diff options
| author | Cédric Le Goater <clg@redhat.com> | 2024-11-15 09:34:40 +0100 |
|---|---|---|
| committer | Cédric Le Goater <clg@redhat.com> | 2024-11-18 08:40:06 +0100 |
| commit | ebbf7c60bbd1ceedf9faf962e428ceda2388c248 (patch) | |
| tree | 4be9b60740cee33015e4265d1f1a6a509638b795 /hw | |
| parent | 66650fd0cc67e11f84521a114a7cbc8a8a5033ff (diff) | |
vfio/container: Fix container object destruction
When commit 96b7af4388b3 intoduced a .instance_finalize() handler,
it did not take into account that the container was not necessarily
inserted into the container list of the address space. Hence, if
the container object is destroyed, by calling object_unref() for
example, before vfio_address_space_insert() is called, QEMU may
crash when removing the container from the list as done in
vfio_container_instance_finalize(). This was seen with an SEV-SNP
guest for which discarding of RAM fails.
To resolve this issue, use the safe version of QLIST_REMOVE().
Cc: Zhenzhong Duan <zhenzhong.duan@intel.com>
Cc: Eric Auger <eric.auger@redhat.com>
Fixes: 96b7af4388b3 ("vfio/container: Move vfio_container_destroy() to an instance_finalize() handler")
Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/vfio/container-base.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/vfio/container-base.c b/hw/vfio/container-base.c index 809b157674..6f86c37d97 100644 --- a/hw/vfio/container-base.c +++ b/hw/vfio/container-base.c @@ -103,7 +103,7 @@ static void vfio_container_instance_finalize(Object *obj) VFIOContainerBase *bcontainer = VFIO_IOMMU(obj); VFIOGuestIOMMU *giommu, *tmp; - QLIST_REMOVE(bcontainer, next); + QLIST_SAFE_REMOVE(bcontainer, next); QLIST_FOREACH_SAFE(giommu, &bcontainer->giommu_list, giommu_next, tmp) { memory_region_unregister_iommu_notifier( |