Commit d8d95814609e replaced a number of memory_region_destroy() calls with object_unparent() calls. The logic appears to be that subregions need to be unparented, but the base region is destroyed with the device object. Doing hotplug testing with vfio-pci I occasionally get a segfault from object_finalize_child_property() due to completely bogus class pointers on the child Object. Adding the explicit object_unparent() for these subregions resolves the problem, however I question the sanity of the Memory API now where we sometimes need to destroy MemoryRegions, but the rules aren't clear and there's no longer a memory_region_destroy() function, so we need to reach over to some other random QEMU API and unparent an object that we barely know about and certainly didn't explicitly parent previously.
Signed-off-by: Alex Williamson <alex.william...@redhat.com> Cc: Paolo Bonzini <pbonz...@redhat.com> Cc: qemu-sta...@nongnu.org --- hw/vfio/pci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c index 014a92c..c71499e 100644 --- a/hw/vfio/pci.c +++ b/hw/vfio/pci.c @@ -2294,10 +2294,12 @@ static void vfio_unmap_bar(VFIOPCIDevice *vdev, int nr) memory_region_del_subregion(&bar->region.mem, &bar->region.mmap_mem); munmap(bar->region.mmap, memory_region_size(&bar->region.mmap_mem)); + object_unparent(OBJECT(&bar->region.mmap_mem)); if (vdev->msix && vdev->msix->table_bar == nr) { memory_region_del_subregion(&bar->region.mem, &vdev->msix->mmap_mem); munmap(vdev->msix->mmap, memory_region_size(&vdev->msix->mmap_mem)); + object_unparent(OBJECT(&vdev->msix->mmap_mem)); } }
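Review bot: in vfio_unmap_bar() the new object_unparent() calls are correctly placed last, after memory_region_del_subregion() and after munmap() has consumed memory_region_size(&bar->region.mmap_mem); once the parent's reference is dropped the region may be finalized immediately, so this order must not be changed in a later cleanup. Since the commit message itself says the destroy rules are unclear, a one-line comment above the first object_unparent() stating that memory_region_del_subregion() only removes the subregion and the embedded MemoryRegion still has to be unparented to be finalized would make the requirement visible to the next person touching this path. The unparent of bar->region.mmap_mem is unconditional, like the existing munmap() it follows, so it is worth confirming that every path reaching vfio_unmap_bar() has initialized mmap_mem; the msix case is fine because the unparent sits under the same vdev->msix->table_bar == nr check as the del_subregion.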