From: Paolo Bonzini <pbonzini@redhat.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Lan Tianyu <tianyu.lan@intel.com>
Cc: xen-devel@lists.xensource.com, mjt@tls.msk.ru, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Qemu/Xen: Fix early freeing MSIX MMIO memory region
Date: Mon, 12 Oct 2015 14:01:22 +0200 [thread overview]
Message-ID: <561BA112.5030800@redhat.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1510121209310.1179@kaball.uk.xensource.com>
On 12/10/2015 13:09, Stefano Stabellini wrote:
> On Sun, 11 Oct 2015, Lan Tianyu wrote:
>> From: <tianyu.lan@intel.com>>
>>
>> msix->mmio is added to XenPCIPassthroughState's object as property.
>> object_finalize_child_property is called for XenPCIPassthroughState's
>> object, which calls object_property_del_all, which is going to try to
>> delete msix->mmio. object_finalize_child_property() will access
>> msix->mmio's obj. But the whole msix struct has already been freed
>> by xen_pt_msix_delete. This will cause segment fault when msix->mmio
>> has been overwritten.
>>
>> This patch is to fix the issue.
>>
>> Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
>
> Looks good to me. Paolo?
Also looks good to me. Thanks!
Paolo
>> hw/xen/xen_pt.c | 8 ++++++++
>> hw/xen/xen_pt.h | 1 +
>> hw/xen/xen_pt_config_init.c | 2 +-
>> hw/xen/xen_pt_msi.c | 13 ++++++++++++-
>> 4 files changed, 22 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
>> index 2b54f52..aa96288 100644
>> --- a/hw/xen/xen_pt.c
>> +++ b/hw/xen/xen_pt.c
>> @@ -938,10 +938,18 @@ static void xen_pci_passthrough_class_init(ObjectClass *klass, void *data)
>> dc->props = xen_pci_passthrough_properties;
>> };
>>
>> +static void xen_pci_passthrough_finalize(Object *obj)
>> +{
>> + XenPCIPassthroughState *s = XEN_PT_DEVICE(obj);
>> +
>> + xen_pt_msix_delete(s);
>> +}
>> +
>> static const TypeInfo xen_pci_passthrough_info = {
>> .name = TYPE_XEN_PT_DEVICE,
>> .parent = TYPE_PCI_DEVICE,
>> .instance_size = sizeof(XenPCIPassthroughState),
>> + .instance_finalize = xen_pci_passthrough_finalize,
>> .class_init = xen_pci_passthrough_class_init,
>> };
>>
>> diff --git a/hw/xen/xen_pt.h b/hw/xen/xen_pt.h
>> index 3bc22eb..c545280 100644
>> --- a/hw/xen/xen_pt.h
>> +++ b/hw/xen/xen_pt.h
>> @@ -305,6 +305,7 @@ void xen_pt_msi_disable(XenPCIPassthroughState *s);
>>
>> int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base);
>> void xen_pt_msix_delete(XenPCIPassthroughState *s);
>> +void xen_pt_msix_unmap(XenPCIPassthroughState *s);
>> int xen_pt_msix_update(XenPCIPassthroughState *s);
>> int xen_pt_msix_update_remap(XenPCIPassthroughState *s, int bar_index);
>> void xen_pt_msix_disable(XenPCIPassthroughState *s);
>> diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
>> index 4a5bc11..0efee11 100644
>> --- a/hw/xen/xen_pt_config_init.c
>> +++ b/hw/xen/xen_pt_config_init.c
>> @@ -2079,7 +2079,7 @@ void xen_pt_config_delete(XenPCIPassthroughState *s)
>>
>> /* free MSI/MSI-X info table */
>> if (s->msix) {
>> - xen_pt_msix_delete(s);
>> + xen_pt_msix_unmap(s);
>> }
>> g_free(s->msi);
>>
>> diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
>> index e3d7194..82de2bc 100644
>> --- a/hw/xen/xen_pt_msi.c
>> +++ b/hw/xen/xen_pt_msi.c
>> @@ -610,7 +610,7 @@ error_out:
>> return rc;
>> }
>>
>> -void xen_pt_msix_delete(XenPCIPassthroughState *s)
>> +void xen_pt_msix_unmap(XenPCIPassthroughState *s)
>> {
>> XenPTMSIX *msix = s->msix;
>>
>> @@ -627,6 +627,17 @@ void xen_pt_msix_delete(XenPCIPassthroughState *s)
>> }
>>
>> memory_region_del_subregion(&s->bar[msix->bar_index], &msix->mmio);
>> +}
>> +
>> +void xen_pt_msix_delete(XenPCIPassthroughState *s)
>> +{
>> + XenPTMSIX *msix = s->msix;
>> +
>> + if (!msix) {
>> + return;
>> + }
>> +
>> + object_unparent(OBJECT(&msix->mmio));
>>
>> g_free(s->msix);
>> s->msix = NULL;
>> --
>> 1.7.9.5
>>
WARNING: multiple messages have this Message-ID (diff)
From: Paolo Bonzini <pbonzini@redhat.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Lan Tianyu <tianyu.lan@intel.com>
Cc: xen-devel@lists.xensource.com, mjt@tls.msk.ru, qemu-devel@nongnu.org
Subject: Re: [PATCH] Qemu/Xen: Fix early freeing MSIX MMIO memory region
Date: Mon, 12 Oct 2015 14:01:22 +0200 [thread overview]
Message-ID: <561BA112.5030800@redhat.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1510121209310.1179@kaball.uk.xensource.com>
On 12/10/2015 13:09, Stefano Stabellini wrote:
> On Sun, 11 Oct 2015, Lan Tianyu wrote:
>> From: <tianyu.lan@intel.com>>
>>
>> msix->mmio is added to XenPCIPassthroughState's object as property.
