aboutsummaryrefslogtreecommitdiff
path: root/hw/intc
diff options
context:
space:
mode:
authorGreg Kurz <groug@kaod.org>2019-10-24 16:27:27 +0200
committerLaurent Vivier <lvivier@redhat.com>2019-11-18 11:50:16 +0100
commit35886de140b7ff781b775d2da5e7475e8a8cb4c6 (patch)
tree4c1b3625f85ecacd3b81a906e55084f754b2d1ad /hw/intc
parent0990ce6a2e900d0bdda7f3ecdc991746f63551fb (diff)
downloadqemu-35886de140b7ff781b775d2da5e7475e8a8cb4c6.zip
qemu-35886de140b7ff781b775d2da5e7475e8a8cb4c6.tar.gz
qemu-35886de140b7ff781b775d2da5e7475e8a8cb4c6.tar.bz2
xive, xics: Fix reference counting on CPU objects
When a VCPU gets connected to the XIVE interrupt controller, we add a const link targetting the CPU object to the TCTX object. Similar links are added to the ICP object when using the XICS interrupt controller. As explained in <qom/object.h>: * The caller must ensure that @target stays alive as long as * this property exists. In the case @target is a child of @obj, * this will be the case. Otherwise, the caller is responsible for * taking a reference. We're in the latter case for both XICS and XIVE. Add the missing calls to object_ref() and object_unref(). This doesn't fix any known issue because the life cycle of the TCTX or ICP happens to be shorter than the one of the CPU or XICS fabric, but better safe than sorry. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: David Gibson <david@gibson.dropbear.id.au> Message-Id: <157192724770.3146912.15400869269097231255.stgit@bahia.lan> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Diffstat (limited to 'hw/intc')
-rw-r--r--hw/intc/xics.c8
-rw-r--r--hw/intc/xive.c6
2 files changed, 12 insertions, 2 deletions
diff --git a/hw/intc/xics.c b/hw/intc/xics.c
index 935f325..5f74607 100644
--- a/hw/intc/xics.c
+++ b/hw/intc/xics.c
@@ -388,8 +388,10 @@ Object *icp_create(Object *cpu, const char *type, XICSFabric *xi, Error **errp)
obj = object_new(type);
object_property_add_child(cpu, type, obj, &error_abort);
object_unref(obj);
+ object_ref(OBJECT(xi));
object_property_add_const_link(obj, ICP_PROP_XICS, OBJECT(xi),
&error_abort);
+ object_ref(cpu);
object_property_add_const_link(obj, ICP_PROP_CPU, cpu, &error_abort);
object_property_set_bool(obj, true, "realized", &local_err);
if (local_err) {
@@ -403,7 +405,11 @@ Object *icp_create(Object *cpu, const char *type, XICSFabric *xi, Error **errp)
void icp_destroy(ICPState *icp)
{
- object_unparent(OBJECT(icp));
+ Object *obj = OBJECT(icp);
+
+ object_unref(object_property_get_link(obj, ICP_PROP_CPU, &error_abort));
+ object_unref(object_property_get_link(obj, ICP_PROP_XICS, &error_abort));
+ object_unparent(obj);
}
/*
diff --git a/hw/intc/xive.c b/hw/intc/xive.c
index 38257aa..952a461 100644
--- a/hw/intc/xive.c
+++ b/hw/intc/xive.c
@@ -682,6 +682,7 @@ Object *xive_tctx_create(Object *cpu, XiveRouter *xrtr, Error **errp)
obj = object_new(TYPE_XIVE_TCTX);
object_property_add_child(cpu, TYPE_XIVE_TCTX, obj, &error_abort);
object_unref(obj);
+ object_ref(cpu);
object_property_add_const_link(obj, "cpu", cpu, &error_abort);
object_property_set_bool(obj, true, "realized", &local_err);
if (local_err) {
@@ -698,7 +699,10 @@ error:
void xive_tctx_destroy(XiveTCTX *tctx)
{
- object_unparent(OBJECT(tctx));
+ Object *obj = OBJECT(tctx);
+
+ object_unref(object_property_get_link(obj, "cpu", &error_abort));
+ object_unparent(obj);
}
/*