From patchwork Tue Feb  9 22:01:29 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Anthony Liguori <aliguori@us.ibm.com>
X-Patchwork-Id: 44966
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [199.232.76.165])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id A4179B7D07
	for <incoming@patchwork.ozlabs.org>;
	Wed, 10 Feb 2010 09:08:36 +1100 (EST)
Received: from localhost ([127.0.0.1]:38714 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NeyFx-000626-Ea
	for incoming@patchwork.ozlabs.org; Tue, 09 Feb 2010 17:08:29 -0500
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1Ney9a-00028Q-Ql
	for qemu-devel@nongnu.org; Tue, 09 Feb 2010 17:01:54 -0500
Received: from [199.232.76.173] (port=52474 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Ney9a-000280-6q
	for qemu-devel@nongnu.org; Tue, 09 Feb 2010 17:01:54 -0500
Received: from Debian-exim by monty-python.gnu.org with spam-scanned (Exim
	4.60) (envelope-from <aliguori@us.ibm.com>) id 1Ney9Y-0005n8-Qz
	for qemu-devel@nongnu.org; Tue, 09 Feb 2010 17:01:53 -0500
Received: from e7.ny.us.ibm.com ([32.97.182.137]:40014)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60)
	(envelope-from <aliguori@us.ibm.com>) id 1Ney9Y-0005mX-HE
	for qemu-devel@nongnu.org; Tue, 09 Feb 2010 17:01:52 -0500
Received: from d01relay06.pok.ibm.com (d01relay06.pok.ibm.com [9.56.227.116])
	by e7.ny.us.ibm.com (8.14.3/8.13.1) with ESMTP id o19LsjOY014718
	for <qemu-devel@nongnu.org>; Tue, 9 Feb 2010 16:54:45 -0500
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215])
	by d01relay06.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	o19M1n4k1601606
	for <qemu-devel@nongnu.org>; Tue, 9 Feb 2010 17:01:49 -0500
Received: from d01av01.pok.ibm.com (loopback [127.0.0.1])
	by d01av01.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id
	o19M1nT5013944
	for <qemu-devel@nongnu.org>; Tue, 9 Feb 2010 17:01:49 -0500
Received: from localhost.localdomain (sig-9-65-47-242.mts.ibm.com
	[9.65.47.242])
	by d01av01.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id
	o19M1eiF013399; Tue, 9 Feb 2010 17:01:48 -0500
From: Anthony Liguori <aliguori@us.ibm.com>
To: qemu-devel@nongnu.org
Date: Tue,  9 Feb 2010 16:01:29 -0600
Message-Id: <1265752899-26980-6-git-send-email-aliguori@us.ibm.com>
X-Mailer: git-send-email 1.6.5.2
In-Reply-To: <1265752899-26980-1-git-send-email-aliguori@us.ibm.com>
References: <1265752899-26980-1-git-send-email-aliguori@us.ibm.com>
X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6,
	seldom 2.4 (older, 4)
Cc: Michael Tsirkin <mstirkin@redhat.com>,
	Anthony Liguori <aliguori@us.ibm.com>, Alex Graf <agraf@suse.de>
Subject: [Qemu-devel] [PATCH 05/15] wdt_i6300esb: fix io type leakage
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

The watchdog device registers an io type in the pci map_func callback.  This
callback is invoked whenever the OS needs to reposition the IO region in memory.
While we automatically unmap previous mappings, we don't unregister the io type
(since the PCI layer does not know about this).

The current code will leak io types and eventually exhaust them.  You can
reproduce it by repeatedly rebooting a guest for about 30 times.

The fix is to register the io type once at init.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
 hw/wdt_i6300esb.c |   30 +++++++++++++++++-------------
 1 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/hw/wdt_i6300esb.c b/hw/wdt_i6300esb.c
index be0e89e..6c08c32 100644
--- a/hw/wdt_i6300esb.c
+++ b/hw/wdt_i6300esb.c
@@ -98,6 +98,8 @@ struct I6300State {
     int previous_reboot_flag;   /* If the watchdog caused the previous
                                  * reboot, this flag will be set.
                                  */
+
+    int io_mem;
 };
 
 typedef struct I6300State I6300State;
@@ -342,27 +344,27 @@ static void i6300esb_mem_writel(void *vp, target_phys_addr_t addr, uint32_t val)
     }
 }
 
+static CPUReadMemoryFunc * const mem_read[3] = {
+    i6300esb_mem_readb,
+    i6300esb_mem_readw,
+    i6300esb_mem_readl,
+};
+
+static CPUWriteMemoryFunc * const mem_write[3] = {
+    i6300esb_mem_writeb,
+    i6300esb_mem_writew,
+    i6300esb_mem_writel,
+};
+
 static void i6300esb_map(PCIDevice *dev, int region_num,
                          pcibus_t addr, pcibus_t size, int type)
 {
-    static CPUReadMemoryFunc * const mem_read[3] = {
-        i6300esb_mem_readb,
-        i6300esb_mem_readw,
-        i6300esb_mem_readl,
-    };
-    static CPUWriteMemoryFunc * const mem_write[3] = {
-        i6300esb_mem_writeb,
-        i6300esb_mem_writew,
-        i6300esb_mem_writel,
-    };
     I6300State *d = DO_UPCAST(I6300State, dev, dev);
-    int io_mem;
 
     i6300esb_debug("addr = %"FMT_PCIBUS", size = %"FMT_PCIBUS", type = %d\n",
                    addr, size, type);
 
-    io_mem = cpu_register_io_memory(mem_read, mem_write, d);
-    cpu_register_physical_memory (addr, 0x10, io_mem);
+    cpu_register_physical_memory (addr, 0x10, d->io_mem);
     /* qemu_register_coalesced_mmio (addr, 0x10); ? */
 }
 
@@ -406,6 +408,8 @@ static int i6300esb_init(PCIDevice *dev)
     d->stage = 1;
     d->unlock_state = 0;
     d->previous_reboot_flag = 0;
+    d->io_mem = cpu_register_io_memory(mem_read, mem_write, d);
+
 
     pci_conf = d->dev.config;
     pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_INTEL);