From: Liu Ping Fan <pingf...@linux.vnet.ibm.com>

Scene: obja lies in objA, when objA's ref->0, it will be freed,
but at that time obja can still be in use.

The real example is:
typedef struct PCIIDEState {
    PCIDevice dev;
    IDEBus bus[2]; --> create in place
    .....
}

When without big lock protection for mmio-dispatch, we will hold
obj's refcnt. So memory_region_init_io() will replace the third para
"void *opaque" with "Object *obj".
With this patch, we can protect PCIIDEState from disappearing during
mmio-dispatch hold the IDEBus->ref.

And the ref circle has been broken when calling qdev_delete_subtree().

Signed-off-by: Liu Ping Fan <pingf...@linux.vnet.ibm.com>
--- hw/qdev.c | 2 ++ hw/qdev.h | 1 + 2 files changed, 3 insertions(+), 0 deletions(-) diff --git a/hw/qdev.c b/hw/qdev.c index e2339a1..b09ebbf 100644 --- a/hw/qdev.c +++ b/hw/qdev.c @@ -510,6 +510,8 @@ void qbus_create_inplace(BusState *bus, const char *typename, { object_initialize(bus, typename); + bus->overlap = parent; + object_ref(OBJECT(bus->overlap)); bus->parent = parent; bus->name = name ? g_strdup(name) : NULL; qbus_realize(bus); diff --git a/hw/qdev.h b/hw/qdev.h index 182cfa5..9bc5783 100644 --- a/hw/qdev.h +++ b/hw/qdev.h @@ -117,6 +117,7 @@ struct BusState { int allow_hotplug; bool qom_allocated; bool glib_allocated; + DeviceState *overlap; int max_index; QTAILQ_HEAD(ChildrenHead, BusChild) children; QLIST_ENTRY(BusState) sibling; -- 1.7.4.4
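Review bot: In the hw/qdev.c hunk, the object_ref(OBJECT(bus->overlap)) taken in qbus_create_inplace() has no matching object_unref() anywhere in this patch (the diffstat shows 3 insertions and 0 deletions). The commit message says the cycle is broken in qdev_delete_subtree(), but that code is not part of this change, so as posted the parent gains a reference that nothing visible here drops, and the embedding device could never reach ref 0. Please include the release path in the same patch, or name the patch in the series that adds it. The new lines also dereference parent unconditionally through OBJECT(); if any caller of qbus_create_inplace() can pass a NULL parent, guard the ref with "if (parent)".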
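Review bot: In the hw/qdev.h hunk, the new "DeviceState *overlap;" field in struct BusState is undocumented, and the other hunk assigns it the same value as bus->parent. Please add a comment stating that it is a strong (counted) reference to the device that embeds this bus, that it is only set for buses created in place, and who is responsible for dropping it. If the only difference from parent is ownership, consider taking the reference on bus->parent directly, or pick a name that says so (for example a name mentioning the container or owner), so that later readers do not have to infer the lifetime rule from qbus_create_inplace().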