From patchwork Fri Jul  1 06:41:56 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Gibson <david@gibson.dropbear.id.au>
X-Patchwork-Id: 642846
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3rgnGx27q2z9s9d
	for <incoming@patchwork.ozlabs.org>;
	Fri,  1 Jul 2016 16:55:21 +1000 (AEST)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=gibson.dropbear.id.au
	header.i=@gibson.dropbear.id.au header.b=DDc7pxRn;
	dkim-atps=neutral
Received: from localhost ([::1]:54015 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1bIsMB-0002ms-6J
	for incoming@patchwork.ozlabs.org; Fri, 01 Jul 2016 02:55:19 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56671)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dgibson@ozlabs.org>) id 1bIs7k-0003bK-3f
	for qemu-devel@nongnu.org; Fri, 01 Jul 2016 02:40:26 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <dgibson@ozlabs.org>) id 1bIs7i-0003It-28
	for qemu-devel@nongnu.org; Fri, 01 Jul 2016 02:40:23 -0400
Received: from ozlabs.org ([2401:3900:2:1::2]:59516)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dgibson@ozlabs.org>)
	id 1bIs7h-0003FJ-LB; Fri, 01 Jul 2016 02:40:21 -0400
Received: by ozlabs.org (Postfix, from userid 1007)
	id 3rgmxT68BDz9t1k; Fri,  1 Jul 2016 16:40:12 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
	d=gibson.dropbear.id.au; s=201602; t=1467355213;
	bh=efGqzbthR3QFBJTAzZ7L7rqan3IHy5EM2GFOSaVhL5A=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=DDc7pxRnNDJhnRxyQuwM9+tBF1km/7S78PjRK9UULwO0qTDpH9BTKiLrhrRABHnxu
	ex3xRtkpo9UOHaMAfTn0c4PLBvmu49Tcv4fb9izPMrbLm2wJ/LFu8raCUaqGIYw7rT
	YnzQT+yjBNakVGjBv4qEOwGWjojy2JHPfnZfNrUI=
From: David Gibson <david@gibson.dropbear.id.au>
To: peter.maydell@linaro.org
Date: Fri,  1 Jul 2016 16:41:56 +1000
Message-Id: <1467355319-28406-21-git-send-email-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1467355319-28406-1-git-send-email-david@gibson.dropbear.id.au>
References: <1467355319-28406-1-git-send-email-david@gibson.dropbear.id.au>
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 2401:3900:2:1::2
Subject: [Qemu-devel] [PULL 20/23] spapr: drop reference on child object
	during core realization
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: qemu-devel@nongnu.org, Greg Kurz <groug@kaod.org>, agraf@suse.de,
	qemu-ppc@nongnu.org, David Gibson <david@gibson.dropbear.id.au>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

From: Greg Kurz <groug@kaod.org>

When a core is being realized, we create a child object for each thread
of the core.

The child is first initialized with object_initialize() which sets its ref
count to 1, and then added to the core with object_property_add_child()
which bumps the ref count to 2.

When the core gets released, object_unparent() decreases the ref count to 1,
and we g_free() the object: we hence loose the reference on an unfinalized
object. This is likely to cause random crashes.

Let's drop the extra reference as soon as we don't need it, after the
thread is added to the core.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 hw/ppc/spapr_cpu_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index e30b159..bba3612 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -300,6 +300,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
         if (local_err) {
             goto err;
         }
+        object_unref(obj);
     }
     object_child_foreach(OBJECT(dev), spapr_cpu_core_realize_child, &local_err);
     if (local_err) {