xemu-project/xemu
1
0
Fork 0
mirror of https://github.com/xemu-project/xemu.git synced 2024-11-27 21:40:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Qemu/Xen: Fix early freeing MSIX MMIO memory region

Browse Source 
msix->mmio is added to XenPCIPassthroughState's object as property.
object_finalize_child_property is called for XenPCIPassthroughState's
object, which calls object_property_del_all, which is going to try to
delete msix->mmio. object_finalize_child_property() will access
msix->mmio's obj. But the whole msix struct has already been freed
by xen_pt_msix_delete. This will cause segment fault when msix->mmio
has been overwritten.

This patch is to fix the issue.

Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
This commit is contained in:
Lan Tianyu 2015-10-11 23:19:24 +08:00 committed by Stefano Stabellini
parent af25e7277d
commit 4e494de668
4 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hw/xen/xen_pt.c
View File

@ -938,10 +938,18 @@ static void xen_pci_passthrough_class_init(ObjectClass *klass, void *data)
dc->props = xen_pci_passthrough_properties; dc->props = xen_pci_passthrough_properties;
}; };
static void xen_pci_passthrough_finalize(Object *obj)
{
XenPCIPassthroughState *s = XEN_PT_DEVICE(obj);
xen_pt_msix_delete(s);
}
static const TypeInfo xen_pci_passthrough_info = { static const TypeInfo xen_pci_passthrough_info = {
.name = TYPE_XEN_PT_DEVICE, .name = TYPE_XEN_PT_DEVICE,
.parent = TYPE_PCI_DEVICE, .parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(XenPCIPassthroughState), .instance_size = sizeof(XenPCIPassthroughState),
.instance_finalize = xen_pci_passthrough_finalize,
.class_init = xen_pci_passthrough_class_init, .class_init = xen_pci_passthrough_class_init,
}; };

1
hw/xen/xen_pt.h
View File

@ -305,6 +305,7 @@ void xen_pt_msi_disable(XenPCIPassthroughState *s);
int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base); int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base);
void xen_pt_msix_delete(XenPCIPassthroughState *s); void xen_pt_msix_delete(XenPCIPassthroughState *s);
void xen_pt_msix_unmap(XenPCIPassthroughState *s);
int xen_pt_msix_update(XenPCIPassthroughState *s); int xen_pt_msix_update(XenPCIPassthroughState *s);
int xen_pt_msix_update_remap(XenPCIPassthroughState *s, int bar_index); int xen_pt_msix_update_remap(XenPCIPassthroughState *s, int bar_index);
void xen_pt_msix_disable(XenPCIPassthroughState *s); void xen_pt_msix_disable(XenPCIPassthroughState *s);

2
hw/xen/xen_pt_config_init.c
View File

@ -2079,7 +2079,7 @@ void xen_pt_config_delete(XenPCIPassthroughState *s)
/* free MSI/MSI-X info table */ /* free MSI/MSI-X info table */
if (s->msix) { if (s->msix) {
xen_pt_msix_delete(s); xen_pt_msix_unmap(s);
} }
g_free(s->msi); g_free(s->msi);

13
hw/xen/xen_pt_msi.c
View File

@ -610,7 +610,7 @@ error_out:
return rc; return rc;
} }
void xen_pt_msix_delete(XenPCIPassthroughState *s) void xen_pt_msix_unmap(XenPCIPassthroughState *s)
{ {
XenPTMSIX *msix = s->msix; XenPTMSIX *msix = s->msix;
@ -627,6 +627,17 @@ void xen_pt_msix_delete(XenPCIPassthroughState *s)
} }
memory_region_del_subregion(&s->bar[msix->bar_index], &msix->mmio); memory_region_del_subregion(&s->bar[msix->bar_index], &msix->mmio);
}
void xen_pt_msix_delete(XenPCIPassthroughState *s)
{
XenPTMSIX *msix = s->msix;
if (!msix) {
return;
}
object_unparent(OBJECT(&msix->mmio));
g_free(s->msix); g_free(s->msix);
s->msix = NULL; s->msix = NULL;