From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53224)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1Wtac7-0004Bq-Jf
	for qemu-devel@nongnu.org; Sun, 08 Jun 2014 06:46:16 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1Wtac2-0002sq-NG
	for qemu-devel@nongnu.org; Sun, 08 Jun 2014 06:46:11 -0400
Received: from mx1.redhat.com ([209.132.183.28]:9571)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1Wtac2-0002sX-Em
	for qemu-devel@nongnu.org; Sun, 08 Jun 2014 06:46:06 -0400
Date: Sun, 8 Jun 2014 13:46:26 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20140608104626.GA26245@redhat.com>
References: <CAJSP0QXUsWO1R1pFfiiDNS-gitK=0ufTxvFG7=BKkGTc00c7dA@mail.gmail.com>
	<20140605161803.GB11292@redhat.com>
	<CAJSP0QWy_xg00mN8bLr_VR71HFB=+RV2KK2+B5zScBn9pM-POQ@mail.gmail.com>
	<53918F6E.1020406@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <53918F6E.1020406@redhat.com>
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Qemu-devel] Use-after-free during unrealize in system_reset
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: peter.maydell@linaro.org, Stefan Hajnoczi <stefanha@gmail.com>, bsd@redhat.com, qemu-devel <qemu-devel@nongnu.org>, Andreas =?iso-8859-1?Q?F=E4rber?= <afaerber@suse.de>

On Fri, Jun 06, 2014 at 11:52:46AM +0200, Paolo Bonzini wrote:
> Il 06/06/2014 11:03, Stefan Hajnoczi ha scritto:
> >commit 5c21ce77d7e5643089ceec556c0408445d017f32
> >Author: Bandan Das <bsd@redhat.com>
> >Date:   Wed Mar 12 21:02:12 2014 +0100
> >
> >    qdev: Realize buses on device realization
> >
> >    Integrate (un)realization of child buses with realization/unrealiz=
ation
> >    of the device hosting them. Code in device_unparent() is reordered=
 for
> >    unrealization of buses to work as part of device unrealization.
> >
> >    That way no changes need to be made to bus instantiation.
> >
> >    Signed-off-by: Bandan Das <bsd@redhat.com>
> >    Signed-off-by: Andreas F=E4rber <afaerber@suse.de>
>=20
> This hunk seems wrong.  Bandan, what was the reason for it?
>=20
>=20
> @@ -841,13 +858,13 @@ static void device_unparent(Object *obj)
>      QObject *event_data;
>      bool have_realized =3D dev->realized;
>=20
> +    if (dev->realized) {
> +        object_property_set_bool(obj, false, "realized", NULL);
> +    }
>      while (dev->num_child_bus) {
>          bus =3D QLIST_FIRST(&dev->child_bus);
>          object_unparent(OBJECT(bus));
>      }
> -    if (dev->realized) {
> -        object_property_set_bool(obj, false, "realized", NULL);
> -    }
>      if (dev->parent_bus) {
>          bus_remove_child(dev->parent_bus, dev);
>          object_unref(OBJECT(dev->parent_bus));
>=20

Tested-by: Michael S. Tsirkin <mst@redhat.com>



>=20
> Paolo