diff options
| author | Amit Shah <amit.shah@redhat.com> | 2011-07-20 13:30:56 +0530 |
|---|---|---|
| committer | Anthony Liguori <aliguori@us.ibm.com> | 2011-08-04 16:43:09 -0500 |
| commit | 30fb2ca603e8b8d0f02630ef18bc0d0637a88ffa (patch) | |
| tree | 15cf07aad31a658c0e42ee98c6a6fa87ebe2c10e | |
| parent | dce911c753489609238f91d29bcf945c87a19911 (diff) | |
| download | focaccia-qemu-30fb2ca603e8b8d0f02630ef18bc0d0637a88ffa.tar.gz focaccia-qemu-30fb2ca603e8b8d0f02630ef18bc0d0637a88ffa.zip | |
balloon: Separate out stat and balloon handling
Passing on '0' as ballooning target to indicate retrieval of stats is
bad API. It also makes 'balloon 0' in the monitor cause a segfault.
Have two different functions handle the different functionality instead.
Detailed explanation from Markus's review:
1. do_info_balloon() is an info_async() method. It receives a callback
with argument, to be called exactly once (callback frees the
argument). It passes the callback via qemu_balloon_status() and
indirectly through qemu_balloon_event to virtio_balloon_to_target().
virtio_balloon_to_target() executes its balloon stats half. It
stores the callback in the device state.
If it can't send a stats request, it resets stats and calls the
callback right away.
Else, it sends a stats request. The device model runs the callback
when it receives the answer.
Works.
2. do_balloon() is a cmd_async() method. It receives a callback with
argument, to be called when the command completes. do_balloon()
calls it right before it succeeds. Odd, but should work.
Nevertheless, it passes the callback on via qemu_ballon() and
indirectly through qemu_balloon_event to virtio_balloon_to_target().
a. If the argument is non-zero, virtio_balloon_to_target() executes
its balloon half, which doesn't use the callback in any way.
Odd, but works.
b. If the argument is zero, virtio_balloon_to_target() executes its
balloon stats half, just like in 1. It either calls the callback
right away, or arranges for it to be called later.
Thus, the callback runs twice: use after free and double free.
Test case: start with -S -device virtio-balloon, execute "balloon 0" in
human monitor. Runs the callback first from virtio_balloon_to_target(),
then again from do_balloon().
Reported-by: Mike Cao <bcao@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
| -rw-r--r-- | balloon.c | 17 | ||||
| -rw-r--r-- | balloon.h | 8 | ||||
| -rw-r--r-- | hw/virtio-balloon.c | 7 |
3 files changed, 17 insertions, 15 deletions
diff --git a/balloon.c b/balloon.c index d40be39b3b..8be3812ee2 100644 --- a/balloon.c +++ b/balloon.c @@ -32,30 +32,33 @@ static QEMUBalloonEvent *balloon_event_fn; +static QEMUBalloonStatus *balloon_stat_fn; static void *balloon_opaque; -void qemu_add_balloon_handler(QEMUBalloonEvent *func, void *opaque) +void qemu_add_balloon_handler(QEMUBalloonEvent *event_func, + QEMUBalloonStatus *stat_func, void *opaque) { - balloon_event_fn = func; + balloon_event_fn = event_func; + balloon_stat_fn = stat_func; balloon_opaque = opaque; } -static int qemu_balloon(ram_addr_t target, MonitorCompletion cb, void *opaque) +static int qemu_balloon(ram_addr_t target) { if (!balloon_event_fn) { return 0; } trace_balloon_event(balloon_opaque, target); - balloon_event_fn(balloon_opaque, target, cb, opaque); + balloon_event_fn(balloon_opaque, target); return 1; } static int qemu_balloon_status(MonitorCompletion cb, void *opaque) { - if (!balloon_event_fn) { + if (!balloon_stat_fn) { return 0; } - balloon_event_fn(balloon_opaque, 0, cb, opaque); + balloon_stat_fn(balloon_opaque, cb, opaque); return 1; } @@ -135,7 +138,7 @@ int do_balloon(Monitor *mon, const QDict *params, return -1; } - ret = qemu_balloon(qdict_get_int(params, "value"), cb, opaque); + ret = qemu_balloon(qdict_get_int(params, "value")); if (ret == 0) { qerror_report(QERR_DEVICE_NOT_ACTIVE, "balloon"); return -1; diff --git a/balloon.h b/balloon.h index 06a8a46b50..a6c31d587c 100644 --- a/balloon.h +++ b/balloon.h @@ -16,10 +16,12 @@ #include "monitor.h" -typedef void (QEMUBalloonEvent)(void *opaque, ram_addr_t target, - MonitorCompletion cb, void *cb_data); +typedef void (QEMUBalloonEvent)(void *opaque, ram_addr_t target); +typedef void (QEMUBalloonStatus)(void *opaque, MonitorCompletion cb, + void *cb_data); -void qemu_add_balloon_handler(QEMUBalloonEvent *func, void *opaque); +void qemu_add_balloon_handler(QEMUBalloonEvent *event_func, + QEMUBalloonStatus *stat_func, void *opaque); void monitor_print_balloon(Monitor *mon, const QObject *data); int do_info_balloon(Monitor *mon, MonitorCompletion cb, void *opaque); diff --git a/hw/virtio-balloon.c b/hw/virtio-balloon.c index 2f371f2f69..40b43b0606 100644 --- a/hw/virtio-balloon.c +++ b/hw/virtio-balloon.c @@ -227,8 +227,7 @@ static void virtio_balloon_stat(void *opaque, MonitorCompletion cb, complete_stats_request(dev); } -static void virtio_balloon_to_target(void *opaque, ram_addr_t target, - MonitorCompletion cb, void *cb_data) +static void virtio_balloon_to_target(void *opaque, ram_addr_t target) { VirtIOBalloon *dev = opaque; @@ -238,8 +237,6 @@ static void virtio_balloon_to_target(void *opaque, ram_addr_t target, if (target) { dev->num_pages = (ram_size - target) >> VIRTIO_BALLOON_PFN_SHIFT; virtio_notify_config(&dev->vdev); - } else { - virtio_balloon_stat(opaque, cb, cb_data); } } @@ -284,7 +281,7 @@ VirtIODevice *virtio_balloon_init(DeviceState *dev) s->svq = virtio_add_queue(&s->vdev, 128, virtio_balloon_receive_stats); reset_stats(s); - qemu_add_balloon_handler(virtio_balloon_to_target, s); + qemu_add_balloon_handler(virtio_balloon_to_target, virtio_balloon_stat, s); register_savevm(dev, "virtio-balloon", -1, 1, virtio_balloon_save, virtio_balloon_load, s); |