ void sysbus_add_io(SysBusDevice *dev, hwaddr addr, MemoryRegion *mem); MemoryRegion *sysbus_address_space(SysBusDevice *dev); =20 +void sysbus_init_child_obj(Object *parent, const char *childname, void *ch= ild, + size_t childsize, const char *childtype); + /* Call func for every dynamically created sysbus device in the system */ void foreach_dynamic_sysbus_device(FindSysbusDeviceFunc *func, void *opaqu= e); =20 --=20 1.8.3.1
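Review bot: sysbus_init_child_obj() in the hw/core/sysbus.c hunk casts the freshly initialized child with DEVICE() and passes &error_abort, so it is only correct when childtype names a TYPE_DEVICE subclass and when a property-name collision is a programming error. Both are reasonable for instance_init callers, but the "void *child" parameter hides the type requirement from the compiler, so the function should state both requirements in a comment.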
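Review bot: the declaration added in the include/hw/sysbus.h hunk has no doc comment, unlike object_initialize_as_child() in patch 1/5; a short comment saying that the child is added as a QOM child property named childname, attached to the default system bus and left with exactly one reference owned by parent would make the intended usage clear to the callers the later patches convert.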
From: Thomas Huth
To: qemu-devel@nongnu.org, Peter Maydell, Paolo Bonzini
Cc: qemu-arm@nongnu.org, Markus Armbruster, Eduardo Habkost
Date: Thu, 12 Jul 2018 17:31:01 +0200
Message-Id: <1531409463-3843-4-git-send-email-thuth@redhat.com>
In-Reply-To: <1531409463-3843-1-git-send-email-thuth@redhat.com>
Subject: [Qemu-devel] [PATCH 3/5] hw/arm/bcm2836: Fix crash with device_add bcm2837 on unsupported machines

When trying to "device_add bcm2837" on a machine that is not suitable for this device, you can quickly crash QEMU afterwards, e.g.
with "info qtree":

echo "{'execute':'qmp_capabilities'} {'execute':'device_add', " \
     "'arguments':{'driver':'bcm2837'}} {'execute': 'human-monitor-command', " \
     "'arguments': {'command-line': 'info qtree'}}" | \
     aarch64-softmmu/qemu-system-aarch64 -M integratorcp,accel=qtest -S -qmp stdio

{"QMP": {"version": {"qemu": {"micro": 50, "minor": 12, "major": 2}, "package": "build-all"}, "capabilities": []}}
{"return": {}}
{"error": {"class": "GenericError", "desc": "Device 'bcm2837' can not be hotplugged on this machine"}}
Segmentation fault (core dumped)

The qdev_set_parent_bus() from instance_init adds a link to the child devices which is not valid anymore after the bcm2837 instance has been destroyed. Unfortunately, the child devices do not get destroyed / unlinked correctly because both object_initialize() and object_property_add_child() increase the reference count of the child objects by one, but only one reference is dropped when the parent gets removed.

So let's use the new functions object_initialize_as_child() and sysbus_init_child_obj() instead to create the objects, which will take care of creating the child objects with the correct reference count of one.

Signed-off-by: Thomas Huth
---
 hw/arm/bcm2836.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c index 6805a7d..b62adeb 100644 --- a/hw/arm/bcm2836.c +++ b/hw/arm/bcm2836.c
@@ -51,25 +51,20 @@ static void bcm2836_init(Object *obj) int n; =20 for (n =3D 0; n < BCM283X_NCPUS; n++) { - object_initialize(&s->cpus[n], sizeof(s->cpus[n]), - info->cpu_type); - object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]), - &error_abort); + object_initialize_as_child(obj, "cpu[*]", &s->cpus[n], + sizeof(s->cpus[n]), info->cpu_type, + &error_abort); } =20 - object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTRO= L); - object_property_add_child(obj, "control", OBJECT(&s->control), NULL); - qdev_set_parent_bus(DEVICE(&s->control), sysbus_get_default()); + sysbus_init_child_obj(obj, "control", &s->control, sizeof(s->control), + TYPE_BCM2836_CONTROL); =20 - object_initialize(&s->peripherals, sizeof(s->peripherals), - TYPE_BCM2835_PERIPHERALS); - object_property_add_child(obj, "peripherals", OBJECT(&s->peripherals), - &error_abort); + sysbus_init_child_obj(obj, "peripherals", &s->peripherals, + sizeof(s->peripherals), TYPE_BCM2835_PERIPHERALS= ); object_property_add_alias(obj, "board-rev", OBJECT(&s->peripherals), "board-rev", &error_abort); object_property_add_alias(obj, "vcram-size", OBJECT(&s->peripherals), "vcram-size", &error_abort); - qdev_set_parent_bus(DEVICE(&s->peripherals), sysbus_get_default()); } =20 static void bcm2836_realize(DeviceState *dev, Error **errp) --=20 1.8.3.1
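Review bot: for the "control" child the old code passed NULL as errp to object_property_add_child(), while sysbus_init_child_obj() uses &error_abort, so an add failure now aborts instead of being silently ignored; that matches how "peripherals" was already handled, but it is a behaviour change and deserves a sentence in the commit message. Moving the qdev_set_parent_bus() of "peripherals" ahead of the two object_property_add_alias() calls looks harmless, since the aliases do not depend on the bus.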
From: Thomas Huth
To: qemu-devel@nongnu.org, Peter Maydell, Paolo Bonzini
Cc: qemu-arm@nongnu.org, Markus Armbruster, Eduardo Habkost
Date: Thu, 12 Jul 2018 17:31:02 +0200
Message-Id: <1531409463-3843-5-git-send-email-thuth@redhat.com>
In-Reply-To: <1531409463-3843-1-git-send-email-thuth@redhat.com>
Subject: [Qemu-devel] [PATCH 4/5] hw/arm/armv7: Fix crash when introspecting the "iotkit" device

QEMU currently crashes when introspecting the "iotkit" device and running "info qtree" afterwards, e.g. when running QEMU like this:

echo "{'execute':'qmp_capabilities'} {'execute':'device-list-properties'," \
     "'arguments':{'typename':'iotkit'}}" "{'execute': 'human-monitor-command', " \
     "'arguments': {'command-line': 'info qtree'}}" | \
     aarch64-softmmu/qemu-system-aarch64 -M none,accel=qtest -qmp stdio

Use the new functions object_initialize_as_child() and sysbus_init_child_obj() to make sure that all objects get cleaned up correctly when the instances are destroyed.
Signed-off-by: Thomas Huth --- hw/arm/armv7m.c | 9 ++++--- hw/arm/iotkit.c | 74 ++++++++++++++++++++++-------------------------= ---- hw/intc/armv7m_nvic.c | 5 ++-- 3 files changed, 39 insertions(+), 49 deletions(-) diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c index 9e00d40..7164e04 100644 --- a/hw/arm/armv7m.c +++ b/hw/arm/armv7m.c @@ -134,14 +134,15 @@ static void armv7m_instance_init(Object *obj) =20 memory_region_init(&s->container, obj, "armv7m-container", UINT64_MAX); =20 - object_initialize(&s->nvic, sizeof(s->nvic), TYPE_NVIC); - qdev_set_parent_bus(DEVICE(&s->nvic), sysbus_get_default()); + sysbus_init_child_obj(obj, "nvnic", &s->nvic, sizeof(s->nvic), TYPE_NV= IC); object_property_add_alias(obj, "num-irq", OBJECT(&s->nvic), "num-irq", &error_abort); =20 for (i =3D 0; i < ARRAY_SIZE(s->bitband); i++) { - object_initialize(&s->bitband[i], sizeof(s->bitband[i]), TYPE_BITB= AND); - qdev_set_parent_bus(DEVICE(&s->bitband[i]), sysbus_get_default()); + char *name =3D g_strdup_printf("bitband-%d", i); + sysbus_init_child_obj(obj, name, &s->bitband[i], sizeof(s->bitband= [i]), + TYPE_BITBAND); + g_free(name); } } =20 diff --git a/hw/arm/iotkit.c b/hw/arm/iotkit.c index 133d5bb..d479323 100644 --- a/hw/arm/iotkit.c +++ b/hw/arm/iotkit.c @@ -30,15 +30,6 @@ static void make_alias(IoTKit *s, MemoryRegion *mr, cons= t char *name, memory_region_add_subregion_overlap(&s->container, base, mr, -1500); } =20 -static void init_sysbus_child(Object *parent, const char *childname, - void *child, size_t childsize, - const char *childtype) -{ - object_initialize(child, childsize, childtype); - object_property_add_child(parent, childname, OBJECT(child), &error_abo= rt); - qdev_set_parent_bus(DEVICE(child), sysbus_get_default()); -} - static void irq_status_forwarder(void *opaque, int n, int level) { qemu_irq destirq =3D opaque; 
@@ -119,53 +110,52 @@ static void iotkit_init(Object *obj) =20 memory_region_init(&s->container, obj, "iotkit-container", UINT64_MAX); =20 - init_sysbus_child(obj, "armv7m", &s->armv7m, sizeof(s->armv7m), - TYPE_ARMV7M); + sysbus_init_child_obj(obj, "armv7m", &s->armv7m, sizeof(s->armv7m), + TYPE_ARMV7M); qdev_prop_set_string(DEVICE(&s->armv7m), "cpu-type", ARM_CPU_TYPE_NAME("cortex-m33")); =20 - init_sysbus_child(obj, "secctl", &s->secctl, sizeof(s->secctl), - TYPE_IOTKIT_SECCTL); - init_sysbus_child(obj, "apb-ppc0", &s->apb_ppc0, sizeof(s->apb_ppc0), - TYPE_TZ_PPC); - init_sysbus_child(obj, "apb-ppc1", &s->apb_ppc1, sizeof(s->apb_ppc1), - TYPE_TZ_PPC); - init_sysbus_child(obj, "mpc", &s->mpc, sizeof(s->mpc), TYPE_TZ_MPC); - object_initialize(&s->mpc_irq_orgate, sizeof(s->mpc_irq_orgate), - TYPE_OR_IRQ); - object_property_add_child(obj, "mpc-irq-orgate", - OBJECT(&s->mpc_irq_orgate), &error_abort); + sysbus_init_child_obj(obj, "secctl", &s->secctl, sizeof(s->secctl), + TYPE_IOTKIT_SECCTL); + sysbus_init_child_obj(obj, "apb-ppc0", &s->apb_ppc0, sizeof(s->apb_ppc= 0), + TYPE_TZ_PPC); + sysbus_init_child_obj(obj, "apb-ppc1", &s->apb_ppc1, sizeof(s->apb_ppc= 1), + TYPE_TZ_PPC); + sysbus_init_child_obj(obj, "mpc", &s->mpc, sizeof(s->mpc), TYPE_TZ_MPC= ); + object_initialize_as_child(obj, "mpc-irq-orgate", &s->mpc_irq_orgate, + sizeof(s->mpc_irq_orgate), TYPE_OR_IRQ, + &error_abort); + for (i =3D 0; i < ARRAY_SIZE(s->mpc_irq_splitter); i++) { char *name =3D g_strdup_printf("mpc-irq-splitter-%d", i); SplitIRQ *splitter =3D &s->mpc_irq_splitter[i]; =20 - object_initialize(splitter, sizeof(*splitter), TYPE_SPLIT_IRQ); - object_property_add_child(obj, name, OBJECT(splitter), &error_abor= t); + object_initialize_as_child(obj, name, splitter, sizeof(*splitter), + TYPE_SPLIT_IRQ, &error_abort); g_free(name); } - init_sysbus_child(obj, "timer0", &s->timer0, sizeof(s->timer0), - TYPE_CMSDK_APB_TIMER); - init_sysbus_child(obj, "timer1", &s->timer1, sizeof(s->timer1), - 
TYPE_CMSDK_APB_TIMER); - init_sysbus_child(obj, "dualtimer", &s->dualtimer, sizeof(s->dualtimer= ), - TYPE_UNIMPLEMENTED_DEVICE); - object_initialize(&s->ppc_irq_orgate, sizeof(s->ppc_irq_orgate), - TYPE_OR_IRQ); - object_property_add_child(obj, "ppc-irq-orgate", - OBJECT(&s->ppc_irq_orgate), &error_abort); - object_initialize(&s->sec_resp_splitter, sizeof(s->sec_resp_splitter), - TYPE_SPLIT_IRQ); - object_property_add_child(obj, "sec-resp-splitter", - OBJECT(&s->sec_resp_splitter), &error_abort); + sysbus_init_child_obj(obj, "timer0", &s->timer0, sizeof(s->timer0), + TYPE_CMSDK_APB_TIMER); + sysbus_init_child_obj(obj, "timer1", &s->timer1, sizeof(s->timer1), + TYPE_CMSDK_APB_TIMER); + sysbus_init_child_obj(obj, "dualtimer", &s->dualtimer, sizeof(s->dualt= imer), + TYPE_UNIMPLEMENTED_DEVICE); + object_initialize_as_child(obj, "ppc-irq-orgate", &s->ppc_irq_orgate, + sizeof(s->ppc_irq_orgate), TYPE_OR_IRQ, + &error_abort); + object_initialize_as_child(obj, "sec-resp-splitter", &s->sec_resp_spli= tter, + sizeof(s->sec_resp_splitter), TYPE_SPLIT_IR= Q, + &error_abort); for (i =3D 0; i < ARRAY_SIZE(s->ppc_irq_splitter); i++) { char *name =3D g_strdup_printf("ppc-irq-splitter-%d", i); SplitIRQ *splitter =3D &s->ppc_irq_splitter[i]; =20 - object_initialize(splitter, sizeof(*splitter), TYPE_SPLIT_IRQ); - object_property_add_child(obj, name, OBJECT(splitter), &error_abor= t); + object_initialize_as_child(obj, name, splitter, sizeof(*splitter), + TYPE_SPLIT_IRQ, &error_abort); + g_free(name); } - init_sysbus_child(obj, "s32ktimer", &s->s32ktimer, sizeof(s->s32ktimer= ), - TYPE_UNIMPLEMENTED_DEVICE); + sysbus_init_child_obj(obj, "s32ktimer", &s->s32ktimer, sizeof(s->s32kt= imer), + TYPE_UNIMPLEMENTED_DEVICE); } =20 static void iotkit_exp_irq(void *opaque, int n, int level) diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c index 661be88..7a5330f 100644 --- a/hw/intc/armv7m_nvic.c +++ b/hw/intc/armv7m_nvic.c 
@@ -2296,9 +2296,8 @@ static void armv7m_nvic_instance_init(Object *obj) NVICState *nvic =3D NVIC(obj); SysBusDevice *sbd =3D SYS_BUS_DEVICE(obj); =20 - object_initialize(&nvic->systick[M_REG_NS], - sizeof(nvic->systick[M_REG_NS]), TYPE_SYSTICK); - qdev_set_parent_bus(DEVICE(&nvic->systick[M_REG_NS]), sysbus_get_defau= lt()); + sysbus_init_child_obj(obj, "systick-reg-ns", &nvic->systick[M_REG_NS], + sizeof(nvic->systick[M_REG_NS]), TYPE_SYSTICK); /* We can't initialize the secure systick here, as we don't know * yet if we need it. */ --=20 1.8.3.1
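Review bot: in the hw/arm/armv7m.c hunk the child property name "nvnic" looks like a typo for "nvic"; the name becomes part of the QOM path that qom-list and "info qtree" show, so it should be corrected before this lands rather than renamed later.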
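Review bot: the hw/arm/iotkit.c hunk at @@ -119,53 adds g_free(name) to the ppc_irq_splitter loop, where the old code leaked the string from g_strdup_printf() on every iteration (the mpc_irq_splitter loop already freed it); that is a separate leak fix and should be mentioned in the commit message. The same hunk also adds a stray blank "+" line after the "mpc-irq-orgate" initialization.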
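Review bot: the hw/intc/armv7m_nvic.c hunk gives the non-secure systick the child name "systick-reg-ns"; the comment kept in the hunk says the secure systick is initialized later once it is known to be needed, so that path should go through the same helper with a matching name (for instance "systick-reg-s"), otherwise the two instances end up with inconsistent QOM paths and the secure one keeps the old two-reference pattern.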
From: Thomas Huth
To: qemu-devel@nongnu.org, Peter Maydell, Paolo Bonzini
Cc: qemu-arm@nongnu.org, Markus Armbruster, Eduardo Habkost
Date: Thu, 12 Jul 2018 17:31:03 +0200
Message-Id: <1531409463-3843-6-git-send-email-thuth@redhat.com>
In-Reply-To: <1531409463-3843-1-git-send-email-thuth@redhat.com>
Subject: [Qemu-devel] [PATCH 5/5] hw/cpu/a15mpcore: Fix introspection problem with the a15mpcore_priv device

There is a memory management problem when introspecting the a15mpcore_priv device.
It can be seen with valgrind when running QEMU like this:

echo "{'execute':'qmp_capabilities'} {'execute':'device-list-properties'," \
     "'arguments':{'typename':'a15mpcore_priv'}}"\
     "{'execute': 'human-monitor-command', " \
     "'arguments': {'command-line': 'info qtree'}}" | \
     valgrind -q aarch64-softmmu/qemu-system-aarch64 -M none,accel=qtest -qmp stdio

{"QMP": {"version": {"qemu": {"micro": 50, "minor": 12, "major": 2}, "package": "build-all"}, "capabilities": []}}
{"return": {}}
{"return": [{"name": "num-cpu", "type": "uint32"}, {"name": "num-irq", "type": "uint32"}, {"name": "a15mp-priv-container[0]", "type": "child"}]}
==24978== Invalid read of size 8
==24978==    at 0x618EBA: qdev_print (qdev-monitor.c:686)
==24978==    by 0x618EBA: qbus_print (qdev-monitor.c:719)
[...]

Use the new sysbus_init_child_obj() function to make sure that we get the reference counting of the child objects right.

Signed-off-by: Thomas Huth
---
 hw/cpu/a15mpcore.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/hw/cpu/a15mpcore.c b/hw/cpu/a15mpcore.c index bc05152..43c1079 100644 --- a/hw/cpu/a15mpcore.c +++ b/hw/cpu/a15mpcore.c @@ -35,15 +35,13 @@ static void a15mp_priv_initfn(Object *obj) { SysBusDevice *sbd =3D SYS_BUS_DEVICE(obj); A15MPPrivState *s =3D A15MPCORE_PRIV(obj); - DeviceState *gicdev; =20 memory_region_init(&s->container, obj, "a15mp-priv-container", 0x8000); sysbus_init_mmio(sbd, &s->container); =20 - object_initialize(&s->gic, sizeof(s->gic), gic_class_name()); - gicdev =3D DEVICE(&s->gic); - qdev_set_parent_bus(gicdev, sysbus_get_default()); - qdev_prop_set_uint32(gicdev, "revision", 2); + sysbus_init_child_obj(obj, "gic", &s->gic, sizeof(s->gic), + gic_class_name()); + qdev_prop_set_uint32(DEVICE(&s->gic), "revision", 2); } =20 static void a15mp_priv_realize(DeviceState *dev, Error **errp) --=20 1.8.3.1
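Review bot: with the GIC now registered as the child property "gic", the device-list-properties output quoted in the commit message will gain a {"name": "gic", "type": "child"} entry, and the commit message should state that the valgrind run it quotes is clean after this change, since that is the evidence the fix works. Dropping the gicdev local and calling qdev_prop_set_uint32() on DEVICE(&s->gic) directly is equivalent to the old code.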