>> object_finalize_child_property is called for XenPCIPassthroughState's
>> object, which calls object_property_del_all, which is going to try to
>> delete msix->mmio. object_finalize_child_property() will access
>> msix->mmio's obj. But the whole msix struct has already been freed
>> by xen_pt_msix_delete. This will cause segment fault when msix->mmio
>> has been overwritten.
>>
>> This patch is to fix the issue.
>>
>> Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
>
> Looks good to me. Paolo?
Also looks good to me. Thanks!
Paolo
>> hw/xen/xen_pt.c | 8 ++++++++
>> hw/xen/xen_pt.h | 1 +
>> hw/xen/xen_pt_config_init.c | 2 +-
>> hw/xen/xen_pt_msi.c | 13 ++++++++++++-
>> 4 files changed, 22 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
>> index 2b54f52..aa96288 100644
>> --- a/hw/xen/xen_pt.c
>> +++ b/hw/xen/xen_pt.c
>> @@ -938,10 +938,18 @@ static void xen_pci_passthrough_class_init(ObjectClass *klass, void *data)
>> dc->props = xen_pci_passthrough_properties;
>> };
>>
>> +static void xen_pci_passthrough_finalize(Object *obj)
>> +{
>> + XenPCIPassthroughState *s = XEN_PT_DEVICE(obj);
>> +
>> + xen_pt_msix_delete(s);
>> +}
>> +
>> static const TypeInfo xen_pci_passthrough_info = {
>> .name = TYPE_XEN_PT_DEVICE,
>> .parent = TYPE_PCI_DEVICE,
>> .instance_size = sizeof(XenPCIPassthroughState),
>> + .instance_finalize = xen_pci_passthrough_finalize,
>> .class_init = xen_pci_passthrough_class_init,
>> };
>>
>> diff --git a/hw/xen/xen_pt.h b/hw/xen/xen_pt.h
>> index 3bc22eb..c545280 100644
>> --- a/hw/xen/xen_pt.h
>> +++ b/hw/xen/xen_pt.h
>> @@ -305,6 +305,7 @@ void xen_pt_msi_disable(XenPCIPassthroughState *s);
>>
>> int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base);
>> void xen_pt_msix_delete(XenPCIPassthroughState *s);
>> +void xen_pt_msix_unmap(XenPCIPassthroughState *s);
>> int xen_pt_msix_update(XenPCIPassthroughState *s);
>> int xen_pt_msix_update_remap(XenPCIPassthroughState *s, int bar_index);
>> void xen_pt_msix_disable(XenPCIPassthroughState *s);
>> diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
>> index 4a5bc11..0efee11 100644
>> --- a/hw/xen/xen_pt_config_init.c
>> +++ b/hw/xen/xen_pt_config_init.c
>> @@ -2079,7 +2079,7 @@ void xen_pt_config_delete(XenPCIPassthroughState *s)
>>
>> /* free MSI/MSI-X info table */
>> if (s->msix) {
>> - xen_pt_msix_delete(s);
>> + xen_pt_msix_unmap(s);
>> }
>> g_free(s->msi);
>>
>> diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
>> index e3d7194..82de2bc 100644
>> --- a/hw/xen/xen_pt_msi.c
>> +++ b/hw/xen/xen_pt_msi.c
>> @@ -610,7 +610,7 @@ error_out:
>> return rc;
>> }
>>
>> -void xen_pt_msix_delete(XenPCIPassthroughState *s)
>> +void xen_pt_msix_unmap(XenPCIPassthroughState *s)
>> {
>> XenPTMSIX *msix = s->msix;
>>
>> @@ -627,6 +627,17 @@ void xen_pt_msix_delete(XenPCIPassthroughState *s)
>> }
>>
>> memory_region_del_subregion(&s->bar[msix->bar_index], &msix->mmio);
>> +}
>> +
>> +void xen_pt_msix_delete(XenPCIPassthroughState *s)
>> +{
>> + XenPTMSIX *msix = s->msix;
>> +
>> + if (!msix) {
>> + return;
>> + }
>> +
>> + object_unparent(OBJECT(&msix->mmio));
>>
>> g_free(s->msix);
>> s->msix = NULL;
>> --
>> 1.7.9.5
>>
next prev parent reply other threads:[~2015-10-12 12:01 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-11 15:19 [Qemu-devel] [PATCH] Qemu/Xen: Fix early freeing MSIX MMIO memory region Lan Tianyu
2015-10-11 15:19 ` Lan Tianyu
2015-10-12 11:09 ` [Qemu-devel] " Stefano Stabellini
2015-10-12 11:09 ` Stefano Stabellini
2015-10-12 12:01 ` Paolo Bonzini [this message]
2015-10-12 12:01 ` Paolo Bonzini
2015-10-12 12:45 ` [Qemu-devel] " Stefano Stabellini
2015-10-12 12:45 ` Stefano Stabellini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=561BA112.5030800@redhat.com \
--to=pbonzini@redhat.com \
--cc=mjt@tls.msk.ru \
--cc=qemu-devel@nongnu.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=tianyu.lan@intel.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.