Patchwork [v3] pci: call object_unparent() before free_qdev()

Submitter Jianjun Kong
Date May 20, 2012, 9:57 a.m.
Message ID <1337507865-28504-1-git-send-email-kongjianjun@gmail.com>
Permalink /patch/160252/
State New

Comments

Jianjun Kong - May 20, 2012, 9:57 a.m.
Start VM with 8 multiple-function block devs, hot-removing
those block devs by 'device_del ...' would cause qemu abort.

| (qemu) device_del virti0-0-0
| (qemu) **
|ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)

It's a regression introduced by commit 57c9fafe

The whole PCI slot should be removed once. Currently only one func
is cleaned in pci_unplug_device(), if you try to remove a single
func by monitor cmd.

free_qdev() are called for all functions in slot,
but unparent_delete() is only called for one
function.

---
aliguori has a better resolution, better to do it in 1.2

v2: fix warning: too many arguments for format
v3: move object_unparent() to acpi_piix_eject_slot()

Signed-off-by: Amos Kong <kongjianjun@gmail.com>
---
 hw/acpi_piix4.c |    1 +
 hw/pci.c        |    1 -
 2 files changed, 1 insertions(+), 1 deletions(-)
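
The failure described in the commit message above, as an added example that is not part of the original post and is not QEMU code: a simplified reference-count model in which every function of a slot is deleted but only the function named in device_del has had its parent link dropped. All toy_* names are hypothetical, and the model assumes the parent's link is the only outstanding reference at eject time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SLOT_FUNCS 8 /* constructed sample: one slot with 8 functions */

/* Toy object (hypothetical): ref counts holders, has_parent is the owner's link. */
struct toy_obj { int ref; bool has_parent; };

/* Drop the parent's reference; safe to call twice. */
static void toy_unparent(struct toy_obj *o)
{
    if (o->has_parent) {
        o->has_parent = false;
        o->ref--;
    }
}

/* Models the check behind "assertion failed: (obj->ref == 0)".
 * Returns false instead of aborting so the caller can count failures. */
static bool toy_delete(const struct toy_obj *o)
{
    return o->ref == 0;
}

/* Eject a whole slot and return how many deletes would have asserted.
 * unparent_all == false: only the named function is unparented (pre-patch flow).
 * unparent_all == true: each function is unparented right before its delete. */
static int toy_eject_slot(size_t named, bool unparent_all)
{
    struct toy_obj f[SLOT_FUNCS];
    int failed = 0;

    for (size_t i = 0; i < SLOT_FUNCS; i++)
        f[i] = (struct toy_obj){ .ref = 1, .has_parent = true };
    if (!unparent_all)
        toy_unparent(&f[named]);
    for (size_t i = 0; i < SLOT_FUNCS; i++) {
        if (unparent_all)
            toy_unparent(&f[i]);
        if (!toy_delete(&f[i]))
            failed++;
    }
    return failed;
}

int main(void)
{
    printf("unparent named function only: %d failed deletes\n", toy_eject_slot(0, false));
    printf("unparent every function:      %d failed deletes\n", toy_eject_slot(0, true));
    return 0;
}
```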
Michael S. Tsirkin - May 20, 2012, 10:22 a.m.
On Sun, May 20, 2012 at 05:57:45PM +0800, Amos Kong wrote:
> Start VM with 8 multiple-function block devs, hot-removing
> those block devs by 'device_del ...' would cause qemu abort.
> 
> | (qemu) device_del virti0-0-0
> | (qemu) **
> |ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
> 
> It's a regression introduced by commit 57c9fafe
> 
> The whole PCI slot should be removed once. Currently only one func
> is cleaned in pci_unplug_device(), if you try to remove a single
> func by monitor cmd.
> 
> free_qdev() are called for all functions in slot,
> but unparent_delete() is only called for one
> function.
> 
> ---
> aliguori has a better resolution, better to do it in 1.2
> 
> v2: fix warning: too many arguments for format
> v3: move object_unparent() to acpi_piix_eject_slot()
> 
> Signed-off-by: Amos Kong <kongjianjun@gmail.com>

commit is mangled up a bit.  It should be:

subject: xxxx

commit log

Signed-off-by: XXXX

--- 

Versioning info

diff


No need to repost just for that. But we also need to update other pci
hotplug users: hw//shpc.c hw//pcie.c
Not sure about pci-hotplug.c (calls qdev_free on error
handling) - add a virtio blk function with wrong drive
parameter using pci_add and see. Anything else?

> ---
>  hw/acpi_piix4.c |    1 +
>  hw/pci.c        |    1 -
>  2 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
> index 585da4e..0345490 100644
> --- a/hw/acpi_piix4.c
> +++ b/hw/acpi_piix4.c
> @@ -299,6 +299,7 @@ static void acpi_piix_eject_slot(PIIX4PMState *s, unsigned slots)
>              if (pc->no_hotplug) {
>                  slot_free = false;
>              } else {
> +                object_unparent(OBJECT(dev));
>                  qdev_free(qdev);
>              }
>          }
> diff --git a/hw/pci.c b/hw/pci.c
> index b706e69..c1ebdde 100644
> --- a/hw/pci.c
> +++ b/hw/pci.c
> @@ -1527,7 +1527,6 @@ static int pci_unplug_device(DeviceState *qdev)
>          qerror_report(QERR_DEVICE_NO_HOTPLUG, object_get_typename(OBJECT(dev)));
>          return -1;
>      }
> -    object_unparent(OBJECT(dev));
>      return dev->bus->hotplug(dev->bus->hotplug_qdev, dev,
>                               PCI_HOTPLUG_DISABLED);
>  }
> -- 
> 1.7.1
Anthony Liguori - May 30, 2012, 2:13 a.m.
On 05/20/2012 05:57 PM, Amos Kong wrote:
> Start VM with 8 multiple-function block devs, hot-removing
> those block devs by 'device_del ...' would cause qemu abort.
>
> | (qemu) device_del virti0-0-0
> | (qemu) **
> |ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
>
> It's a regression introduced by commit 57c9fafe
>
> The whole PCI slot should be removed once. Currently only one func
> is cleaned in pci_unplug_device(), if you try to remove a single
> func by monitor cmd.
>
> free_qdev() are called for all functions in slot,
> but unparent_delete() is only called for one
> function.
>
> ---
> aliguori has a better resolution, better to do it in 1.2
>
> v2: fix warning: too many arguments for format
> v3: move object_unparent() to acpi_piix_eject_slot()
>
> Signed-off-by: Amos Kong<kongjianjun@gmail.com>

Applied.  Thanks.

Regards,

Anthony Liguori

> ---
>   hw/acpi_piix4.c |    1 +
>   hw/pci.c        |    1 -
>   2 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
> index 585da4e..0345490 100644
> --- a/hw/acpi_piix4.c
> +++ b/hw/acpi_piix4.c
> @@ -299,6 +299,7 @@ static void acpi_piix_eject_slot(PIIX4PMState *s, unsigned slots)
>               if (pc->no_hotplug) {
>                   slot_free = false;
>               } else {
> +                object_unparent(OBJECT(dev));
>                   qdev_free(qdev);
>               }
>           }
> diff --git a/hw/pci.c b/hw/pci.c
> index b706e69..c1ebdde 100644
> --- a/hw/pci.c
> +++ b/hw/pci.c
> @@ -1527,7 +1527,6 @@ static int pci_unplug_device(DeviceState *qdev)
>           qerror_report(QERR_DEVICE_NO_HOTPLUG, object_get_typename(OBJECT(dev)));
>           return -1;
>       }
> -    object_unparent(OBJECT(dev));
>       return dev->bus->hotplug(dev->bus->hotplug_qdev, dev,
>                                PCI_HOTPLUG_DISABLED);
>   }
Michael S. Tsirkin - May 30, 2012, 5:14 a.m.
On Wed, May 30, 2012 at 10:13:07AM +0800, Anthony Liguori wrote:
> On 05/20/2012 05:57 PM, Amos Kong wrote:
> >Start VM with 8 multiple-function block devs, hot-removing
> >those block devs by 'device_del ...' would cause qemu abort.
> >
> >| (qemu) device_del virti0-0-0
> >| (qemu) **
> >|ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
> >
> >It's a regression introduced by commit 57c9fafe
> >
> >The whole PCI slot should be removed once. Currently only one func
> >is cleaned in pci_unplug_device(), if you try to remove a single
> >func by monitor cmd.
> >
> >free_qdev() are called for all functions in slot,
> >but unparent_delete() is only called for one
> >function.
> >
> >---
> >aliguori has a better resolution, better to do it in 1.2
> >
> >v2: fix warning: too many arguments for format
> >v3: move object_unparent() to acpi_piix_eject_slot()
> >
> >Signed-off-by: Amos Kong<kongjianjun@gmail.com>
> 
> Applied.  Thanks.
> 
> Regards,
> 
> Anthony Liguori
> 
> >---
> >  hw/acpi_piix4.c |    1 +
> >  hw/pci.c        |    1 -
> >  2 files changed, 1 insertions(+), 1 deletions(-)
> >
> >diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
> >index 585da4e..0345490 100644
> >--- a/hw/acpi_piix4.c
> >+++ b/hw/acpi_piix4.c
> >@@ -299,6 +299,7 @@ static void acpi_piix_eject_slot(PIIX4PMState *s, unsigned slots)
> >              if (pc->no_hotplug) {
> >                  slot_free = false;
> >              } else {
> >+                object_unparent(OBJECT(dev));
> >                  qdev_free(qdev);
> >              }
> >          }

Does shpc need this too now?

> >diff --git a/hw/pci.c b/hw/pci.c
> >index b706e69..c1ebdde 100644
> >--- a/hw/pci.c
> >+++ b/hw/pci.c
> >@@ -1527,7 +1527,6 @@ static int pci_unplug_device(DeviceState *qdev)
> >          qerror_report(QERR_DEVICE_NO_HOTPLUG, object_get_typename(OBJECT(dev)));
> >          return -1;
> >      }
> >-    object_unparent(OBJECT(dev));
> >      return dev->bus->hotplug(dev->bus->hotplug_qdev, dev,
> >                               PCI_HOTPLUG_DISABLED);
> >  }
Michael S. Tsirkin - May 30, 2012, 8:59 a.m.
On Wed, May 30, 2012 at 08:14:03AM +0300, Michael S. Tsirkin wrote:
> On Wed, May 30, 2012 at 10:13:07AM +0800, Anthony Liguori wrote:
> > On 05/20/2012 05:57 PM, Amos Kong wrote:
> > >Start VM with 8 multiple-function block devs, hot-removing
> > >those block devs by 'device_del ...' would cause qemu abort.
> > >
> > >| (qemu) device_del virti0-0-0
> > >| (qemu) **
> > >|ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
> > >
> > >It's a regression introduced by commit 57c9fafe
> > >
> > >The whole PCI slot should be removed once. Currently only one func
> > >is cleaned in pci_unplug_device(), if you try to remove a single
> > >func by monitor cmd.
> > >
> > >free_qdev() are called for all functions in slot,
> > >but unparent_delete() is only called for one
> > >function.
> > >
> > >---
> > >aliguori has a better resolution, better to do it in 1.2
> > >
> > >v2: fix warning: too many arguments for format
> > >v3: move object_unparent() to acpi_piix_eject_slot()
> > >
> > >Signed-off-by: Amos Kong<kongjianjun@gmail.com>
> > 
> > Applied.  Thanks.
> > 
> > Regards,
> > 
> > Anthony Liguori


BTW git log shows for this commit:
    Signed-off-by: XXXX

Any idea why?
Jason Baron - June 4, 2012, 8:15 p.m.
On Sun, May 20, 2012 at 05:57:45PM +0800, Amos Kong wrote:
> Start VM with 8 multiple-function block devs, hot-removing
> those block devs by 'device_del ...' would cause qemu abort.
> 
> | (qemu) device_del virti0-0-0
> | (qemu) **
> |ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
> 
> It's a regression introduced by commit 57c9fafe
> 

I found a similar assertion where the parent reference isn't cleared,
doing:

(qemu) device_add pci-bridge

in the monitor. I posted for patches for it under:

Subject: [Qemu-devel] [PATCH 0/2] pci: hotplug bridge fixes

It's still an issue with the current tree.

Thanks,

-Jason
Michael S. Tsirkin - June 4, 2012, 9:52 p.m.
On Mon, Jun 04, 2012 at 04:15:56PM -0400, Jason Baron wrote:
> On Sun, May 20, 2012 at 05:57:45PM +0800, Amos Kong wrote:
> > Start VM with 8 multiple-function block devs, hot-removing
> > those block devs by 'device_del ...' would cause qemu abort.
> > 
> > | (qemu) device_del virti0-0-0
> > | (qemu) **
> > |ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
> > 
> > It's a regression introduced by commit 57c9fafe
> > 
> 
> I found a similar assertion where the parent reference isn't cleared,
> doing:
> 
> (qemu) device_add pci-bridge
> 
> in the monitor. I posted for patches for it under:
> 
> Subject: [Qemu-devel] [PATCH 0/2] pci: hotplug bridge fixes
> 
> It's still an issue with the current tree.
> 
> Thanks,
> 
> -Jason

I pushed your patches on my tree pci branch, care to test
there?
Jason Baron - June 7, 2012, 2:06 p.m.
On Tue, Jun 05, 2012 at 12:52:02AM +0300, Michael S. Tsirkin wrote:
> On Mon, Jun 04, 2012 at 04:15:56PM -0400, Jason Baron wrote:
> > On Sun, May 20, 2012 at 05:57:45PM +0800, Amos Kong wrote:
> > > Start VM with 8 multiple-function block devs, hot-removing
> > > those block devs by 'device_del ...' would cause qemu abort.
> > > 
> > > | (qemu) device_del virti0-0-0
> > > | (qemu) **
> > > |ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
> > > 
> > > It's a regression introduced by commit 57c9fafe
> > > 
> > 
> > I found a similar assertion where the parent reference isn't cleared,
> > doing:
> > 
> > (qemu) device_add pci-bridge
> > 
> > in the monitor. I posted for patches for it under:
> > 
> > Subject: [Qemu-devel] [PATCH 0/2] pci: hotplug bridge fixes
> > 
> > It's still an issue with the current tree.
> > 
> > Thanks,
> > 
> > -Jason
> 
> I pushed your patches on my tree pci branch, care to test
> there?
> 

Yes, fixes are confirmed.

Test case is quite simple:

(qemu) device_add pci_bridge

causes segfault without the 2 patches applied.

Thanks,

-Jason

Patch

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 585da4e..0345490 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -299,6 +299,7 @@  static void acpi_piix_eject_slot(PIIX4PMState *s, unsigned slots)
             if (pc->no_hotplug) {
                 slot_free = false;
             } else {
+                object_unparent(OBJECT(dev));
                 qdev_free(qdev);
             }
         }
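Review bot: The new object_unparent(OBJECT(dev)) in the else branch of acpi_piix_eject_slot() carries no comment explaining that it must precede qdev_free(qdev), so the ordering requirement behind the obj->ref == 0 assertion is easy to lose in a later cleanup. Add a one-line comment, and consider a small helper that performs both calls so other hotplug handlers that free devices cannot omit the first one. The two calls also use different handles (dev and qdev); if they refer to the same device, passing OBJECT(qdev) would make the pairing easier to read.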
diff --git a/hw/pci.c b/hw/pci.c
index b706e69..c1ebdde 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1527,7 +1527,6 @@  static int pci_unplug_device(DeviceState *qdev)
         qerror_report(QERR_DEVICE_NO_HOTPLUG, object_get_typename(OBJECT(dev)));
         return -1;
     }
-    object_unparent(OBJECT(dev));
     return dev->bus->hotplug(dev->bus->hotplug_qdev, dev,
                              PCI_HOTPLUG_DISABLED);
 }
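Review bot: Removing object_unparent(OBJECT(dev)) from pci_unplug_device() means every callback reached through dev->bus->hotplug must now unparent the device before freeing it, yet this patch updates only acpi_piix_eject_slot(). Convert the other hotplug callbacks in the same series (the review thread asks about shpc and pcie) or keep a fallback on this path, and document the new contract next to the dev->bus->hotplug call so that future hotplug implementations do not hit the same assertion.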