Patchwork qom: fix refcounting in object_property_del_child()

login
register
mail settings
Submitter Amos Kong
Date May 11, 2012, 2:15 a.m.
Message ID <20120511021531.14819.78211.stgit@t>
Download mbox | patch
Permalink /patch/158422/
State New
Headers show

Comments

Amos Kong - May 11, 2012, 2:15 a.m.
Start VM with 8 multiple-function block devs, hot-removing
those block devs by 'device_del ...' would cause qemu abort.

object_ref() is called in object_property_add_child(),
but we don't unref it in object_property_del_child().

| (qemu) device_del virti0-0-0
| (qemu) **
| ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)

Signed-off-by: Amos Kong <akong@redhat.com>
---
 qom/object.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
Paolo Bonzini - May 11, 2012, 6:42 a.m.
Il 11/05/2012 04:15, Amos Kong ha scritto:
> Start VM with 8 multiple-function block devs, hot-removing
> those block devs by 'device_del ...' would cause qemu abort.
> 
> object_ref() is called in object_property_add_child(),
> but we don't unref it in object_property_del_child().
> 
> | (qemu) device_del virti0-0-0
> | (qemu) **
> | ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
> 
> Signed-off-by: Amos Kong <akong@redhat.com>
> ---
>  qom/object.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/qom/object.c b/qom/object.c
> index e721fc2..9da6b59 100644
> --- a/qom/object.c
> +++ b/qom/object.c
> @@ -320,6 +320,7 @@ static void object_property_del_child(Object *obj, Object *child, Error **errp)
>      QTAILQ_FOREACH(prop, &obj->properties, node) {
>          if (strstart(prop->type, "child<", NULL) && prop->opaque == child) {
>              object_property_del(obj, prop->name, errp);
> +            object_unref(child);

This should be called by object_finalize_child_property instead, can you
check why this is not the case?

Paolo

>              break;
>          }
>      }
>
Amos Kong - May 11, 2012, 2:52 p.m.
On 05/11/2012 02:42 PM, Paolo Bonzini wrote:
> Il 11/05/2012 04:15, Amos Kong ha scritto:
>> Start VM with 8 multiple-function block devs, hot-removing
>> those block devs by 'device_del ...' would cause qemu abort.
>>
>> object_ref() is called in object_property_add_child(),
>> but we don't unref it in object_property_del_child().
>>
>> | (qemu) device_del virti0-0-0
>> | (qemu) **
>> | ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
>>
>> Signed-off-by: Amos Kong <akong@redhat.com>
>> ---
>>  qom/object.c |    1 +
>>  1 files changed, 1 insertions(+), 0 deletions(-)
>>
>> diff --git a/qom/object.c b/qom/object.c
>> index e721fc2..9da6b59 100644
>> --- a/qom/object.c
>> +++ b/qom/object.c
>> @@ -320,6 +320,7 @@ static void object_property_del_child(Object *obj, Object *child, Error **errp)
>>      QTAILQ_FOREACH(prop, &obj->properties, node) {
>>          if (strstart(prop->type, "child<", NULL) && prop->opaque == child) {
>>              object_property_del(obj, prop->name, errp);
>> +            object_unref(child);
> 
> This should be called by object_finalize_child_property instead, can you
> check why this is not the case?

Yes, original ref/unref are right.
I will post another patch to fix this issue.


NAK this patch.


> Paolo

Thanks!

Patch

diff --git a/qom/object.c b/qom/object.c
index e721fc2..9da6b59 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -320,6 +320,7 @@  static void object_property_del_child(Object *obj, Object *child, Error **errp)
     QTAILQ_FOREACH(prop, &obj->properties, node) {
         if (strstart(prop->type, "child<", NULL) && prop->opaque == child) {
             object_property_del(obj, prop->name, errp);
+            object_unref(child);
             break;
         }
     }