From e95205e1f9cd2c4262b7a7b1c992a94512c86d0e Mon Sep 17 00:00:00 2001
From: Fam Zheng
Date: Mon, 16 Mar 2015 17:03:37 +0800
Subject: dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel
If DMA's owning thread cancels the IO while the bounce buffer's owning thread is notifying the "cpu client list", a use-after-free happens: continue_after_map_failure dma_aio_cancel ------------------------------------------------------------------ aio_bh_new qemu_bh_delete qemu_bh_schedule (use after free) Also, the old code doesn't run the bh in the right AioContext. Fix both problems by passing a QEMUBH to cpu_register_map_client.
Signed-off-by: Fam Zheng
Reviewed-by: Paolo Bonzini
Message-Id: <1426496617-10702-6-git-send-email-famz@redhat.com>
[Remove unnecessary forward declaration. - Paolo]
Signed-off-by: Paolo Bonzini
---
 include/exec/cpu-common.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
index fcc3162..43428bd 100644
--- a/include/exec/cpu-common.h
+++ b/include/exec/cpu-common.h
@@ -82,7 +82,8 @@ void *cpu_physical_memory_map(hwaddr addr,
 int is_write);
 void cpu_physical_memory_unmap(void *buffer, hwaddr len,
 int is_write, hwaddr access_len);
-void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque));
+void cpu_register_map_client(QEMUBH *bh);
+void cpu_unregister_map_client(QEMUBH *bh);
 bool cpu_physical_memory_is_io(hwaddr phys_addr);
-- cgit v1.1
From 37d7c08413cd4307f53c83d43b1b06cf2701d7a7 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Mon, 23 Mar 2015 10:21:46 +0100
Subject: memory: add memory_region_ram_resize
This is a simple MemoryRegion wrapper for qemu_ram_resize.
Signed-off-by: Paolo Bonzini
---
 include/exec/memory.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'include')
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 06ffa1d..a2ea587 100644
--- a/include/exec/memory.h
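Review bot: The new prototypes `cpu_register_map_client(QEMUBH *bh)` and `cpu_unregister_map_client(QEMUBH *bh)` carry no comment stating the lifetime rule this commit relies on: the caller must call cpu_unregister_map_client() before it qemu_bh_delete()s the BH, otherwise the use-after-free described in the commit message simply moves from the old callback to the stored BH pointer. I would add above the pair a comment such as `/* Register @bh to be scheduled when a bounce buffer becomes available. The caller owns @bh and must cpu_unregister_map_client() it before deleting it. */`. Which AioContext the BH is scheduled in is only asserted in the commit message, not visible in this header, so the comment should state whatever the exec.c implementation actually guarantees rather than repeat the claim.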
+++ b/include/exec/memory.h
@@ -605,6 +605,18 @@ int memory_region_get_fd(MemoryRegion *mr);
 */
 void *memory_region_get_ram_ptr(MemoryRegion *mr);
+/* memory_region_ram_resize: Resize a RAM region.
+ *
+ * Only legal before guest might have detected the memory size: e.g. on
+ * incoming migration, or right after reset.
+ *
+ * @mr: a memory region created with @memory_region_init_resizeable_ram.
+ * @newsize: the new size the region
+ * @errp: pointer to Error*, to store an error if it happens.
+ */
+void memory_region_ram_resize(MemoryRegion *mr, ram_addr_t newsize,
+ Error **errp);
+
 /**
 * memory_region_set_log: Turn dirty logging on or off for a region.
 *
-- cgit v1.1
From 339240b5cd42bd13d4f6629f2aedf8b4b07459fb Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Mon, 23 Mar 2015 10:24:16 +0100
Subject: acpi-build: remove dependency from ram_addr.h
ram_addr_t is an internal interface, everyone should go through MemoryRegion. Clean it up by making rom_add_blob return a MemoryRegion* and using the new qemu_ram_resize infrastructure.
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Paolo Bonzini
---
 include/hw/loader.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'include')
diff --git a/include/hw/loader.h b/include/hw/loader.h
index 4f0681b..485ff8f 100644
--- a/include/hw/loader.h
+++ b/include/hw/loader.h
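Review bot: The added comment for `memory_region_ram_resize` opens with a plain `/*` while the neighbouring `memory_region_set_log` entry in the same hunk opens with `/**`, so the new block should start with `/**` to stay a doc-comment like the rest of this header. The `@newsize` line reads `the new size the region` and is missing a word: `@newsize: the new size of the region`. Nothing here says under what condition `@errp` is set — presumably a @newsize larger than the maximum given to memory_region_init_resizeable_ram — so I would state it, e.g. `@errp: set if @newsize exceeds the maximum size the region was created with`, after confirming against the qemu_ram_resize implementation the commit message refers to. The "only legal before guest might have detected the memory size" rule cannot be enforced by the declaration; a sentence making clear that the caller is responsible for it would sharpen the contract.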
@@ -68,9 +68,11 @@ extern bool rom_file_has_mr;
 int rom_add_file(const char *file, const char *fw_dir, hwaddr addr, int32_t bootindex, bool option_rom);
-ram_addr_t rom_add_blob(const char *name, const void *blob, size_t len,
- size_t max_len, hwaddr addr, const char *fw_file_name,
- FWCfgReadCallback fw_callback, void *callback_opaque);
+MemoryRegion *rom_add_blob(const char *name, const void *blob, size_t len,
+ size_t max_len, hwaddr addr,
+ const char *fw_file_name,
+ FWCfgReadCallback fw_callback,
+ void *callback_opaque);
 int rom_add_elf_program(const char *name, void *data, size_t datasize, size_t romsize, hwaddr addr);
 int rom_load_all(void);
-- cgit v1.1
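Review bot: The new `MemoryRegion *` return of `rom_add_blob` has no comment stating who owns the region or what the function returns when the blob cannot be registered; the old `ram_addr_t` return could not express failure, and a NULL return would now be a new, undocumented error path that callers such as acpi-build must check. I would add above the prototype a comment along the lines of `/* Returns the MemoryRegion backing the blob, owned by the ROM loader (callers must not free or unref it); NULL on failure. @max_len bounds later memory_region_ram_resize() calls on it. */`, with the NULL and @max_len statements confirmed against hw/core/loader.c, which this hunk does not show. If the loader cannot actually fail here, the comment should say the pointer is always valid instead.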