diff options
| author | Amit Shah <amit.shah@redhat.com> | 2011-07-20 13:30:56 +0530 |
|---|---|---|
| committer | Anthony Liguori <aliguori@us.ibm.com> | 2011-08-04 16:43:09 -0500 |
| commit | 30fb2ca603e8b8d0f02630ef18bc0d0637a88ffa (patch) | |
| tree | 15cf07aad31a658c0e42ee98c6a6fa87ebe2c10e /hw/virtio-balloon.c | |
| parent | dce911c753489609238f91d29bcf945c87a19911 (diff) | |
balloon: Separate out stat and balloon handling
Passing on '0' as ballooning target to indicate retrieval of stats is
bad API. It also makes 'balloon 0' in the monitor cause a segfault.
Have two different functions handle the different functionality instead.
Detailed explanation from Markus's review:
1. do_info_balloon() is an info_async() method. It receives a callback
with argument, to be called exactly once (callback frees the
argument). It passes the callback via qemu_balloon_status() and
indirectly through qemu_balloon_event to virtio_balloon_to_target().
virtio_balloon_to_target() executes its balloon stats half. It
stores the callback in the device state.
If it can't send a stats request, it resets stats and calls the
callback right away.
Else, it sends a stats request. The device model runs the callback
when it receives the answer.
Works.
2. do_balloon() is a cmd_async() method. It receives a callback with
argument, to be called when the command completes. do_balloon()
calls it right before it succeeds. Odd, but should work.
Nevertheless, it passes the callback on via qemu_ballon() and
indirectly through qemu_balloon_event to virtio_balloon_to_target().
a. If the argument is non-zero, virtio_balloon_to_target() executes
its balloon half, which doesn't use the callback in any way.
Odd, but works.
b. If the argument is zero, virtio_balloon_to_target() executes its
balloon stats half, just like in 1. It either calls the callback
right away, or arranges for it to be called later.
Thus, the callback runs twice: use after free and double free.
Test case: start with -S -device virtio-balloon, execute "balloon 0" in
human monitor. Runs the callback first from virtio_balloon_to_target(),
then again from do_balloon().
Reported-by: Mike Cao <bcao@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Diffstat (limited to 'hw/virtio-balloon.c')
| -rw-r--r-- | hw/virtio-balloon.c | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/hw/virtio-balloon.c b/hw/virtio-balloon.c index 2f371f2f69..40b43b0606 100644 --- a/hw/virtio-balloon.c +++ b/hw/virtio-balloon.c @@ -227,8 +227,7 @@ static void virtio_balloon_stat(void *opaque, MonitorCompletion cb, complete_stats_request(dev); } -static void virtio_balloon_to_target(void *opaque, ram_addr_t target, - MonitorCompletion cb, void *cb_data) +static void virtio_balloon_to_target(void *opaque, ram_addr_t target) { VirtIOBalloon *dev = opaque; @@ -238,8 +237,6 @@ static void virtio_balloon_to_target(void *opaque, ram_addr_t target, if (target) { dev->num_pages = (ram_size - target) >> VIRTIO_BALLOON_PFN_SHIFT; virtio_notify_config(&dev->vdev); - } else { - virtio_balloon_stat(opaque, cb, cb_data); } } @@ -284,7 +281,7 @@ VirtIODevice *virtio_balloon_init(DeviceState *dev) s->svq = virtio_add_queue(&s->vdev, 128, virtio_balloon_receive_stats); reset_stats(s); - qemu_add_balloon_handler(virtio_balloon_to_target, s); + qemu_add_balloon_handler(virtio_balloon_to_target, virtio_balloon_stat, s); register_savevm(dev, "virtio-balloon", -1, 1, virtio_balloon_save, virtio_balloon_load, s); |