Re: [QEMU PATCH 0/1] cpmu: segfault issue with hotplug event

[Jonathan Cameron <jonathan.cameron@huawei.com>]

On Fri,  5 Dec 2025 14:03:28 +0000
Joshua Lant <joshualant@gmail.com> wrote:

> Hi,
> 
> The CXL device topology shown below casues a hotplug event at some
> point during boot. This triggers a segfault in cpmu_timer_update due
> to a dangling pointer. The teardown of the pci devices has already
> happened at this point. However, the associated CPMU timers remain in
> the timer_list. We need to remove them before the rest of the device
> teardown happens. This should not cause any issue, since if a hot-add
> happens the realize function for the corresponding device will be called 
> and the timers will be set up once again (although I have not tested 
> this scenario. Only that I can now complete the boot process correctly).
> 
> Many thanks,
> 
> Josh
> 
> qemu: https://gitlab.com/jic23/qemu -b cxl-2025-10-03-draft
> kernel: https://github.com/weiny2/linux-kernel.git -b dcd-v6-2025-04-13 

I'm curious what is triggering the hotplug to occur, but indeed this is
clearly a bug. I'll squash the changes into the relevant CPMU patches.

So applied in across relevant 3ish patches.  I tweaked it a bit to reduce
the use of local variables that were only used once.

Given we are near the QEMU 10.2 release, I'll wait for that before pushing
out a new tree incorporating this fix.

Thanks,

Jonathan


> device topology:
> 
> -device usb-ehci,id=ehci \
> -object memory-backend-file,id=cxl-mem1,share=on,mem-path=/tmp/t3_cxl1.raw,size=8G \
> -object memory-backend-file,id=cxl-lsa1,share=on,mem-path=/tmp/t3_lsa1.raw,size=1M \
> -object memory-backend-file,id=cxl-mem2,share=on,mem-path=/tmp/t3_cxl2.raw,size=8G \
> -object memory-backend-file,id=cxl-lsa2,share=on,mem-path=/tmp/t3_lsa2.raw,size=1M \
> -device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.0,hdm_for_passthrough=true \
> -device pxb-cxl,bus_nr=48,bus=pcie.0,id=cxl.1,hdm_for_passthrough=true \
> -device cxl-rp,port=0,bus=cxl.0,id=root_port1,chassis=0,slot=1 \
> -device cxl-rp,port=1,bus=cxl.1,id=root_port2,chassis=1,slot=1 \
> -device cxl-upstream,port=0,sn=1234,bus=root_port1,id=us0,addr=0.0,multifunction=on, \
> -device cxl-upstream,port=0,sn=5678,bus=root_port2,id=us1,addr=0.1,multifunction=on, \
> -device cxl-switch-mailbox-cci,bus=root_port1,addr=0.3,target=us0 \
> -device cxl-downstream,port=0,bus=us0,id=swport0,slot=3 \
> -device cxl-downstream,port=0,bus=us1,id=swport1,slot=4 \
> -device cxl-type3,bus=swport0,volatile-dc-memdev=cxl-mem1,id=cxl-dcd0,lsa=cxl-lsa1,num-dc-regions=8,sn=99 \
> -device cxl-type3,bus=swport1,volatile-dc-memdev=cxl-mem2,id=cxl-dcd1,lsa=cxl-lsa2,num-dc-regions=8,sn=100 \
> -machine cxl-fmw.0.targets.0=cxl.0,cxl-fmw.0.size=8G,cxl-fmw.1.targets.0=cxl.1,cxl-fmw.1.size=8G"
> 
> Joshua Lant (1):
>   cpmu: teardown cpmu timers on device exit
> 
>  hw/cxl/cxl-cpmu.c              | 8 ++++++++
>  hw/mem/cxl_type3.c             | 5 +++++
>  hw/pci-bridge/cxl_downstream.c | 2 ++
>  hw/pci-bridge/cxl_upstream.c   | 4 ++++
>  include/hw/cxl/cxl_cpmu.h      | 1 +
>  5 files changed, 20 insertions(+)
>