From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:33969) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Wu2y1-0002mj-SS for qemu-devel@nongnu.org; Mon, 09 Jun 2014 13:02:46 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Wu2xw-0000vP-Tu for qemu-devel@nongnu.org; Mon, 09 Jun 2014 13:02:41 -0400 Received: from mx1.redhat.com ([209.132.183.28]:55410) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Wu2xw-0000uN-L3 for qemu-devel@nongnu.org; Mon, 09 Jun 2014 13:02:36 -0400 From: Bandan Das References: <20140605161803.GB11292@redhat.com> <53918F6E.1020406@redhat.com> <20140608104626.GA26245@redhat.com> <539475F8.3060200@redhat.com> Date: Mon, 09 Jun 2014 13:02:29 -0400 In-Reply-To: <539475F8.3060200@redhat.com> (Paolo Bonzini's message of "Sun, 08 Jun 2014 16:40:56 +0200") Message-ID: MIME-Version: 1.0 Content-Type: text/plain Subject: Re: [Qemu-devel] Use-after-free during unrealize in system_reset List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Paolo Bonzini Cc: Stefan Hajnoczi , peter.maydell@linaro.org, qemu-devel , Andreas =?utf-8?Q?F=C3=A4rber?= , "Michael S. Tsirkin" Paolo Bonzini writes: > Il 08/06/2014 12:46, Michael S. Tsirkin ha scritto: >> Tested-by: Michael S. Tsirkin > > You probably tested the reversal, actually. :) > > Actually, there is a reason for it. "Unassembling" the device > (unparent) should come after "powering it down" (unrealize). Yes, exactly. But to be honest, I was not sure if I was doing the right thing and hence posted this series as a RFC. > However, the bus is missing a recursive unrealization of the devices > below it prior to calling bc->unrealize: > > diff --git a/hw/core/qdev.c b/hw/core/qdev.c > index e65a5aa..4282491 100644 > --- a/hw/core/qdev.c > +++ b/hw/core/qdev.c > @@ -567,32 +567,35 @@ static void bus_set_realized(Object *obj, bool > value, Error **errp) > { > BusState *bus = BUS(obj); > BusClass *bc = BUS_GET_CLASS(bus); > + BusChild *kid; > Error *local_err = NULL; > > if (value && !bus->realized) { > if (bc->realize) { > bc->realize(bus, &local_err); > - > - if (local_err != NULL) { > - goto error; > - } > - > } > + > + /* TODO: recursive realization */ > } else if (!value && bus->realized) { > - if (bc->unrealize) { > + QTAILQ_FOREACH(kid, &bus->children, sibling) { > + DeviceState *dev = kid->child; > + object_property_set_bool(OBJECT(dev), false, "realized", > + &local_err); > + if (local_err != NULL) { > + break; > + } > + } > + if (bc->unrealize && local_err == NULL) { > bc->unrealize(bus, &local_err); It also seems that my original patch included unrealizing children, but that didn't get in for some reason - https://lists.gnu.org/archive/html/qemu-devel/2013-11/msg03204.html Andreas might have had a reason not to include it however.. > - > - if (local_err != NULL) { > - goto error; > - } > } > } > > + if (local_err != NULL) { > + error_propagate(errp, local_err); > + return; > + } > + > bus->realized = value; > - return; > - > -error: > - error_propagate(errp, local_err); > } > > void qbus_create_inplace(void *bus, size_t size, const char *typename, > > > This seems to fix the bug too. > > Paolo