* [QEMU- PATCH 0/1] cxl_type3: segfault in cxl_destroy_dc_regions
@ 2025-09-04 9:02 Joshua Lant
2025-09-04 9:02 ` [QEMU- PATCH 1/1] cxl_type3: fix " Joshua Lant
0 siblings, 1 reply; 5+ messages in thread
From: Joshua Lant @ 2025-09-04 9:02 UTC (permalink / raw)
To: linux-cxl; +Cc: Jonathan.Cameron, Joshua Lant
Hi there,
A typo[1] in a qemu command[2] of mine is causing a segfault[3] in qemu during
boot, due to cxl_destroy_dc_regions being called inside what looks like a
hot-remove event. I realise my command is not correct more generally, as it does not
achieve what I want. However, the issue appears to be in qemu, due to the
use of CXL_TYPE3_CLASS() rather than CXL_TYPE3_GET_CLASS(), as the input is
the device rather than the class (introduced in ef730035567).
Josh
[1] Issue in my command
Causes segfault:
-device cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.1,multifunction=on,
Boots okay:
-device cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.0,multifunction=on,
[2] System Setup
QEMU- https://gitlab.com/jic23/qemu.git origin/cxl-2025-07-03
Kernel- https://github.com/weiny2/linux-kernel.git origin/dcd-v6-2025-04-13
Command-
...
-device usb-ehci,id=ehci \
-object memory-backend-file,id=cxl-mem1,share=on,mem-path=/tmp/t3_cxl1.raw,size=4G \
-object memory-backend-file,id=cxl-mem2,share=on,mem-path=/tmp/t3_cxl2.raw,size=4G \
-object memory-backend-file,id=cxl-lsa1,share=on,mem-path=/tmp/t3_lsa1.raw,size=1M \
-object memory-backend-file,id=cxl-lsa2,share=on,mem-path=/tmp/t3_lsa2.raw,size=1M \
-device pxb-cxl,bus_nr=11,bus=pcie.0,id=cxl.1,hdm_for_passthrough=true \
-device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.2,hdm_for_passthrough=true \
-device cxl-rp,port=0,bus=cxl.1,id=cxl_rp_port0,chassis=0,slot=2 \
-device cxl-rp,port=1,bus=cxl.2,id=cxl_rp_port1,chassis=1,slot=2 \
-device cxl-upstream,port=0,sn=1234,bus=cxl_rp_port0,id=us0,addr=0.0,multifunction=on, \
-device cxl-upstream,port=0,sn=5678,bus=cxl_rp_port1,id=us1,addr=0.1,multifunction=on, \
-device cxl-switch-mailbox-cci,bus=cxl_rp_port0,addr=0.3,target=us0 \
-device cxl-switch-mailbox-cci,bus=cxl_rp_port1,addr=0.3,target=us1 \
-device cxl-downstream,port=0,bus=us0,id=swport0,slot=4 \
-device cxl-downstream,port=0,bus=us1,id=swport1,slot=5 \
-device cxl-type3,bus=swport0,volatile-dc-memdev=cxl-mem1,id=cxl-dcd0,lsa=cxl-lsa1,num-dc-regions=2,sn=99 \
-device cxl-type3,bus=swport1,volatile-dc-memdev=cxl-mem2,id=cxl-dcd1,lsa=cxl-lsa2,num-dc-regions=2,sn=100 \
-device usb-cxl-mctp,bus=ehci.0,id=usb0,target=us0 \
-device usb-cxl-mctp,bus=ehci.0,id=usb1,target=us1 \
-device usb-cxl-mctp,bus=ehci.0,id=usb2,target=cxl-dcd0 \
-device usb-cxl-mctp,bus=ehci.0,id=usb3,target=cxl-dcd1 \
-machine cxl-fmw.0.targets.0=cxl.2,cxl-fmw.1.targets.0=cxl.1,cxl-fmw.0.size=2G,cxl-fmw.1.size=2G,cxl-fmw.0.interleave-granularity=1k,cxl-fmw.1.interleave-granularity=1k
[3] Backtrace
#0 object_class_dynamic_cast at ../qom/object.c:966
#1 0x0000555555f593c7 in object_class_dynamic_cast_assert (class=0x7ffbcf4f7010, typename=0x5555562385d4 "cxl-type3",
file=0x555556238580 "include/hw/cxl/cxl_device.h", line=865, func=0x555556238f60 <__func__.44683> "CXL_TYPE3_CLASS") at ../qom/object.c:1016
#2 CXL_TYPE3_CLASS at include/hw/cxl/cxl_device.h:865
#3 cxl_destroy_dc_regions at ../hw/mem/cxl_type3.c:922
#4 ct3_exit at ../hw/mem/cxl_type3.c:1309
#5 pci_qdev_unrealize at ../hw/pci/pci.c:1445
#6 device_set_realized at ../hw/core/qdev.c:583
#7 property_set_bool at ../qom/object.c:2375
#8 object_property_set at ../qom/object.c:1450
#9 object_property_set_qobject at ../qom/qom-qobject.c:28
#10 object_property_set_bool at ../qom/object.c:1520
#11 qdev_unrealize at ../hw/core/qdev.c:290
#12 bus_set_realized at ../hw/core/bus.c:205
#13 property_set_bool at ../qom/object.c:2375
#14 object_property_set at ../qom/object.c:1450
#15 object_property_set_qobject at ../qom/qom-qobject.c:28
#16 object_property_set_bool at ../qom/object.c:1520
#17 qbus_unrealize at ../hw/core/bus.c:179
#18 device_set_realized at ../hw/core/qdev.c:577
#19 property_set_bool at ../qom/object.c:2375
#20 object_property_set at ../qom/object.c:1450
#21 object_property_set_qobject at ../qom/qom-qobject.c:28
#22 object_property_set_bool at ../qom/object.c:1520
#23 qdev_unrealize at ../hw/core/qdev.c:290
#24 bus_set_realized at ../hw/core/bus.c:205
#25 property_set_bool at ../qom/object.c:2375
#26 object_property_set at ../qom/object.c:1450
#27 object_property_set_qobject at ../qom/qom-qobject.c:28
#28 object_property_set_bool at ../qom/object.c:1520
#29 qbus_unrealize at ../hw/core/bus.c:179
#30 device_set_realized at ../hw/core/qdev.c:577
#31 property_set_bool at ../qom/object.c:2375
#32 object_property_set at ../qom/object.c:1450
#33 object_property_set_qobject at ../qom/qom-qobject.c:28
#34 object_property_set_bool at ../qom/object.c:1520
#35 qdev_unrealize at ../hw/core/qdev.c:290
#36 pcie_cap_slot_unplug_cb at ../hw/pci/pcie.c:574
#37 hotplug_handler_unplug at ../hw/core/hotplug.c:56
#38 pcie_unplug_device at ../hw/pci/pcie.c:585
#39 pci_for_each_device_under_bus at ../hw/pci/pci.c:2017
#40 pcie_cap_slot_do_unplug at ../hw/pci/pcie.c:595
#41 pcie_cap_slot_write_config at ../hw/pci/pcie.c:890
#42 cxl_rp_write_config at ../hw/pci-bridge/cxl_root_port.c:295
#43 pci_host_config_write_common at ../hw/pci/pci_host.c:96
#44 pci_data_write at ../hw/pci/pci_host.c:138
#45 pci_host_data_write at ../hw/pci/pci_host.c:188
#46 memory_region_write_accessor at ../system/memory.c:488
#47 access_with_adjusted_size at ../system/memory.c:564
#48 memory_region_dispatch_write at ../system/memory.c:1544
#49 flatview_write_continue_step at ../system/physmem.c:2977
#50 flatview_write_continue at ../system/physmem.c:3007
#51 flatview_write at ../system/physmem.c:3038
#52 address_space_write at ../system/physmem.c:3158
#53 address_space_rw at ../system/physmem.c:3168
#54 kvm_handle_io at ../accel/kvm/kvm-all.c:2814
#55 kvm_cpu_exec at ../accel/kvm/kvm-all.c:3213
#56 kvm_vcpu_thread_fn at ../accel/kvm/kvm-accel-ops.c:51
#57 qemu_thread_start at ../util/qemu-thread-posix.c:393
#58 start_thread from /lib64/libpthread.so.0
#59 clone () from /lib64/libc.so.6
Joshua Lant (1):
cxl_type3: fix segfault in cxl_destroy_dc_regions
hw/mem/cxl_type3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.7
* [QEMU- PATCH 1/1] cxl_type3: fix segfault in cxl_destroy_dc_regions
2025-09-04 9:02 [QEMU- PATCH 0/1] cxl_type3: segfault in cxl_destroy_dc_regions Joshua Lant
@ 2025-09-04 9:02 ` Joshua Lant
2025-09-05 14:54 ` Jonathan Cameron
0 siblings, 1 reply; 5+ messages in thread
From: Joshua Lant @ 2025-09-04 9:02 UTC (permalink / raw)
To: linux-cxl; +Cc: Jonathan.Cameron, Joshua Lant
CXL_TYPE3_CLASS() should be CXL_TYPE3_GET_CLASS() given object (CXLType3Dev)
input. Leads to segfault in object_class_dynamic_cast.
Fixes: ef730035567
signed-off-by: Joshua Lant <joshualant@gmail.com>
---
hw/mem/cxl_type3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
index c4658e0955..14cb09d9fe 100644
--- a/hw/mem/cxl_type3.c
+++ b/hw/mem/cxl_type3.c
@@ -919,7 +919,7 @@ static void cxl_destroy_dc_regions(CXLType3Dev *ct3d)
{
CXLDCExtent *ent, *ent_next;
CXLDCExtentGroup *group, *group_next;
- CXLType3Class *cvc = CXL_TYPE3_CLASS(ct3d);
+ CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d);
int i;
CXLDCRegion *region;
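Review bot: Please audit the other CXL_TYPE3_CLASS() callers in hw/mem/cxl_type3.c along with the cvc declaration changed here. ct3d is the CXLType3Dev * parameter of cxl_destroy_dc_regions(), so it is an instance and the GET_CLASS form is the right one, but the old form was only caught at run time (the posted backtrace ends in object_class_dynamic_cast), so any sibling call that hands a device pointer to the class cast would have gone unnoticed in the same way. If there are none, a line in the commit message saying so would help.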
--
2.43.7
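The mix-up the commit message describes, as an added illustration that is not QEMU code and not part of the patch. The struct layouts are simplified stand-ins and the model_* names are hypothetical; the class-cast model returns NULL where the backtrace in the cover letter shows the real cast crashing inside object_class_dynamic_cast.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the QOM layout (assumption: only the first
 * field of each struct matters for this demonstration). */
typedef struct TypeImpl { const char *name; } TypeImpl;
typedef struct ObjectClass { const TypeImpl *type; } ObjectClass; /* class: first word -> type */
typedef struct Object { ObjectClass *klass; } Object;             /* instance: first word -> class */

static const TypeImpl type_cxl_type3 = { "cxl-type3" };
static ObjectClass cxl_type3_class = { &type_cxl_type3 };

/* Read the first pointer-sized word behind p without assuming its type. */
static const void *first_word(const void *p)
{
    const void *w;
    memcpy(&w, p, sizeof(w));
    return w;
}

/* Model of a *_CLASS() cast: treats p as an ObjectClass and expects its
 * first word to be the type descriptor. Returns p as a class on a match,
 * NULL otherwise (the model refuses instead of dereferencing the word). */
static ObjectClass *model_class_cast(void *p)
{
    return first_word(p) == (const void *)&type_cxl_type3 ? (ObjectClass *)p : NULL;
}

/* Model of a *_GET_CLASS() lookup: p is an instance, so follow obj->klass
 * first and only then apply the class cast. */
static ObjectClass *model_get_class(Object *obj)
{
    return model_class_cast(obj->klass);
}

int main(void)
{
    Object ct3d = { &cxl_type3_class };          /* constructed sample device */

    /* Pre-patch form: the instance goes straight into the class cast, whose
     * "type" word is really the instance's class pointer. */
    int rejected = model_class_cast(&ct3d) == NULL;

    /* Patched form: resolve the instance's class, then cast. */
    int resolved = model_get_class(&ct3d) == &cxl_type3_class;

    return (rejected && resolved) ? 0 : 1;
}
```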
* Re: [QEMU- PATCH 1/1] cxl_type3: fix segfault in cxl_destroy_dc_regions
2025-09-04 9:02 ` [QEMU- PATCH 1/1] cxl_type3: fix " Joshua Lant
@ 2025-09-05 14:54 ` Jonathan Cameron
2025-09-08 15:44 ` Joshua Lant
0 siblings, 1 reply; 5+ messages in thread
From: Jonathan Cameron @ 2025-09-05 14:54 UTC (permalink / raw)
To: Joshua Lant; +Cc: linux-cxl, Joshua Lant
On Thu, 4 Sep 2025 10:02:22 +0100
Joshua Lant <joshualant@googlemail.com> wrote:
> CXL_TYPE3_CLASS() should be CXL_TYPE3_GET_CLASS() given object (CXLType3Dev)
> input. Leads to segfault in object_class_dynamic_cast.
>
> Fixes: ef730035567
>
> signed-off-by: Joshua Lant <joshualant@gmail.com>
Good find.
The Fixes tag needs fixing though.
Should be all part of the tags block and needs to include the patch name.
I'm not finding the SHA though.
I think that tag is probably Svetley's MHD callback patch which isn't upstream
so I'll squash this in my local tree and it will be fixed in the next tree
I put up on gitlab.com/jic23/
Thanks,
Jonathan
> ---
> hw/mem/cxl_type3.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index c4658e0955..14cb09d9fe 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -919,7 +919,7 @@ static void cxl_destroy_dc_regions(CXLType3Dev *ct3d)
> {
> CXLDCExtent *ent, *ent_next;
> CXLDCExtentGroup *group, *group_next;
> - CXLType3Class *cvc = CXL_TYPE3_CLASS(ct3d);
> + CXLType3Class *cvc = CXL_TYPE3_GET_CLASS(ct3d);
> int i;
> CXLDCRegion *region;
>
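Review bot: The commit message should record how the faulty cvc lookup in cxl_destroy_dc_regions() is reached. In the backtrace from the cover letter it is entered from ct3_exit during a PCIe slot unplug that begins with a guest config-space write (kvm_handle_io, cxl_rp_write_config, pcie_cap_slot_write_config, pcie_cap_slot_do_unplug), so in the reported run it was guest activity that brought the QEMU process down. One sentence naming that path would keep the context once the change is squashed into another patch.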
* Re: [QEMU- PATCH 1/1] cxl_type3: fix segfault in cxl_destroy_dc_regions
2025-09-05 14:54 ` Jonathan Cameron
@ 2025-09-08 15:44 ` Joshua Lant
2025-09-09 14:08 ` Jonathan Cameron
0 siblings, 1 reply; 5+ messages in thread
From: Joshua Lant @ 2025-09-08 15:44 UTC (permalink / raw)
To: Jonathan Cameron; +Cc: Joshua Lant, linux-cxl
> On Thu, 4 Sep 2025 10:02:22 +0100
> Joshua Lant <joshualant@googlemail.com> wrote:
>
> > CXL_TYPE3_CLASS() should be CXL_TYPE3_GET_CLASS() given object (CXLType3Dev)
> > input. Leads to segfault in object_class_dynamic_cast.
> >
> > Fixes: ef730035567
> >
> > signed-off-by: Joshua Lant <joshualant@gmail.com>
>
> Good find.
>
> The Fixes tag needs fixing though.
> Should be all part of the tags block and needs to include the patch name.
> I'm not finding the SHA though.
>
> I think that tag is probably Svetley's MHD callback patch which isn't upstream
> so I'll squash this in my local tree and it will be fixed in the next tree
> I put up on gitlab.com/jic23/
>
> Thanks,
>
> Jonathan
Yeah sorry, it is that MHD patch. I managed to write a rogue '7' at the end of
the hash somehow. Have reposted with updated tags block...
Cheers,
Josh
* Re: [QEMU- PATCH 1/1] cxl_type3: fix segfault in cxl_destroy_dc_regions
2025-09-08 15:44 ` Joshua Lant
@ 2025-09-09 14:08 ` Jonathan Cameron
0 siblings, 0 replies; 5+ messages in thread
From: Jonathan Cameron @ 2025-09-09 14:08 UTC (permalink / raw)
To: Joshua Lant; +Cc: linux-cxl
On Mon, 8 Sep 2025 16:44:33 +0100
Joshua Lant <joshualant@googlemail.com> wrote:
> > On Thu, 4 Sep 2025 10:02:22 +0100
> > Joshua Lant <joshualant@googlemail.com> wrote:
> >
> > > CXL_TYPE3_CLASS() should be CXL_TYPE3_GET_CLASS() given object (CXLType3Dev)
> > > input. Leads to segfault in object_class_dynamic_cast.
> > >
> > > Fixes: ef730035567
> > >
> > > signed-off-by: Joshua Lant <joshualant@gmail.com>
> >
> > Good find.
> >
> > The Fixes tag needs fixing though.
> > Should be all part of the tags block and needs to include the patch name.
> > I'm not finding the SHA though.
> >
> > I think that tag is probably Svetley's MHD callback patch which isn't upstream
> > so I'll squash this in my local tree and it will be fixed in the next tree
> > I put up on gitlab.com/jic23/
> >
> > Thanks,
> >
> > Jonathan
>
> Yeah sorry, it is that MHD patch. I managed to write a rogue '7' at the end of
> the hash somehow. Have reposted with updated tags block...
>
I smashed it into the mhd patch locally and it will end up in there when I push
a new tree, so the fix won't be directly visible as a separate patch.
Thanks anyway for working out what was wrong with the tag.
Jonathan
> Cheers,
>
> Josh