
Re: [Qemu-devel] Use-after-free during unrealize in system_reset


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] Use-after-free during unrealize in system_reset
Date: Fri, 6 Jun 2014 11:03:34 +0200

On Thu, Jun 5, 2014 at 6:18 PM, Michael S. Tsirkin <address@hidden> wrote:
> On Thu, Jun 05, 2014 at 05:31:45PM +0200, Stefan Hajnoczi wrote:
>> qemu-iotests ./check -qcow2 067 is entering an infinite loop during
>> system_reset.  This failure is a non-deterministic use-after-free and
>> the infinite loop happens maybe 1/3 of the time.
>
> This patch makes it fail deterministically.
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 22fe5ee..6815fad 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -790,6 +790,7 @@ static void pci_config_alloc(PCIDevice *pci_dev)
>  static void pci_config_free(PCIDevice *pci_dev)
>  {
>      g_free(pci_dev->config);
> +    pci_dev->config = NULL;
>      g_free(pci_dev->cmask);
>      g_free(pci_dev->wmask);
>      g_free(pci_dev->w1cmask);
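
Review bot: only `pci_dev->config` is cleared after its `g_free()`; `cmask`, `wmask` and `w1cmask` are freed in the same function but left dangling, so a stale access through any of those three would still be a nondeterministic use-after-free instead of the reliable NULL-dereference crash this change is meant to produce. For a diagnostic that fails deterministically every time, clear each freed pointer the same way (e.g. `pci_dev->cmask = NULL;` after its `g_free()`). Note also that nulling after free only turns the symptom into a consistent crash; it does not address why the device is still accessed after unrealize, so the change should be labelled a debugging aid rather than the fix.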

Thanks for the patch, I bisected the use-after-free to this commit:

commit 5c21ce77d7e5643089ceec556c0408445d017f32
Author: Bandan Das <address@hidden>
Date:   Wed Mar 12 21:02:12 2014 +0100

    qdev: Realize buses on device realization

    Integrate (un)realization of child buses with realization/unrealization
    of the device hosting them. Code in device_unparent() is reordered for
    unrealization of buses to work as part of device unrealization.

    That way no changes need to be made to bus instantiation.

    Signed-off-by: Bandan Das <address@hidden>
    Signed-off-by: Andreas Färber <address@hidden>

Stefan
