From: Joshua Lant <joshualant@googlemail.com>
To: linux-cxl@vger.kernel.org
Cc: Jonathan.Cameron@huawei.com, Joshua Lant <joshualant@gmail.com>
Subject: [QEMU- PATCH v2 0/1] cxl_type3: segfault in cxl_destroy_dc_regions
Date: Mon, 8 Sep 2025 16:30:19 +0100
Message-ID: <20250908154251.904229-1-joshualant@gmail.com>

Changes for v2: fix tags block and hash in commit message

Hi there,

A typo[1] in a qemu command[2] of mine is causing a segfault[3] in qemu
during boot, due to cxl_destroy_dc_regions being called inside what looks like
a hot-remove event. I realise my command is not correct more generally, as
it does not achieve what I want. However, the issue appears to be in qemu, due to
the use of CXL_TYPE3_CLASS() rather than CXL_TYPE3_GET_CLASS(), as the input
is the device rather than the class (introduced in ef73003556).

Josh

[1] Issue in my command

Causes segfault:
-device cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.1,multifunction=on,

Boots okay:
-device cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.0,multifunction=on,

[2] System Setup

QEMU- https://gitlab.com/jic23/qemu.git origin/cxl-2025-07-03
Kernel- https://github.com/weiny2/linux-kernel.git origin/dcd-v6-2025-04-13
Command-
...
-device usb-ehci,id=ehci \
-object memory-backend-file,id=cxl-mem1,share=on,mem-path=/tmp/t3_cxl1.raw,size=4G \
-object memory-backend-file,id=cxl-mem2,share=on,mem-path=/tmp/t3_cxl2.raw,size=4G \
-object memory-backend-file,id=cxl-lsa1,share=on,mem-path=/tmp/t3_lsa1.raw,size=1M \
-object memory-backend-file,id=cxl-lsa2,share=on,mem-path=/tmp/t3_lsa2.raw,size=1M \
-device pxb-cxl,bus_nr=11,bus=pcie.0,id=cxl.1,hdm_for_passthrough=true \
-device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.2,hdm_for_passthrough=true \
-device cxl-rp,port=0,bus=cxl.1,id=cxl_rp_port0,chassis=0,slot=2 \
-device cxl-rp,port=1,bus=cxl.2,id=cxl_rp_port1,chassis=1,slot=2 \
-device cxl-upstream,port=0,sn=1234,bus=cxl_rp_port0,id=us0,addr=0.0,multifunction=on, \
-device cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.1,multifunction=on, \
-device cxl-switch-mailbox-cci,bus=cxl_rp_port0,addr=0.3,target=us0 \
-device cxl-switch-mailbox-cci,bus=cxl_rp_port1,addr=0.3,target=us1 \
-device cxl-downstream,port=0,bus=us0,id=swport0,slot=4 \
-device cxl-downstream,port=0,bus=us1,id=swport1,slot=5 \
-device cxl-type3,bus=swport0,volatile-dc-memdev=cxl-mem1,id=cxl-dcd0,lsa=cxl-lsa1,num-dc-regions=2,sn=99 \
-device cxl-type3,bus=swport1,volatile-dc-memdev=cxl-mem2,id=cxl-dcd1,lsa=cxl-lsa2,num-dc-regions=2,sn=100 \
-device usb-cxl-mctp,bus=ehci.0,id=usb0,target=us0 \
-device usb-cxl-mctp,bus=ehci.0,id=usb1,target=us1 \
-device usb-cxl-mctp,bus=ehci.0,id=usb2,target=cxl-dcd0 \
-device usb-cxl-mctp,bus=ehci.0,id=usb3,target=cxl-dcd1 \
-machine cxl-fmw.0.targets.0=cxl.2,cxl-fmw.1.targets.0=cxl.1,cxl-fmw.0.size=2G,cxl-fmw.1.size=2G,cxl-fmw.0.interleave-granularity=1k,cxl-fmw.1.interleave-granularity=1k
[3] Backtrace
#0 object_class_dynamic_cast at ../qom/object.c:966
#1 0x0000555555f593c7 in object_class_dynamic_cast_assert (class=0x7ffbcf4f7010, typename=0x5555562385d4 "cxl-type3",
file=0x555556238580 "include/hw/cxl/cxl_device.h", line=865, func=0x555556238f60 <__func__.44683> "CXL_TYPE3_CLASS") at ../qom/object.c:1016
#2 CXL_TYPE3_CLASS at include/hw/cxl/cxl_device.h:865
#3 cxl_destroy_dc_regions at ../hw/mem/cxl_type3.c:922
#4 ct3_exit at ../hw/mem/cxl_type3.c:1309
#5 pci_qdev_unrealize at ../hw/pci/pci.c:1445
#6 device_set_realized at ../hw/core/qdev.c:583
#7 property_set_bool at ../qom/object.c:2375
#8 object_property_set at ../qom/object.c:1450
#9 object_property_set_qobject at ../qom/qom-qobject.c:28
#10 object_property_set_bool at ../qom/object.c:1520
#11 qdev_unrealize at ../hw/core/qdev.c:290
#12 bus_set_realized at ../hw/core/bus.c:205
#13 property_set_bool at ../qom/object.c:2375
#14 object_property_set at ../qom/object.c:1450
#15 object_property_set_qobject at ../qom/qom-qobject.c:28
#16 object_property_set_bool at ../qom/object.c:1520
#17 qbus_unrealize at ../hw/core/bus.c:179
#18 device_set_realized at ../hw/core/qdev.c:577
#19 property_set_bool at ../qom/object.c:2375
#20 object_property_set at ../qom/object.c:1450
#21 object_property_set_qobject at ../qom/qom-qobject.c:28
#22 object_property_set_bool at ../qom/object.c:1520
#23 qdev_unrealize at ../hw/core/qdev.c:290
#24 bus_set_realized at ../hw/core/bus.c:205
#25 property_set_bool at ../qom/object.c:2375
#26 object_property_set at ../qom/object.c:1450
#27 object_property_set_qobject at ../qom/qom-qobject.c:28
#28 object_property_set_bool at ../qom/object.c:1520
#29 qbus_unrealize at ../hw/core/bus.c:179
#30 device_set_realized at ../hw/core/qdev.c:577
#31 property_set_bool at ../qom/object.c:2375
#32 object_property_set at ../qom/object.c:1450
#33 object_property_set_qobject at ../qom/qom-qobject.c:28
#34 object_property_set_bool at ../qom/object.c:1520
#35 qdev_unrealize at ../hw/core/qdev.c:290
#36 pcie_cap_slot_unplug_cb at ../hw/pci/pcie.c:574
#37 hotplug_handler_unplug at ../hw/core/hotplug.c:56
#38 pcie_unplug_device at ../hw/pci/pcie.c:585
#39 pci_for_each_device_under_bus at ../hw/pci/pci.c:2017
#40 pcie_cap_slot_do_unplug at ../hw/pci/pcie.c:595
#41 pcie_cap_slot_write_config at ../hw/pci/pcie.c:890
#42 cxl_rp_write_config at ../hw/pci-bridge/cxl_root_port.c:295
#43 pci_host_config_write_common at ../hw/pci/pci_host.c:96
#44 pci_data_write at ../hw/pci/pci_host.c:138
#45 pci_host_data_write at ../hw/pci/pci_host.c:188
#46 memory_region_write_accessor at ../system/memory.c:488
#47 access_with_adjusted_size at ../system/memory.c:564
#48 memory_region_dispatch_write at ../system/memory.c:1544
#49 flatview_write_continue_step at ../system/physmem.c:2977
#50 flatview_write_continue at ../system/physmem.c:3007
#51 flatview_write at ../system/physmem.c:3038
#52 address_space_write at ../system/physmem.c:3158
#53 address_space_rw at ../system/physmem.c:3168
#54 kvm_handle_io at ../accel/kvm/kvm-all.c:2814
#55 kvm_cpu_exec at ../accel/kvm/kvm-all.c:3213
#56 kvm_vcpu_thread_fn at ../accel/kvm/kvm-accel-ops.c:51
#57 qemu_thread_start at ../util/qemu-thread-posix.c:393
#58 start_thread from /lib64/libpthread.so.0
#59 clone () from /lib64/libc.so.6
Joshua Lant (1):
cxl_type3: fix segfault in cxl_destroy_dc_regions
hw/mem/cxl_type3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.7
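
Added illustration, not part of the original message and not QEMU's code: a simplified model of the class-cast versus get-class distinction the cover letter describes. The struct layouts and the names model_CLASS, model_GET_CLASS and word_read_as_type are hypothetical stand-ins; the point is that a class cast taking `const void *` compiles for a device pointer, but the word it would treat as the type descriptor is then the device's class pointer, one level of indirection off, which is consistent with the crash in frame #0.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the QOM layout; not QEMU's real definitions. */
typedef struct TypeImpl { const char *name; } TypeImpl;
typedef struct ObjectClass { const TypeImpl *type; } ObjectClass; /* 1st field: type  */
typedef struct Object { ObjectClass *klass; } Object;            /* 1st field: class */

static const TypeImpl ct3_type = { "cxl-type3" };
static ObjectClass ct3_class = { &ct3_type };
static Object ct3_dev = { &ct3_class };  /* constructed sample device instance */

/* Class-to-class checked cast: k must really point at an ObjectClass. */
static ObjectClass *class_dynamic_cast(ObjectClass *k, const char *name)
{
    return (k && k->type && strcmp(k->type->name, name) == 0) ? k : NULL;
}

/* Models X_CLASS(klass): takes const void *, so any pointer type compiles. */
static ObjectClass *model_CLASS(const void *klass)
{
    return class_dynamic_cast((ObjectClass *)klass, "cxl-type3");
}

/* Models X_GET_CLASS(obj): one extra dereference, instance -> its class. */
static ObjectClass *model_GET_CLASS(const void *obj)
{
    return model_CLASS(((const Object *)obj)->klass);
}

/* The word at offset 0 of p, i.e. what a class cast would use as "type".
 * Copied with memcpy and never dereferenced, so this stays well defined. */
static const void *word_read_as_type(const void *p)
{
    const void *w;
    memcpy(&w, p, sizeof(w));
    return w;
}

int main(void)
{
    /* Correct path resolves the class; for the device, the "type" word is
     * its class pointer, not a TypeImpl, so a class cast on it is invalid. */
    return !(model_GET_CLASS(&ct3_dev) == &ct3_class &&
             word_read_as_type(&ct3_dev) == (const void *)&ct3_class);
}
```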