Message ID | 20150201160602.1167.7247.stgit@gimli.home |
---|---|
State | New |
On 01/02/2015 17:06, Alex Williamson wrote: > Commit d8d95814609e added explicit object_unparent() calls for > dynamically allocated MemoryRegions. The VFIOMSIXInfo structure also > contains such a MemoryRegion, covering the mmap'd region of a PCI BAR > above the MSI-X table. This structure is freed as part of the class > exit function and therefore also needs an explicit object_unparent(). > Failing to do this results in random segfaults due to fields within > the structure, often the class pointer, being reclaimed and corrupted > by the time object_finalize_child_property() is called for the object. > > Signed-off-by: Alex Williamson <alex.williamson@redhat.com> > Cc: Paolo Bonzini <pbonzini@redhat.com> > Cc: qemu-stable@nongnu.org > --- > > hw/vfio/pci.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c > index 014a92c..29caabc 100644 > --- a/hw/vfio/pci.c > +++ b/hw/vfio/pci.c > @@ -3065,6 +3065,7 @@ static void vfio_put_device(VFIOPCIDevice *vdev) > { > g_free(vdev->vbasedev.name); > if (vdev->msix) { > + object_unparent(OBJECT(&vdev->msix->mmap_mem)); > g_free(vdev->msix); > vdev->msix = NULL; > } > Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Perhaps specify "# 2.2" on the "Cc: qemu-stable@nongnu.org" line and/or add a "Fixes: ..." line. Paolo
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c index 014a92c..29caabc 100644 --- a/hw/vfio/pci.c +++ b/hw/vfio/pci.c @@ -3065,6 +3065,7 @@ static void vfio_put_device(VFIOPCIDevice *vdev) { g_free(vdev->vbasedev.name); if (vdev->msix) { + object_unparent(OBJECT(&vdev->msix->mmap_mem)); g_free(vdev->msix); vdev->msix = NULL; }
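Review bot: The new object_unparent() at the top of the `if (vdev->msix)` block is unconditional, so it relies on `vdev->msix->mmap_mem` having been initialized every time `vdev->msix` is non-NULL; if there is any path on which the MSI-X info is allocated but the region above the MSI-X table is never set up with memory_region_init(), unparenting a never-initialized object is itself a bug, and the call should be guarded in the same way (or the commit message should state the invariant). Placing the call before `g_free(vdev->msix)` is the right order, since the child-property finalization must run while the structure holding the MemoryRegion is still valid; it would help reviewers to say so in the message, and, as suggested in the thread, to reference the commit that introduced the missing unparent with a "Fixes:" line plus a "# 2.2" stable annotation so the backport target is explicit.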
Commit d8d95814609e added explicit object_unparent() calls for dynamically allocated MemoryRegions. The VFIOMSIXInfo structure also contains such a MemoryRegion, covering the mmap'd region of a PCI BAR above the MSI-X table. This structure is freed as part of the class exit function and therefore also needs an explicit object_unparent(). Failing to do this results in random segfaults due to fields within the structure, often the class pointer, being reclaimed and corrupted by the time object_finalize_child_property() is called for the object. Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-stable@nongnu.org --- hw/vfio/pci.c | 1 + 1 file changed, 1 insertion(+)