diff mbox series

hw/vfio/container: Fix SIGSEV on vfio_container_instance_finalize()

Message ID 20240719165011.1751831-1-eric.auger@redhat.com (mailing list archive)
State New, archived
Headers show
Series hw/vfio/container: Fix SIGSEV on vfio_container_instance_finalize() | expand

Commit Message

Eric Auger July 19, 2024, 4:50 p.m. UTC
In vfio_connect_container's error path, the base container is
removed twice form the VFIOAddressSpace QLIST: first on the
listener_release_exit label and second, on free_container_exit
label, through object_unref(container), which calls
vfio_container_instance_finalize().

Let's remove the first instance.

Fixes: 938026053f4 ("vfio/container: Switch to QOM")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
---
 hw/vfio/container.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Cédric Le Goater July 20, 2024, 6:57 a.m. UTC | #1
On 7/19/24 18:50, Eric Auger wrote:
> In vfio_connect_container's error path, the base container is
> removed twice form the VFIOAddressSpace QLIST: first on the
> listener_release_exit label and second, on free_container_exit
> label, through object_unref(container), which calls
> vfio_container_instance_finalize().
> 
> Let's remove the first instance.
> 
> Fixes: 938026053f4 ("vfio/container: Switch to QOM")
> Signed-off-by: Eric Auger <eric.auger@redhat.com>

Oh. Nice catch !


Reviewed-by: Cédric Le Goater <clg@redhat.com>

Thanks,

C.


> ---
>   hw/vfio/container.c | 1 -
>   1 file changed, 1 deletion(-)
> 
> diff --git a/hw/vfio/container.c b/hw/vfio/container.c
> index 425db1a14c..d8b7c533af 100644
> --- a/hw/vfio/container.c
> +++ b/hw/vfio/container.c
> @@ -657,7 +657,6 @@ static bool vfio_connect_container(VFIOGroup *group, AddressSpace *as,
>       return true;
>   listener_release_exit:
>       QLIST_REMOVE(group, container_next);
> -    QLIST_REMOVE(bcontainer, next);
>       vfio_kvm_device_del_group(group);
>       memory_listener_unregister(&bcontainer->listener);
>       if (vioc->release) {
Duan, Zhenzhong July 22, 2024, 6:29 a.m. UTC | #2
>-----Original Message-----
>From: Eric Auger <eric.auger@redhat.com>
>Subject: [PATCH] hw/vfio/container: Fix SIGSEV on
>vfio_container_instance_finalize()
>
>In vfio_connect_container's error path, the base container is
>removed twice form the VFIOAddressSpace QLIST: first on the
>listener_release_exit label and second, on free_container_exit
>label, through object_unref(container), which calls
>vfio_container_instance_finalize().
>
>Let's remove the first instance.
>
>Fixes: 938026053f4 ("vfio/container: Switch to QOM")
>Signed-off-by: Eric Auger <eric.auger@redhat.com>

Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>

Thanks
Zhenzhong

>---
> hw/vfio/container.c | 1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/hw/vfio/container.c b/hw/vfio/container.c
>index 425db1a14c..d8b7c533af 100644
>--- a/hw/vfio/container.c
>+++ b/hw/vfio/container.c
>@@ -657,7 +657,6 @@ static bool vfio_connect_container(VFIOGroup
>*group, AddressSpace *as,
>     return true;
> listener_release_exit:
>     QLIST_REMOVE(group, container_next);
>-    QLIST_REMOVE(bcontainer, next);
>     vfio_kvm_device_del_group(group);
>     memory_listener_unregister(&bcontainer->listener);
>     if (vioc->release) {
>--
>2.41.0
Cédric Le Goater July 22, 2024, 1:50 p.m. UTC | #3
On 7/19/24 18:50, Eric Auger wrote:
> In vfio_connect_container's error path, the base container is
> removed twice form the VFIOAddressSpace QLIST: first on the
> listener_release_exit label and second, on free_container_exit
> label, through object_unref(container), which calls
> vfio_container_instance_finalize().
> 
> Let's remove the first instance.
> 
> Fixes: 938026053f4 ("vfio/container: Switch to QOM")
> Signed-off-by: Eric Auger <eric.auger@redhat.com>
> ---
>   hw/vfio/container.c | 1 -
>   1 file changed, 1 deletion(-)
> 
> diff --git a/hw/vfio/container.c b/hw/vfio/container.c
> index 425db1a14c..d8b7c533af 100644
> --- a/hw/vfio/container.c
> +++ b/hw/vfio/container.c
> @@ -657,7 +657,6 @@ static bool vfio_connect_container(VFIOGroup *group, AddressSpace *as,
>       return true;
>   listener_release_exit:
>       QLIST_REMOVE(group, container_next);
> -    QLIST_REMOVE(bcontainer, next);
>       vfio_kvm_device_del_group(group);
>       memory_listener_unregister(&bcontainer->listener);
>       if (vioc->release) {


Applied to vfio-next.

Thanks,

C.
diff mbox series

Patch

diff --git a/hw/vfio/container.c b/hw/vfio/container.c
index 425db1a14c..d8b7c533af 100644
--- a/hw/vfio/container.c
+++ b/hw/vfio/container.c
@@ -657,7 +657,6 @@  static bool vfio_connect_container(VFIOGroup *group, AddressSpace *as,
     return true;
 listener_release_exit:
     QLIST_REMOVE(group, container_next);
-    QLIST_REMOVE(bcontainer, next);
     vfio_kvm_device_del_group(group);
     memory_listener_unregister(&bcontainer->listener);
     if (vioc->release) {