From patchwork Fri Oct 2 14:07:57 2015
X-Patchwork-Submitter: Lan Tianyu
X-Patchwork-Id: 525602
From: Lan Tianyu
To: stefano.stabellini@eu.citrix.com, konrad.wilk@oracle.com, jbeulich@suse.com, pbonzini@redhat.com, mjt@tls.msk.ru, Ian.Campbell@citrix.com
Cc: Lan Tianyu, xen-devel@lists.xensource.com, qemu-devel@nongnu.org
Date: Fri, 2 Oct 2015 22:07:57 +0800
Message-Id: <1443794877-23810-1-git-send-email-tianyu.lan@intel.com>
Subject: [Qemu-devel] [Resend Fix PATCH] Qemu/Xen: Fix early freeing MSIX MMIO memory region

The MSIX MMIO memory region is added to the pt device's object as a property. When the pt device is unplugged, all properties are deleted, and the memory region's object is needed at that point (refer to object_finalize_child_property()). But the current code frees the MSIX MMIO memory region in xen_pt_msix_delete() before deleting the pt device's properties, which causes a segmentation fault. Reproduce the bug by hotplugging the device frequently.

This patch fixes the issue by moving the MSIX MMIO memory region into struct XenPCIPassthroughState and freeing it together with the pt device's object.

Signed-off-by: Lan Tianyu
---
Cc Xen devel maillist

 hw/xen/xen_pt.c     | 4 ++--
 hw/xen/xen_pt.h     | 2 +-
 hw/xen/xen_pt_msi.c | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
index 2b54f52..0c11069 100644
--- a/hw/xen/xen_pt.c
+++ b/hw/xen/xen_pt.c
@@ -587,11 +587,11 @@ static void xen_pt_region_update(XenPCIPassthroughState *s, }; bar = xen_pt_bar_from_region(s, mr); - if (bar == -1 && (!s->msix || &s->msix->mmio != mr)) { + if (bar == -1 && (!s->msix || &s->msix_mmio != mr)) { return; } - if (s->msix && &s->msix->mmio == mr) { + if (s->msix && &s->msix_mmio == mr) { if (adding) { s->msix->mmio_base_addr = sec->offset_within_address_space; rc = xen_pt_msix_update_remap(s, s->msix->bar_index); diff --git a/hw/xen/xen_pt.h b/hw/xen/xen_pt.h index 3bc22eb..3569c2c 100644 --- a/hw/xen/xen_pt.h +++ b/hw/xen/xen_pt.h @@ -199,7 +199,6 @@ typedef struct XenPTMSIX { uint64_t table_base; uint32_t table_offset_adjust; /* page align mmap */ uint64_t mmio_base_addr; - MemoryRegion mmio; void *phys_iomem_base; XenPTMSIXEntry msix_entry[0]; } XenPTMSIX; @@ -222,6 +221,7 @@ struct XenPCIPassthroughState { MemoryRegion bar[PCI_NUM_REGIONS - 1]; MemoryRegion rom; + MemoryRegion msix_mmio; MemoryListener memory_listener; MemoryListener io_listener; diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c index e3d7194..ae39ab3 100644 --- a/hw/xen/xen_pt_msi.c +++ b/hw/xen/xen_pt_msi.c @@ -558,7 +558,7 @@ int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base) msix->msix_entry[i].pirq = XEN_PT_UNASSIGNED_PIRQ; } - memory_region_init_io(&msix->mmio, OBJECT(s), &pci_msix_ops, + memory_region_init_io(&s->msix_mmio, OBJECT(s), &pci_msix_ops, s, "xen-pci-pt-msix", (total_entries * PCI_MSIX_ENTRY_SIZE + XC_PAGE_SIZE - 1) @@ -599,7 +599,7 @@ int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base) msix->phys_iomem_base); memory_region_add_subregion_overlap(&s->bar[bar_index], table_off, - &msix->mmio, + &s->msix_mmio, 2); /* Priority: pci default + 1 */ return 0; 
@@ -626,7 +626,7 @@ void xen_pt_msix_delete(XenPCIPassthroughState *s) + msix->table_offset_adjust); } - memory_region_del_subregion(&s->bar[msix->bar_index], &msix->mmio); + memory_region_del_subregion(&s->bar[msix->bar_index], &s->msix_mmio); g_free(s->msix); s->msix = NULL;
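Review bot: in the xen_pt_region_update() hunk the `!s->msix` guard must stay even though `&s->msix_mmio` is now always addressable: the body that follows still dereferences `s->msix->mmio_base_addr` and `s->msix->bar_index`, so the condition `if (bar == -1 && (!s->msix || &s->msix_mmio != mr))` cannot be simplified to a bare pointer comparison, and a comment there saying that the region is embedded in the device state while `s->msix` is still heap-allocated would save the next reader from trying.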
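Review bot: for the xen_pt_msix_init() hunk, `memory_region_init_io(&s->msix_mmio, OBJECT(s), ...)` now initializes a region embedded in the long-lived device object instead of in the g_malloc'd XenPTMSIX, which is what stops object_finalize_child_property() from touching freed memory; since memory_region_init_io() on an already-initialized embedded region would be a problem, please document on the new `MemoryRegion msix_mmio` field in xen_pt.h that it is initialized by xen_pt_msix_init(), detached by xen_pt_msix_delete(), and finalized only with the device object, so the two stay paired.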
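Review bot: in the xen_pt_msix_delete() hunk, `memory_region_del_subregion(&s->bar[msix->bar_index], &s->msix_mmio);` followed by `g_free(s->msix);` is correct because the region's storage no longer lives in `s->msix`, but the commit message should state explicitly that the region is now released by finalization of the passthrough device object rather than by xen_pt_msix_delete(), so the ordering constraint the bug came from is recorded in the log.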