diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2013-06-28 17:33:29 +0200 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2013-07-04 17:42:46 +0200 |
commit | d3e71559a81ca7b6221465dd19282429101f983d (patch) | |
tree | e5234bf5244df64a87267aa23f11ac23a0cad1ba /exec.c | |
parent | e3127ae0cdcde6b10a8643836f5bec197f2eff1a (diff) | |
download | qemu-d3e71559a81ca7b6221465dd19282429101f983d.zip qemu-d3e71559a81ca7b6221465dd19282429101f983d.tar.gz qemu-d3e71559a81ca7b6221465dd19282429101f983d.tar.bz2 |
memory: ref/unref memory across address_space_map/unmap
The iothread mutex might be released between map and unmap, so the
mapped region might disappear.
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'exec.c')
-rw-r--r-- | exec.c | 15 |
1 files changed, 12 insertions, 3 deletions
@@ -1986,6 +1986,7 @@ void cpu_physical_memory_write_rom(hwaddr addr, } typedef struct { + MemoryRegion *mr; void *buffer; hwaddr addr; hwaddr len; @@ -2083,6 +2084,9 @@ void *address_space_map(AddressSpace *as, bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE); bounce.addr = addr; bounce.len = l; + + memory_region_ref(mr); + bounce.mr = mr; if (!is_write) { address_space_read(as, addr, bounce.buffer, l); } @@ -2109,6 +2113,7 @@ void *address_space_map(AddressSpace *as, } } + memory_region_ref(mr); *plen = done; return qemu_ram_ptr_length(raddr + base, plen); } @@ -2121,10 +2126,12 @@ void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len, int is_write, hwaddr access_len) { if (buffer != bounce.buffer) { + MemoryRegion *mr; + ram_addr_t addr1; + + mr = qemu_ram_addr_from_host(buffer, &addr1); + assert(mr != NULL); if (is_write) { - ram_addr_t addr1; - MemoryRegion *mr = qemu_ram_addr_from_host(buffer, &addr1); - assert(mr != NULL); while (access_len) { unsigned l; l = TARGET_PAGE_SIZE; @@ -2138,6 +2145,7 @@ void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len, if (xen_enabled()) { xen_invalidate_map_cache_entry(buffer); } + memory_region_unref(mr); return; } if (is_write) { @@ -2145,6 +2153,7 @@ void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len, } qemu_vfree(bounce.buffer); bounce.buffer = NULL; + memory_region_unref(bounce.mr); cpu_notify_map_clients(); } |