From: Igor Mammedov
Date: Thu, 14 Jul 2016 18:54:39 +0200
Message-Id: <1468515285-173356-11-git-send-email-imammedo@redhat.com>
In-Reply-To: <1468515285-173356-1-git-send-email-imammedo@redhat.com>
References: <1468515285-173356-1-git-send-email-imammedo@redhat.com>
Subject: [Qemu-devel] [PATCH v4 10/16] apic: kvm-apic: fix crash due to access to freed memory region
To: qemu-devel@nongnu.org
Cc: pkrempa@redhat.com, ehabkost@redhat.com, mst@redhat.com, eduardo.otubo@profitbricks.com, Bandan Das, Radim Krčmář, pbonzini@redhat.com

The kvm-apic.io_memory memory region had its parent set to NULL at memory_region_init_io() time, so it ended up as a child in the /unattached container. As a result, when a kvm-apic instance was deleted, the child property /unattached/kvm-apic-msi[XXX] contained a reference to the kvm-apic.io_memory address, which was freed as part of kvm-apic.

Do the same as 'apic' and make the kvm-apic instance the owner of the memory region so that it won't end up in /unattached and is cleanly released along with the related kvm-apic instance.
Signed-off-by: Igor Mammedov --- CC: Radim Kr=C4=8Dm=C3=A1=C5=99 CC: pbonzini@redhat.com --- hw/i386/kvm/apic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c index c5983c7..1f87e73 100644 --- a/hw/i386/kvm/apic.c +++ b/hw/i386/kvm/apic.c @@ -184,8 +184,8 @@ static void kvm_apic_realize(DeviceState *dev, Error = **errp) { APICCommonState *s =3D APIC_COMMON(dev); =20 - memory_region_init_io(&s->io_memory, NULL, &kvm_apic_io_ops, s, "kvm= -apic-msi", - APIC_SPACE_SIZE); + memory_region_init_io(&s->io_memory, OBJECT(s), &kvm_apic_io_ops, s, + "kvm-apic-msi", APIC_SPACE_SIZE); =20 if (kvm_has_gsi_routing()) { msi_nonbroken =3D true; --=20 2.7.4
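Review bot: passing OBJECT(s) as the owner binds the region's lifetime to the kvm-apic device instead of parking it under /unattached, which matches the 'apic' device the commit message cites; what the hunk does not show is whether s->io_memory is still mapped as a subregion when the device is finalized, so please confirm (from the rest of the series) that every memory_region_add_subregion() of s->io_memory has a matching memory_region_del_subregion() before the instance is freed, otherwise the ownership change only moves the dangling reference from the child property to the container. Minor style point: the re-wrapped call, with "kvm-apic-msi" on its own continuation line, also brings the statement back under 80 columns, which the removed line exceeded.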
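As an added illustration (not QEMU code, and not part of this patch or the series), the following stand-alone C model shows the lifetime rule the commit message describes: a region embedded by value in a device struct that names no owner is parented under a global "unattached" container, so freeing the device leaves that container holding a pointer into freed memory; naming the device as owner makes the region a child of the device and it is unparented when the device is finalized. All names here (Object, Region, Device, region_init, device_finalize, unattached_holds_dangling_pointer) are hypothetical stand-ins, not the QOM or memory-region API.

```c
/* Added example, not QEMU code: a minimal model of QOM-style ownership
 * for a memory region embedded in its device. Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHILDREN 8

typedef struct Object {
    struct Object *parent;
    struct Object *children[MAX_CHILDREN];
    int nchildren;
} Object;

/* The region is embedded by value, like APICCommonState::io_memory. */
typedef struct Region { Object obj; const char *name; } Region;
typedef struct Device { Object obj; Region io_memory; } Device;

/* Global container that objects with no owner are parked in (/unattached). */
static Object unattached;

static void object_add_child(Object *parent, Object *child)
{
    parent->children[parent->nchildren++] = child;
    child->parent = parent;
}

static void object_unparent(Object *child)
{
    Object *p = child->parent;
    if (!p) {
        return;
    }
    for (int i = 0; i < p->nchildren; i++) {
        if (p->children[i] == child) {
            memmove(&p->children[i], &p->children[i + 1],
                    (size_t)(p->nchildren - i - 1) * sizeof(Object *));
            p->nchildren--;
            break;
        }
    }
    child->parent = NULL;
}

/* owner == NULL: region becomes a child of /unattached (the bug).
 * owner != NULL: region becomes a child of its owner (the fix). */
static void region_init(Region *r, Object *owner, const char *name)
{
    memset(r, 0, sizeof(*r));
    r->name = name;
    object_add_child(owner ? owner : &unattached, &r->obj);
}

/* Finalizing a device unparents the children it owns, then frees it.
 * Anything still parented elsewhere now points at freed memory. */
static void device_finalize(Device *d)
{
    while (d->obj.nchildren > 0) {
        object_unparent(d->obj.children[0]);
    }
    free(d);
}

/* Returns 1 if /unattached still holds a pointer into the freed device.
 * The freed pointer is never dereferenced; only its value is compared
 * against the address range recorded before the free. */
int unattached_holds_dangling_pointer(int set_owner)
{
    unattached.nchildren = 0;
    Device *d = calloc(1, sizeof(*d));
    uintptr_t lo = (uintptr_t)d, hi = lo + sizeof(*d);

    region_init(&d->io_memory, set_owner ? &d->obj : NULL, "kvm-apic-msi");
    device_finalize(d);

    for (int i = 0; i < unattached.nchildren; i++) {
        uintptr_t p = (uintptr_t)unattached.children[i];
        if (p >= lo && p < hi) {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    printf("owner=NULL   -> dangling: %d\n", unattached_holds_dangling_pointer(0));
    printf("owner=device -> dangling: %d\n", unattached_holds_dangling_pointer(1));
    return 0;
}
```

The model deliberately omits reference counting; the point it makes is the one in the commit message, that an embedded region with no owner outlives its enclosing allocation from the container's point of view, and that naming the enclosing device as owner ties the two lifetimes together.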