| Message ID | 146723342014.9665.3613446436074803191.stgit@bahia.lan (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Wed, Jun 29, 2016 at 10:50:20PM +0200, Greg Kurz wrote: > When a core is being realized, we create a child object for each thread > of the core. > > The child is first initialized with object_initialize() which sets its ref > count to 1, and then added to the core with object_property_add_child() > which bumps the ref count to 2. > > When the core gets released, object_unparent() decreases the ref count to 1, > and we g_free() the object: we hence loose the reference on an unfinalized > object. This is likely to cause random crashes. > > Let's drop the extra reference as soon as we don't need it, after the > thread is added to the core. > > Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c index 2aa0dc523374..789eb2e6f206 100644 --- a/hw/ppc/spapr_cpu_core.c +++ b/hw/ppc/spapr_cpu_core.c @@ -299,8 +299,9 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp) object_property_add_child(OBJECT(sc), id, obj, &local_err); if (local_err) { goto err; } + object_unref(obj); } object_child_foreach(OBJECT(dev), spapr_cpu_core_realize_child, &local_err); if (local_err) { goto err;
When a core is being realized, we create a child object for each thread of the core. The child is first initialized with object_initialize() which sets its ref count to 1, and then added to the core with object_property_add_child() which bumps the ref count to 2. When the core gets released, object_unparent() decreases the ref count to 1, and we g_free() the object: we hence loose the reference on an unfinalized object. This is likely to cause random crashes. Let's drop the extra reference as soon as we don't need it, after the thread is added to the core. Signed-off-by: Greg Kurz <groug@kaod.org> --- hw/ppc/spapr_cpu_core.c | 1 + 1 file changed, 1 insertion(+)