Invalidate tb cache once mapping is removed

qemu/accel/tcg/translate-all.c

@@ -1018,11 +1018,13 @@ static void uc_invalidate_tb(struct uc_struct *uc, uint64_t start_addr, size_t l
         return;
     }
 
-    // GPA to GVA
+    // GPA to ram addr
+    // https://raw.githubusercontent.com/android/platform_external_qemu/master/docs/QEMU-MEMORY-MANAGEMENT.TXT
     // start_addr : GPA
-    // addr: GVA
+    // start (returned): ram addr
     // (GPA -> HVA via memory_region_get_ram_addr(mr) + GPA + block->host,
-    // HVA->HPA via host mmu)
+    // GVA -> GPA via tlb & softmmu
+    // HVA -> HPA via host mmu)
     start = get_page_addr_code(uc->cpu->env_ptr, start_addr) & (target_ulong)(-1);
 
     uc->nested_level--;

qemu/softmmu/memory.c

@@ -153,12 +153,15 @@ void memory_unmap(struct uc_struct *uc, MemoryRegion *mr)
     int i;
     hwaddr addr;
 
-    // Make sure all pages associated with the MemoryRegion are flushed
-    // Only need to do this if we are in a running state
     if (uc->cpu) {
-        for (addr = mr->addr; addr < mr->end; addr += uc->target_page_size) {
+        // We also need to remove all tb cache
+        uc->uc_invalidate_tb(uc, mr->addr, mr->size);
+
+        // Make sure all pages associated with the MemoryRegion are flushed
+        // Only need to do this if we are in a running state
+        for (addr = mr->addr; (int64_t)(mr->end - addr) > 0; addr += uc->target_page_size) {
            tlb_flush_page(uc->cpu, addr);
-        }
+        }        
     }
     memory_region_del_subregion(uc->system_memory, mr);