aboutsummaryrefslogtreecommitdiff
path: root/hw/xen/xen_pt_msi.c
diff options
context:
space:
mode:
authorLan Tianyu <tianyu.lan@intel.com>2015-10-11 23:19:24 +0800
committerStefano Stabellini <stefano.stabellini@eu.citrix.com>2015-10-26 11:32:18 +0000
commit4e494de66800747446e73b5ec0189ad7f4690908 (patch)
tree2d12bc4ae4b77bcd1275fd0e0bf694a0cfb292ec /hw/xen/xen_pt_msi.c
parentaf25e7277d3e95a3ea31023f31d8097ab5e2ac84 (diff)
Qemu/Xen: Fix early freeing MSIX MMIO memory region
msix->mmio is added to XenPCIPassthroughState's object as property. object_finalize_child_property is called for XenPCIPassthroughState's object, which calls object_property_del_all, which is going to try to delete msix->mmio. object_finalize_child_property() will access msix->mmio's obj. But the whole msix struct has already been freed by xen_pt_msix_delete. This will cause segment fault when msix->mmio has been overwritten. This patch is to fix the issue. Signed-off-by: Lan Tianyu <tianyu.lan@intel.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Diffstat (limited to 'hw/xen/xen_pt_msi.c')
-rw-r--r--hw/xen/xen_pt_msi.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
index e3d71945cd..82de2bced3 100644
--- a/hw/xen/xen_pt_msi.c
+++ b/hw/xen/xen_pt_msi.c
@@ -610,7 +610,7 @@ error_out:
return rc;
}
-void xen_pt_msix_delete(XenPCIPassthroughState *s)
+void xen_pt_msix_unmap(XenPCIPassthroughState *s)
{
XenPTMSIX *msix = s->msix;
@@ -627,6 +627,17 @@ void xen_pt_msix_delete(XenPCIPassthroughState *s)
}
memory_region_del_subregion(&s->bar[msix->bar_index], &msix->mmio);
+}
+
+void xen_pt_msix_delete(XenPCIPassthroughState *s)
+{
+ XenPTMSIX *msix = s->msix;
+
+ if (!msix) {
+ return;
+ }
+
+ object_unparent(OBJECT(&msix->mmio));
g_free(s->msix);
s->msix = NULL;