* [QEMU- PATCH v2 0/1] cxl_type3: segfault in cxl_destroy_dc_regions
@ 2025-09-08 15:30 Joshua Lant
2025-09-08 15:30 ` [QEMU- PATCH v2 1/1] cxl_type3: fix " Joshua Lant
0 siblings, 1 reply; 2+ messages in thread
From: Joshua Lant @ 2025-09-08 15:30 UTC (permalink / raw)
To: linux-cxl; +Cc: Jonathan.Cameron, Joshua Lant
Changes for v2: fix tags block and hash in commit message
Hi there,
A typo[1] in a qemu command[2] of mine is causing a segfault[3] in qemu
during boot, due to cxl_destroy_dc_regions being called inside what looks like
a hot-remove event. I realise my command is not correct more generally, as
it does not achieve what I want. However, the issue appears to be in qemu, due to
the use of CXL_TYPE3_CLASS() rather than CXL_TYPE3_GET_CLASS(), as the input
is the device rather than the class (introduced in ef73003556).
Josh
[1] Issue in my command
Causes segfault:
-device
cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.1,multifunction=on,
Boots okay:
-device
cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.0,multifunction=on,
[2] System Setup
QEMU- https://gitlab.com/jic23/qemu.git origin/cxl-2025-07-03
Kernel- https://github.com/weiny2/linux-kernel.git origin/dcd-v6-2025-04-13
Command-
...
-device usb-ehci,id=ehci \
-object memory-backend-file,id=cxl-mem1,share=on,mem-path=/tmp/t3_cxl1.raw,size=4G \
-object memory-backend-file,id=cxl-mem2,share=on,mem-path=/tmp/t3_cxl2.raw,size=4G \
-object memory-backend-file,id=cxl-lsa1,share=on,mem-path=/tmp/t3_lsa1.raw,size=1M \
-object memory-backend-file,id=cxl-lsa2,share=on,mem-path=/tmp/t3_lsa2.raw,size=1M \
-device pxb-cxl,bus_nr=11,bus=pcie.0,id=cxl.1,hdm_for_passthrough=true \
-device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.2,hdm_for_passthrough=true \
-device cxl-rp,port=0,bus=cxl.1,id=cxl_rp_port0,chassis=0,slot=2 \
-device cxl-rp,port=1,bus=cxl.2,id=cxl_rp_port1,chassis=1,slot=2 \
-device cxl-upstream,port=0,sn=1234,bus=cxl_rp_port0,id=us0,addr=0.0,multifunction=on, \
-device cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.1,multifunction=on, \
-device cxl-switch-mailbox-cci,bus=cxl_rp_port0,addr=0.3,target=us0 \
-device cxl-switch-mailbox-cci,bus=cxl_rp_port1,addr=0.3,target=us1 \
-device cxl-downstream,port=0,bus=us0,id=swport0,slot=4 \
-device cxl-downstream,port=0,bus=us1,id=swport1,slot=5 \
-device cxl-type3,bus=swport0,volatile-dc-memdev=cxl-mem1,id=cxl-dcd0,lsa=cxl-lsa1,num-dc-regions=2,sn=99 \
-device cxl-type3,bus=swport1,volatile-dc-memdev=cxl-mem2,id=cxl-dcd1,lsa=cxl-lsa2,num-dc-regions=2,sn=100 \
-device usb-cxl-mctp,bus=ehci.0,id=usb0,target=us0 \
-device usb-cxl-mctp,bus=ehci.0,id=usb1,target=us1 \
-device usb-cxl-mctp,bus=ehci.0,id=usb2,target=cxl-dcd0 \
-device usb-cxl-mctp,bus=ehci.0,id=usb3,target=cxl-dcd1 \
-machine cxl-fmw.0.targets.0=cxl.2,cxl-fmw.1.targets.0=cxl.1,cxl-fmw.0.size=2G,cxl-fmw.1.size=2G,cxl-fmw.0.interleave-granularity=1k,cxl-fmw.1.interleave-granularity=1k
[3] Backtrace
#0 object_class_dynamic_cast at ../qom/object.c:966
#1 0x0000555555f593c7 in object_class_dynamic_cast_assert (class=0x7ffbcf4f7010, typename=0x5555562385d4 "cxl-type3",
file=0x555556238580 "include/hw/cxl/cxl_device.h", line=865, func=0x555556238f60 <__func__.44683> "CXL_TYPE3_CLASS") at ../qom/object.c:1016
#2 CXL_TYPE3_CLASS at include/hw/cxl/cxl_device.h:865
#3 cxl_destroy_dc_regions at ../hw/mem/cxl_type3.c:922
#4 ct3_exit at ../hw/mem/cxl_type3.c:1309
#5 pci_qdev_unrealize at ../hw/pci/pci.c:1445
#6 device_set_realized at ../hw/core/qdev.c:583
#7 property_set_bool at ../qom/object.c:2375
#8 object_property_set at ../qom/object.c:1450
#9 object_property_set_qobject at ../qom/qom-qobject.c:28
#10 object_property_set_bool at ../qom/object.c:1520
#11 qdev_unrealize at ../hw/core/qdev.c:290
#12 bus_set_realized at ../hw/core/bus.c:205
#13 property_set_bool at ../qom/object.c:2375
#14 object_property_set at ../qom/object.c:1450
#15 object_property_set_qobject at ../qom/qom-qobject.c:28
#16 object_property_set_bool at ../qom/object.c:1520
#17 qbus_unrealize at ../hw/core/bus.c:179
#18 device_set_realized at ../hw/core/qdev.c:577
#19 property_set_bool at ../qom/object.c:2375
#20 object_property_set at ../qom/object.c:1450
#21 object_property_set_qobject at ../qom/qom-qobject.c:28
#22 object_property_set_bool at ../qom/object.c:1520
#23 qdev_unrealize at ../hw/core/qdev.c:290
#24 bus_set_realized at ../hw/core/bus.c:205
#25 property_set_bool at ../qom/object.c:2375
#26 object_property_set at ../qom/object.c:1450
#27 object_property_set_qobject at ../qom/qom-qobject.c:28
#28 object_property_set_bool at ../qom/object.c:1520
#29 qbus_unrealize at ../hw/core/bus.c:179
#30 device_set_realized at ../hw/core/qdev.c:577
#31 property_set_bool at ../qom/object.c:2375
#32 object_property_set at ../qom/object.c:1450
#33 object_property_set_qobject at ../qom/qom-qobject.c:28
#34 object_property_set_bool at ../qom/object.c:1520
#35 qdev_unrealize at ../hw/core/qdev.c:290
#36 pcie_cap_slot_unplug_cb at ../hw/pci/pcie.c:574
#37 hotplug_handler_unplug at ../hw/core/hotplug.c:56
#38 pcie_unplug_device at ../hw/pci/pcie.c:585
#39 pci_for_each_device_under_bus at ../hw/pci/pci.c:2017
#40 pcie_cap_slot_do_unplug at ../hw/pci/pcie.c:595
#41 pcie_cap_slot_write_config at ../hw/pci/pcie.c:890
#42 cxl_rp_write_config at ../hw/pci-bridge/cxl_root_port.c:295
#43 pci_host_config_write_common at ../hw/pci/pci_host.c:96
#44 pci_data_write at ../hw/pci/pci_host.c:138
#45 pci_host_data_write at ../hw/pci/pci_host.c:188
#46 memory_region_write_accessor at ../system/memory.c:488
#47 access_with_adjusted_size at ../system/memory.c:564
#48 memory_region_dispatch_write at ../system/memory.c:1544
#49 flatview_write_continue_step at ../system/physmem.c:2977
#50 flatview_write_continue at ../system/physmem.c:3007
#51 flatview_write at ../system/physmem.c:3038
#52 address_space_write at ../system/physmem.c:3158
#53 address_space_rw at ../system/physmem.c:3168
#54 kvm_handle_io at ../accel/kvm/kvm-all.c:2814
#55 kvm_cpu_exec at ../accel/kvm/kvm-all.c:3213
#56 kvm_vcpu_thread_fn at ../accel/kvm/kvm-accel-ops.c:51
#57 qemu_thread_start at ../util/qemu-thread-posix.c:393
#58 start_thread from /lib64/libpthread.so.0
#59 clone () from /lib64/libc.so.6
Joshua Lant (1):
cxl_type3: fix segfault in cxl_destroy_dc_regions
hw/mem/cxl_type3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.7
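The object-versus-class mix-up described in the cover letter above, as an added example that is not part of the original thread or of QEMU. It uses a toy two-level layout; every `Toy*`/`toy_*` name and the registered-type check are assumptions made for illustration. It shows why a class cast applied to a device pointer looks one level too high, while the GET_CLASS form resolves the class first.

```c
#include <stddef.h>
#include <string.h>

/* Toy model (constructed for illustration, not QEMU source). */
typedef struct ToyType  { const char *name; } ToyType;
typedef struct ToyClass { const ToyType *type; int (*release)(int); } ToyClass;
typedef struct ToyDev   { const ToyClass *klass; int regions; } ToyDev;

static int toy_release(int n) { return n; }
static const ToyType  toy_t3_type  = { "toy-type3" };
static const ToyClass toy_t3_class = { &toy_t3_type, toy_release };

/* Read the first pointer-sized word behind an opaque pointer, which is
 * all a cast helper taking an untyped pointer has to go on. */
static const void *first_word(const void *p)
{
    const void *w;
    memcpy(&w, p, sizeof(w));
    return w;
}

/* Hypothetical hardened class cast: accept the pointer only if its first
 * word is a registered type. An unchecked cast would instead dereference
 * that word as if it were a type. */
static const ToyClass *toy_class_cast(const void *klass)
{
    return first_word(klass) == &toy_t3_type ? klass : NULL;
}

/* "GET_CLASS" form: step from the instance to its class, then cast. */
static const ToyClass *toy_get_class(const void *dev)
{
    return toy_class_cast(first_word(dev));
}

int main(void)
{
    ToyDev dev = { &toy_t3_class, 2 };
    /* Wrong level: the device's first word is a class, not a type. */
    if (toy_class_cast(&dev) != NULL) {
        return 1;
    }
    /* Right level: resolve the class first, then call through it. */
    const ToyClass *c = toy_get_class(&dev);
    return (c && c->release(dev.regions) == 2) ? 0 : 1;
}
```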
* [QEMU- PATCH v2 1/1] cxl_type3: fix segfault in cxl_destroy_dc_regions
2025-09-08 15:30 [QEMU- PATCH v2 0/1] cxl_type3: segfault in cxl_destroy_dc_regions Joshua Lant
@ 2025-09-08 15:30 ` Joshua Lant
0 siblings, 0 replies; 2+ messages in thread
From: Joshua Lant @ 2025-09-08 15:30 UTC (permalink / raw)
To: linux-cxl; +Cc: Jonathan.Cameron, Joshua Lant
CXL_TYPE3_CLASS() should be CXL_TYPE3_GET_CLASS() given object (CXLType3Dev)
input. Leads to segfault in object_class_dynamic_cast.
Fixes: ef73003556 (cxl_type3: add MHD callbacks)
Signed-off-by: Joshua Lant <joshualant@gmail.com>
---
hw/mem/cxl_type3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
index c4658e0955..14cb09d9fe 100644
--- a/hw/mem/cxl_type3.c
+++ b/hw/mem/cxl_type3.c
@@ -919,7 +919,7 @@ static void cxl_destroy_dc_regions(CXLType3Dev *ct3d)
{
CXLDCExtent *ent, *ent_next;
CXLDCExtentGroup *group, *group_next;
- CXLType3Class *cvc = CXL_TYPE3_CLASS(ct3d);
+ CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d);
int i;
CXLDCRegion *region;
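Review bot: The `cvc` initialiser at the top of cxl_destroy_dc_regions() is the only call site this patch touches, and the commit message does not say whether the other CXL_TYPE3_CLASS() uses in hw/mem/cxl_type3.c were checked for the same mistake of passing a CXLType3Dev pointer. Please confirm that and state it in the message. It would also help anyone triaging a backport if the message recorded how the bad cast is reached, since the cover-letter backtrace shows it only firing on the unplug path (pcie_cap_slot_do_unplug -> ct3_exit -> cxl_destroy_dc_regions), which is why it can go unnoticed in a normal boot.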
--
2.43.7