* [Qemu-devel] [PATCH] Fix crash on spapr_tce_table_finalize()
@ 2014-12-08  2:48 David Gibson
  2014-12-17 12:03 ` Alexander Graf
  0 siblings, 1 reply; 2+ messages in thread
From: David Gibson @ 2014-12-08  2:48 UTC (permalink / raw)
  To: agraf, aik, mdroth; +Cc: qemu-devel, David Gibson

spapr_tce_table_finalize() can SEGV if the object was not previously
realized.  In particular this can be triggered by running
         qemu-system-ppc -device spapr-tce-table,?

The basic problem is that we have mismatched initialization versus
finalization: spapr_tce_table_finalize() is attempting to undo things that
are done in spapr_tce_table_realize(), not an instance_init function.

Therefore, replace spapr_tce_table_finalize() with
spapr_tce_table_unrealize().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 hw/ppc/spapr_iommu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/spapr_iommu.c b/hw/ppc/spapr_iommu.c
index 6c91d8e..da47474 100644
--- a/hw/ppc/spapr_iommu.c
+++ b/hw/ppc/spapr_iommu.c
@@ -173,9 +173,9 @@ sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn,
     return tcet;
 }
 
-static void spapr_tce_table_finalize(Object *obj)
+static void spapr_tce_table_unrealize(DeviceState *dev, Error **errp)
 {
-    sPAPRTCETable *tcet = SPAPR_TCE_TABLE(obj);
+    sPAPRTCETable *tcet = SPAPR_TCE_TABLE(dev);
 
     QLIST_REMOVE(tcet, list);
 
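Review bot: the new `Error **errp` parameter is never touched in the visible body (only `QLIST_REMOVE(tcet, list)` follows the cast), which is acceptable for an unrealize hook that cannot fail, but a short comment saying so would stop a later reader from wondering whether an error path was dropped. Since the hunk's context ends right after `QLIST_REMOVE`, it is also worth confirming that the rest of the body only undoes state created in `spapr_tce_table_realize()`, exactly as the commit message describes, and nothing that would have been set up by an instance_init.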
@@ -420,6 +420,7 @@ static void spapr_tce_table_class_init(ObjectClass *klass, void *data)
     DeviceClass *dc = DEVICE_CLASS(klass);
     dc->init = spapr_tce_table_realize;
     dc->reset = spapr_tce_reset;
+    dc->unrealize = spapr_tce_table_unrealize;
 
     QLIST_INIT(&spapr_tce_tables);
 
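Review bot: the class now pairs the new `dc->unrealize` with the legacy `dc->init = spapr_tce_table_realize;` line, so the two halves of the lifecycle use different hook generations and signatures (`int (*)(DeviceState *)` for `init` versus `void (*)(DeviceState *, Error **)` for `unrealize`), and a function called `_realize` is wired to `init`. This works, but a follow-up that moves `spapr_tce_table_realize` to `dc->realize` with the matching `(DeviceState *, Error **)` signature would make the realize/unrealize pair symmetric and easier to audit.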
@@ -435,7 +436,6 @@ static TypeInfo spapr_tce_table_info = {
     .parent = TYPE_DEVICE,
     .instance_size = sizeof(sPAPRTCETable),
     .class_init = spapr_tce_table_class_init,
-    .instance_finalize = spapr_tce_table_finalize,
 };
 
 static void register_types(void)
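Review bot: with `.instance_finalize` gone, the visible `TypeInfo` has neither an instance_init nor an instance_finalize, so all teardown now lives in the unrealize hook; that is consistent with the commit message's diagnosis. One sentence in the commit message noting that the `-device spapr-tce-table,?` query path never reaches realize, and therefore never reaches unrealize either, would make it explicit why the SEGV can no longer occur.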
-- 
2.1.0


* Re: [Qemu-devel] [PATCH] Fix crash on spapr_tce_table_finalize()
  2014-12-08  2:48 [Qemu-devel] [PATCH] Fix crash on spapr_tce_table_finalize() David Gibson
@ 2014-12-17 12:03 ` Alexander Graf
  0 siblings, 0 replies; 2+ messages in thread
From: Alexander Graf @ 2014-12-17 12:03 UTC (permalink / raw)
  To: David Gibson, aik, mdroth; +Cc: qemu-devel
On 08.12.14 03:48, David Gibson wrote:
> spapr_tce_table_finalize() can SEGV if the object was not previously
> realized.  In particular this can be triggered by running
>          qemu-system-ppc -device spapr-tce-table,?
> 
> The basic problem is that we have mismatched initialization versus
> finalization: spapr_tce_table_finalize() is attempting to undo things that
> are done in spapr_tce_table_realize(), not an instance_init function.
> 
> Therefore, replace spapr_tce_table_finalize() with
> spapr_tce_table_unrealize().
> 
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

Thanks, applied to ppc-next and added CC stable.


Alex

