A memory region does not use their own reference counters, but instead piggybacks on another QOM object, "owner" (unless the owner is not the memory region itself). When creating a subregion, a new reference to the owner of the container must be created. However, if the subregion is owned by the same QOM object, this result in a self-reference, and make the owner immortal. Avoid such a self-reference.
Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com> --- system/memory.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/system/memory.c b/system/memory.c index 9540caa8a1f4..6645da02c658 100644 --- a/system/memory.c +++ b/system/memory.c @@ -2638,7 +2638,10 @@ static void memory_region_update_container_subregions(MemoryRegion *subregion) memory_region_transaction_begin(); - memory_region_ref(subregion); + if (mr->owner != subregion->owner) { + memory_region_ref(subregion); + } + QTAILQ_FOREACH(other, &mr->subregions, subregions_link) { if (subregion->priority >= other->priority) { QTAILQ_INSERT_BEFORE(other, subregion, subregions_link); @@ -2696,7 +2699,11 @@ void memory_region_del_subregion(MemoryRegion *mr, assert(alias->mapped_via_alias >= 0); } QTAILQ_REMOVE(&mr->subregions, subregion, subregions_link); - memory_region_unref(subregion); + + if (mr->owner != subregion->owner) { + memory_region_unref(subregion); + } + memory_region_update_pending |= mr->enabled && subregion->enabled; memory_region_transaction_commit(); } -- 2.45.2