From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49411)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1YQNRY-00021l-J1
	for qemu-devel@nongnu.org; Tue, 24 Feb 2015 16:55:08 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1YQNRQ-0007uN-BT
	for qemu-devel@nongnu.org; Tue, 24 Feb 2015 16:55:04 -0500
Received: from e38.co.us.ibm.com ([32.97.110.159]:53610)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mdroth@linux.vnet.ibm.com>) id 1YQNRQ-0007u7-3v
	for qemu-devel@nongnu.org; Tue, 24 Feb 2015 16:54:56 -0500
Received: from /spool/local
	by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <mdroth@linux.vnet.ibm.com>;
	Tue, 24 Feb 2015 14:54:55 -0700
From: Michael Roth <mdroth@linux.vnet.ibm.com>
Date: Tue, 24 Feb 2015 15:48:12 -0600
Message-Id: <1424814498-6993-38-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1424814498-6993-1-git-send-email-mdroth@linux.vnet.ibm.com>
References: <1424814498-6993-1-git-send-email-mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 37/43] vfio-pci: Fix missing unparent of
	dynamically allocated MemoryRegion
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Alex Williamson <alex.williamson@redhat.com>, qemu-stable@nongnu.org

From: Alex Williamson <alex.williamson@redhat.com>

Commit d8d95814609e added explicit object_unparent() calls for
dynamically allocated MemoryRegions.  The VFIOMSIXInfo structure also
contains such a MemoryRegion, covering the mmap'd region of a PCI BAR
above the MSI-X table.  This structure is freed as part of the class
exit function and therefore also needs an explicit object_unparent().
Failing to do this results in random segfaults due to fields within
the structure, often the class pointer, being reclaimed and corrupted
by the time object_finalize_child_property() is called for the object.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org # 2.2
(cherry picked from commit 3a4dbe6aa934370a92372528c1255ee1504965ee)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/misc/vfio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index fd318a1..7bff62c 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -4049,6 +4049,7 @@ static void vfio_put_device(VFIODevice *vdev)
     DPRINTF("vfio_put_device: close vdev->fd\n");
     close(vdev->fd);
     if (vdev->msix) {
+        object_unparent(OBJECT(&vdev->msix->mmap_mem));
         g_free(vdev->msix);
         vdev->msix = NULL;
     }
-- 
1.9.1