diff options
author | Lan Tianyu <tianyu.lan@intel.com> | 2015-10-11 23:19:24 +0800 |
---|---|---|
committer | Stefano Stabellini <stefano.stabellini@eu.citrix.com> | 2015-10-26 11:32:18 +0000 |
commit | 4e494de66800747446e73b5ec0189ad7f4690908 (patch) | |
tree | 2d12bc4ae4b77bcd1275fd0e0bf694a0cfb292ec /hw/xen/xen_pt_msi.c | |
parent | af25e7277d3e95a3ea31023f31d8097ab5e2ac84 (diff) |
Qemu/Xen: Fix early freeing MSIX MMIO memory region
msix->mmio is added to XenPCIPassthroughState's object as property.
object_finalize_child_property is called for XenPCIPassthroughState's
object, which calls object_property_del_all, which is going to try to
delete msix->mmio. object_finalize_child_property() will access
msix->mmio's obj. But the whole msix struct has already been freed
by xen_pt_msix_delete. This will cause segment fault when msix->mmio
has been overwritten.
This patch is to fix the issue.
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Diffstat (limited to 'hw/xen/xen_pt_msi.c')
-rw-r--r-- | hw/xen/xen_pt_msi.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c index e3d71945cd..82de2bced3 100644 --- a/hw/xen/xen_pt_msi.c +++ b/hw/xen/xen_pt_msi.c @@ -610,7 +610,7 @@ error_out: return rc; } -void xen_pt_msix_delete(XenPCIPassthroughState *s) +void xen_pt_msix_unmap(XenPCIPassthroughState *s) { XenPTMSIX *msix = s->msix; @@ -627,6 +627,17 @@ void xen_pt_msix_delete(XenPCIPassthroughState *s) } memory_region_del_subregion(&s->bar[msix->bar_index], &msix->mmio); +} + +void xen_pt_msix_delete(XenPCIPassthroughState *s) +{ + XenPTMSIX *msix = s->msix; + + if (!msix) { + return; + } + + object_unparent(OBJECT(&msix->mmio)); g_free(s->msix); s->msix = NULL; |